General
Target: setup.exe
Size: 6.3MB
Sample: 240209-vqbs9seh42
MD5: 83a983840c0c52b642bb2b53c8e03351
SHA1: 2afa649f780b9b1c2fad77798480e0c9e5b56944
SHA256: 6ac07ce849ad258cf9b47ca9767badc6ee867962cdcbe470cbe0d02ddb7437e8
SHA512: 7d351f0ab347271bcbeefea27531136aba9344ae163d83d8c42116fbee93c26ed2122fcfc9dc323515a24d52ce721804b475cd735adaa7fe82f94b18bf21bbee
SSDEEP: 98304:lAs++BUHecpbpx+sborjZGS/m9EnRXnH9EEkXl983ZbGT5oESkS:lAKBx4px+sNjC32plXG4S
Static task: static1
Behavioral task: behavioral1 (Sample: setup.exe, Resource: win7-20231215-en)
Behavioral task: behavioral2 (Sample: setup.exe, Resource: win10v2004-20231215-en)
Malware Config
Extracted: http://good2-led.com/dark4.bs64
Targets
Target: setup.exe
Score: 10/10
- Rhadamanthys: Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service: Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext