General

  • Target

    installer.zip

  • Size

    4.0MB

  • Sample

    240208-zaemfacb57

  • MD5

    00d72d592df823cb8083c9e190fc2cad

  • SHA1

    9d31c129f5269c8aa167bc6f843d294ae7bdcbe1

  • SHA256

    6b5bb2e211da224dad374058f89f60507e2d6d37326c66f01e2be2c9bd3331d8

  • SHA512

    6de34353a6015cd0ccbe3f96d2be4010ad5cd811e34af682ee97025a78f6bbce7ff52954374179e5478b22c2abad56fb6348faa2b4a9b4702d5a613874f0b30e

  • SSDEEP

    98304:En8fq+vnJ+K8SIPyOiLa/QZp1qaChwLJiAa5:E8fzvnEpSkQtfvLfA

Score
10/10

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: http://good2-led.com/dark4.bs64

Targets

    • Target

      installer.exe

    • Size

      6.4MB

    • MD5

      3935cf102e1dad3eff8c0b85c27ecc91

    • SHA1

      40a9d6eafb61efef639bf7cf46d2d8f326f0ac53

    • SHA256

      fc8af82be87e8933e8e1a48999a412b5b240815c32de17d4ec5963f83a8381f3

    • SHA512

      8c2a59cc6e5f9bae05c3d06e510e169e724c7a16365ec43ddd13a81373cfe2255dac12acf385aba5b61b7667b4d2481ee8d954064390868cea6b1f7e9fe87b61

    • SSDEEP

      98304:OAs++BUHecpbpx+sborjZGS/mihRXnH9EEkXDc7hYuIH15KaaABXMUI:OAKBx4px+sNM32pD25IfKa3BXa

    Score
    10/10
    • Rhadamanthys

      Rhadamanthys is an info stealer, written in C++, first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks