General

  • Target: your_files.zip
  • Size: 5.9MB
  • Sample: 240208-w93a1aah95
  • MD5: 902e95ea4382d1f9e340ed9f0068bf7a
  • SHA1: 60548f452f515a2f5bf1af2db1691815f2900d05
  • SHA256: b59f6f116736248cd4fe60b02956a13e7c87b7a25effc8a1b026df1edb67a0bf
  • SHA512: 548fcaa92f20a5f8acc78048b239ea837e70f9adaa69834328bed5255eb7f17e0f9a96ae2d89c3f252da02a23b48cc4a00eaa7d62c27cbaeccb223aabfb2bc16
  • SSDEEP: 98304:wqDSk9A7Y/6oCk0Z/n9VRlxir0eh67pt40Z1/h1N+KOJ4L/kAOFyv23RF/Uf:wqDSxE7D0ZnPxleh6Q0Z1r82AG2BSf

Score: 10/10

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated
  • URLs
      ps1.dropper: http://good2-led.com/dark4.bs64

Targets

    • Target: libs/DismApi.dll
    • Size: 1.0MB
    • MD5: c0d799e0350cbef1f37d1c2ad6e29cbd
    • SHA1: d073f3960f085161d960d66d20532f81cfe49c9d
    • SHA256: 43c37555d8dbd9aec78cd1609ff1defce1c8e5110c6fc5bb24e6382472a28ef3
    • SHA512: a21b9b7c1397bc7844857cb56644070ab473c43891a88453311eb5be4b63c3a21ad7c8df116d2549db51f50975bf885f4d768b8edaf06d17a9d7333315a443c7
    • SSDEEP: 24576:2BfTsBflzkUnEDbjaLXGNaFUxk0NhW39B3:kfwUD3aL8Lk0NhKz

    Score: 1/10

    • Target: libs/Windows.Graphics.dll
    • Size: 553KB
    • MD5: 29bbe29eaefbc1fd7df09e5730619af0
    • SHA1: df0c487b5eba7f05b4acc4365c45745f3e565ea2
    • SHA256: 81252237cefbc6058842c1db98067d5bd1d7819b18367be889f6f6dd326c64cd
    • SHA512: 6400546bbf6c400c1660b4a5ad88b5b22f9447fad0ff938543e69d9b081020e6c4b583b2edcf5cf082ff59643164052bb8ecc147199cd74011cb1be7e41d0672
    • SSDEEP: 6144:v2b4x5qM/VRCEU/UUL9SpUUkNslL1tKPjvt+/e4OO7Y8nR7kE1TRYl0YH2Cr:v2b8xUD9nN9PbY/e18Rgse0Sr

    Score: 1/10

    • Target: libs/WsmSvc.dll
    • Size: 2.7MB
    • MD5: 755911a56e00ddf72c6bfab78180d767
    • SHA1: 4dfddfc3fa74480f8f9aa9e4dbac0ee05d1b3cfb
    • SHA256: 349d1a4975ef317ded64dd290a5a0604ee83c5a67626e44cd9ed79efa84d2a04
    • SHA512: f2bfcec0f8dac8e03873ac193ae9b660764bb43bacddafbfd0bef39c7624877d19e8e85f8222090a30d00620c06e59ed251bf2d915ade56edcdddbcf3f0c77d8
    • SSDEEP: 49152:rQ+cx7sQ/Rn18YTsR3QZvmIkJ1QT2IOmK3UunAh7/jNGSeUXcgqxSQvL:m7sQBPT2jJ1QT2IjC

    Score: 1/10

    • Target: libs/ortcengine.dll
    • Size: 1008KB
    • MD5: 1d7fc8a9241de652e481776e99aa3d46
    • SHA1: 175936d4706447d8ac5a30c6964a8ad8136d10f2
    • SHA256: 78f39ebbc9307b823296f7c37ec387fadf7cb4e9969449833d90366a65865752
    • SHA512: f5dff88bb578452daa93329d7804e7f7051a9e542bf0b70b567bcf8268b7514936948f26c46fedff1ef8ba2d5255d74291fc3b073b30e7b9c599b4ac3ba11f9e
    • SSDEEP: 24576:evPC6nGvJA20cc8lf2BY4vgqsgv1AQOVC4:evPC6kicc8lf2q4vLsk1AQOp

    Score: 1/10

    • Target: setup.exe
    • Size: 6.4MB
    • MD5: 1ccc055f28eb610f226a41e522205cf6
    • SHA1: 09e7a271e7b4f4aa2a27b9353c8244412f700898
    • SHA256: 7b3badb65f68f1add7ef8d794cc8c2a9740aeedc37030bf6414a14f58c48f43b
    • SHA512: f6feb6170724653b850e1c5e0d38d1d225b8da9ba1a79badd9d08b9ff888fb8020414e8312de5a67ae33e34edbf4deb882670d82abefedf0b5ed9d2a32ae59c2
    • SSDEEP: 98304:OAs++BUHecpbpx+sborjZGS/mCVRXnH9EEkXCCnw68uI+cqulMO3uf:OAKBx4px+sNs32pCZ1V+f

    Score: 10/10

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext
