General

  • Target

    setup.zip

  • Size

    7.5MB

  • Sample

    240329-jzdtfadf77

  • MD5

    8a0347b2b1dcfa882947539c6165326c

  • SHA1

    7637fbc5ad38e4c39d74202cec7138125b100893

  • SHA256

    b2045d805874c29a618be48bec7b68b3eab23cb4a42464d3d64327a621134dbb

  • SHA512

    33686f047e8c8fda89701499708b0021fe9c8e6bfcf4b493a3c34c85d08a4221554212f9fbf208910f72c28f23b39879b9dbc3d9afd9c5686bd4d8ee1c2d818e

  • SSDEEP

    196608:8Gun5Ll0oHlvNPRQXG0Zm/hc2kAjqZhNFaJnhuoia:YLBHlvAh+hcFoqZhLinhj9

Score
10/10

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs

    ps1.dropper: https://curlhub.monster/newdrop.bs64

Targets

    • Target

      setup.msi

    • Size

      8.5MB

    • MD5

      86a68878633d570e195609fe33640561

    • SHA1

      5a5355a80750693493c4ff9d4184d3234ad62b73

    • SHA256

      7a5d8ef1b6de2d300a6a3118426562e881577c85ab2d919f0337e4de0e9aaa92

    • SHA512

      502f996aff0273aecd4256bd25b3bcd2187a2b44c1b26c0b64a622ae2d788328d8f8e9bbd8fa9119a0edb282d1737f8f502ecf69484a70b14fd287442630c1a9

    • SSDEEP

      196608:zN7EYGIfVlhQ+gtODuwjWT6mPLJo/QkPM27rMr:z+3IfVlhQ+glwY6AW/h37rM

    Score
    10/10

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++, first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks