Resubmissions
26-03-2024 12:05
240326-n9lz1scf8y 10General
-
Target
Panda Free Antivirus - Free download and software reviews - CNET Download.html
-
Size
514KB
-
Sample
240326-n9lz1scf8y
-
MD5
001108a26e1623fe1837fcf060c622e3
-
SHA1
9587a3478a713e90a357299d2dfe3e816ee1b184
-
SHA256
fa05724ca2250316e8ea410d385a3a9f149e7f3678cac1016343174d16827d43
-
SHA512
5229470b0898ba44254920445bb57f27470eff12cb6e7d9f7393841bde3f2fd856af795d41dd9b4204f7a86c57632e22a723ab6c3818a8214661ae64a897b306
-
SSDEEP
6144:ashDcsPdQlfAbauRzj3deFhUgbydWUDT29vGgR16/krPPi5fHQ4qeYo49QsKwPTJ:ashDcsPdQwahFhUgTvRHPPidA
Static task
static1
Malware Config
Extracted
amadey
4.19
http://185.196.10.188
http://45.159.189.140
http://89.23.103.42
-
install_dir
b4e248fdbd
-
install_file
Dctooux.exe
-
strings_key
01edd7c913096383774168b5aeebc95e
-
url_paths
/hb9IvshS/index.php
/hb9IvshS2/index.php
/hb9IvshS3/index.php
Targets
-
-
Target
Panda Free Antivirus - Free download and software reviews - CNET Download.html
-
Size
514KB
-
MD5
001108a26e1623fe1837fcf060c622e3
-
SHA1
9587a3478a713e90a357299d2dfe3e816ee1b184
-
SHA256
fa05724ca2250316e8ea410d385a3a9f149e7f3678cac1016343174d16827d43
-
SHA512
5229470b0898ba44254920445bb57f27470eff12cb6e7d9f7393841bde3f2fd856af795d41dd9b4204f7a86c57632e22a723ab6c3818a8214661ae64a897b306
-
SSDEEP
6144:ashDcsPdQlfAbauRzj3deFhUgbydWUDT29vGgR16/krPPi5fHQ4qeYo49QsKwPTJ:ashDcsPdQwahFhUgTvRHPPidA
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
XMRig Miner payload
-
Blocklisted process makes network request
-
Creates new service(s)
-
Downloads MZ/PE file
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2
-
Writes to the Master Boot Record (MBR)
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process
2Windows Service
2Pre-OS Boot
1Bootkit
1Credential Access
Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1