General

  • Target

    8507630f173a2b6429290c725cc704488616c708563234f603f1b0fdf461de10

  • Size

    3.5MB

  • Sample

    240131-xqw6bacfcq

  • MD5

    9e9e81d291e332e54ba86fbbb6129672

  • SHA1

    a4cc360cc0f136ac80dcd0d9745f2f8165de10dc

  • SHA256

    8507630f173a2b6429290c725cc704488616c708563234f603f1b0fdf461de10

  • SHA512

    27090713294a967c257d8471b164e8027595e8c559bedd2bfee07b4dbb5dc42f64fa40e056624b4d6a1b218a0a6f4e88e9971af3644658655d9fd368eedd8a8d

  • SSDEEP

    98304:WkpzJNAVX98ETASa0e+t0J+g5KtT8ySJ47VpSm:pxAJ9AsrG+g5U8VJeVp

Malware Config

Targets

    • Detected Google phishing page

    • Modifies Windows Defender Real-time Protection settings

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Windows security modification

    • Accesses Microsoft Outlook profiles

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • AutoIT Executable

      AutoIT scripts compiled to PE executables.

    • Suspicious use of NtSetInformationThreadHideFromDebugger
