General

  • Target: setup.zip
  • Size: 7.5MB
  • Sample: 240329-prwbeahd85
  • MD5: 5655d824a2b15a4d8f822c689a65b235
  • SHA1: c5c0a09a200524fe25840cf808e889c0dadfd895
  • SHA256: d7587071279ebaca1fe3fc2866c62947fe6c8df9862d1c434a99b4a5fb47a611
  • SHA512: 3fae70edc6d6c0549bda179db003c8373945eb123a3274b7012e5dabed2b100f8c72a2070b6a557e2c83df3c073316ac7f70b5b56576cf80b031f3432e753e2a
  • SSDEEP: 196608:bQX6gQWd2kT7bHIKc5J1EYASM8dedEBIk/:MXQWd7PbHIN5nEY/euN/

Malware Config

Extracted

  • Language: ps1
  • Deobfuscated
  • URLs (ps1.dropper): https://curlhub.monster/newdrop.bs64

Targets

    • Target: authz/FXSST.dll
    • Size: 840KB
    • MD5: 28d46d9a6aaa6d9431599a2c8a0e2a50
    • SHA1: b4f109ae11a4d8f76c9306c316bac8041106512f
    • SHA256: e511ea66c9354a5bd43aacb4e8d351ff93fdbc2df759e3ea485ccce59a0674a4
    • SHA512: 4e57265923d59f9d6406b12a9ace9c7721389790bcc9f877648e8fbce5ba76c5eb83256a5bc20e2d1ac8c4a7a9781fcb995c65231fd0bb5c0ea1177b40fcd8eb
    • SSDEEP: 6144:VyMierB3QHbjcSbcY+CaQdaFOY4iGFYtRdzzoyYxJA:VHJ3mbz+xt4vFeF
    • Score: 1/10

    • Target: authz/authz.dll
    • Size: 290KB
    • MD5: 46f0f84a467bce90e26670fdfec2941a
    • SHA1: bd6eef548f667055aad520c8a23f4553acf4a80c
    • SHA256: b037e72db53830f5e4c1cacdc7251be7bdf782708654c85d29c2591556849253
    • SHA512: f9fb7cbb0e1616d254f0c31558b7dc9728943f177b20ba39b4970e763fc820260ce0f54044097efc746911f8bd06c16e7aa31dffbb213e42596a0b95f7782a89
    • SSDEEP: 6144:lq7COSnzyAJhVlD1qAngWvnzkSmNeyqyKmojhE8K2X27:lsCrOs5gkWeX9pK2X2
    • Score: 1/10

    • Target: authz/clbcatq.dll
    • Size: 687KB
    • MD5: 11e3e29889e482d0fadf34d59f9e0e20
    • SHA1: 24c648ba7ca51d0839f3fa73f8ca50c2f20536ba
    • SHA256: b736988949aa6c5e1254015ca9b8d7126c12f08ba38c83d7218c66951d84718b
    • SHA512: 45ab7a367c93f8f4ebcced243ddf0da83021a1eb981f5d37c80f949fe7e8100f4824ab01c13e48af7e32efa949bd612910524f3fc22cdd22ff110b54b73a1360
    • SSDEEP: 12288:0qx/+ARNLC87DeJnFhIidPfv2vi8yUbytiH8YheMdhd+Rfj:0qY8vufZdPfvqi8yUefMdhd+Rb
    • Score: 7/10

    • Target: authz/dcntel.dll
    • Size: 768KB
    • MD5: 34a0c0ceee88cc435a273253cac4ec07
    • SHA1: bf66c56aecbf52d26435ae2c85129a909dc6a8a7
    • SHA256: 86eabe6da51fcf15428fd945492e27075721e3d857c987fe1a830a0f6f7dd4c6
    • SHA512: 2f5d69938cfedcf5b3c5edabf181f3cdb9525e1604ec5ed262407217ad8c18dcd6e649d5ade95c9535809527a5a0c83de6f2cf9859b4dbb7047d2e86d502e1e9
    • SSDEEP: 24576:LHo2SKj92XYJWOKMs8cPbM1TjRQX1cs2vbF:Lr3yM1s2vbF
    • Score: 1/10

    • Target: mf/Licenses/OEM/Professional/license.rtf
    • Size: 136KB
    • MD5: b54db654ed9c76002b56793368baa54e
    • SHA1: d898d7a1ff1e617a4f4958e58eb2a8a6c5a4bf84
    • SHA256: d7b69005eb679f71c2961225bf26e789c312596808d017a3f434eaa691fb52d1
    • SHA512: 999992aa9cb48716098be5a2fd6d6917adb9709028be7d9aa17d8678ffb1e633e926d7c9ebfd6df90bf6f6288c0b22ca3d561824a1ab5ad17a32398de1c22d98
    • SSDEEP: 1536:VQxUEaFP99sxKdT4/Y65VQo/fXkxb9ZPD3X5AWHZjZYk2q7cwE1HwMbEHh:V9EQiA0VQ7T57cCB
    • Score: 1/10

    • Target: mf/Licenses/Volume/Professional/license.rtf
    • Size: 539B
    • MD5: 129ea0e2bda698ae867efe78e0958541
    • SHA1: fb5df87a7c5474aef7d72f74b59785ed9d8c10b3
    • SHA256: 78a249b6e0f74979d2d2a230abbe5f3c9b558fcc01e61c7c09950304cf95c7c0
    • SHA512: fa2e1c1bce1fa997456b4eecf832dbdeb9c8799e1454c91030575bab31a594d64f98882772b59b341aeb9d386ee2e06f969d3f7c7e34544c03516e9316c93f30
    • Score: 1/10

    • Target: mf/Licenses/_Default/Professional/license.rtf
    • Size: 136KB
    • MD5: b54db654ed9c76002b56793368baa54e
    • SHA1: d898d7a1ff1e617a4f4958e58eb2a8a6c5a4bf84
    • SHA256: d7b69005eb679f71c2961225bf26e789c312596808d017a3f434eaa691fb52d1
    • SHA512: 999992aa9cb48716098be5a2fd6d6917adb9709028be7d9aa17d8678ffb1e633e926d7c9ebfd6df90bf6f6288c0b22ca3d561824a1ab5ad17a32398de1c22d98
    • SSDEEP: 1536:VQxUEaFP99sxKdT4/Y65VQo/fXkxb9ZPD3X5AWHZjZYk2q7cwE1HwMbEHh:V9EQiA0VQ7T57cCB
    • Score: 1/10

    • Target: mf/mf.dll
    • Size: 519KB
    • MD5: 7d085afc35f6ffd8e73fcabbafc46082
    • SHA1: 666f2faf653e5b5884995af5c326d1fea034826c
    • SHA256: 094e9530d63a0ef69138d360249cc4e400ceb4fa399aac3e7d32ce8ba9e4f189
    • SHA512: ab2982291a88f196bf7a68fb115a433d5a8436eae7b84315bcd787c6ac375c899f463f36c77d7296bd40ebe8a0d8df602f61d931f676970ee73319208cda69b0
    • SSDEEP: 12288:12neQWO7Nhk0uUlF7mOErwzp13XSPZL9CM4:nOR+0+OJz3ixL9Q
    • Score: 1/10

    • Target: mf/mspatchc.dll
    • Size: 82KB
    • MD5: e08baada4c26d6e54abccab4acce5294
    • SHA1: 67ca9e4b41cca0f3096ac5506b3ab8599d789e44
    • SHA256: f6e55c768589f6b84ab2193f9da5b76ec11b691b702363f033f51ac13e2dc5c3
    • SHA512: 0c179be7dda0d76e801390a4c0eecdbc0593d6b4a6a98c6316f54b0d6eb50dc249ffa0e24696b455313398258d043b349226f8d84b9d7865b0ccf5ef4226f5de
    • SSDEEP: 1536:jPRGJfNJl8G9UNOHYh6Iiu0MPi6umnU+1+5012YwEj7+jrSp:LRQNAG9OrPup+1+VYwyOep
    • Score: 1/10

    • Target: mf/wevtsvc.dll
    • Size: 1.8MB
    • MD5: c4a358f4350c7a30445e9d50bbd78762
    • SHA1: 3c90586049771589d70e093103624af61e4df2dc
    • SHA256: 9f50afb944f7e0a9fd7a43d0b8f8e1012c6a3b45d6918d6557cc536c334d7cb2
    • SHA512: 5865568da686660e2bc06af182e805ccc504157687540419d953a65e72c40365c16de029e143d4004f2a3b0a06ab8334091504a31bddbe865c0b2d973e922ddf
    • SSDEEP: 49152:mO+aXFf4M+kA7EOOu65nzzZxG8VkBQ9ACBjntfO:hF7OGqQ9ACBj
    • Score: 1/10

    • Target: ninput/lsasrv.dll
    • Size: 1.6MB
    • MD5: 06de78f0620859f670784678d630c47e
    • SHA1: 84cae33e72bc7007066f1144a96fff1d0ff4afb7
    • SHA256: 7c9b9918ba602ae6f1fa1d4a9ea9283cc882300ae79438f555483aecbb70a28b
    • SHA512: 398ce28817a6510cb3e650e3de8fb7e2f25fb83b3cc7858c6fd7b0da037d7a53cfcc1fa439562ffa9e41ad628816ca7d6246f9b008dab576c4e22f40f9f545ed
    • SSDEEP: 24576:9k5rAFxrFhl2Xhj0pIWa44E4q0UzyZ/1XnWhIvr/ncpNUrWwsHq0:9kGX2NyIn44oQ/13WuT6CSq0
    • Score: 1/10

    • Target: ninput/mlang.dll
    • Size: 244KB
    • MD5: 546b9d0886cd09f8ca59c7e0343d3f5e
    • SHA1: 7f0baf160d4678b4fad30ebbc2a8d5f3817fc2fe
    • SHA256: f443f7f50dc020fa0943f4bd46e98789a3f8ba882f5a688fbc300f0d4b0dc1f6
    • SHA512: e0929973741182a58fe14b10e4f5f9cf1e649c561cdcaf2b719eacbedaff43cb11f7e0b5c8a7a9ec3838eaa21781160a26bc49ee85c9fc96e015a3b6ebc41a84
    • SSDEEP: 3072:nee82LhfvG5CjLeEHa8KaCCKtz1rR81IdJ2J+0MV4ReUAee89acbcfD0eGY6234v:eCjKQBC5z1rRMM0lb5Y6X
    • Score: 1/10

    • Target: ninput/ninput.dll
    • Size: 399KB
    • MD5: d30783cc3ada334983f1a2b2a95aeb7c
    • SHA1: 153a0195bc9c1803b312b0b511a64fefe372a497
    • SHA256: 46cf16c952f0f4f5376d918b475572797afef55481dc233defe2fc3e05475723
    • SHA512: 2686065adf398b109f2bb327d4eba8bec55b17eabdbaa5001940e4d834c434f57af87e145729f1288faf941c4caad543bf5741861abe2781eb2ec5a517809295
    • SSDEEP: 6144:Bb0Kx4v8CxTTvQadcCwEOAwef1So2D8f4xO1gxML3jV9GxQyXAVjo:Nb4v8Cxwqcpjjeso2D8gxagWGxQeA
    • Score: 1/10

    • Target: setup.msi
    • Size: 8.5MB
    • MD5: 86a68878633d570e195609fe33640561
    • SHA1: 5a5355a80750693493c4ff9d4184d3234ad62b73
    • SHA256: 7a5d8ef1b6de2d300a6a3118426562e881577c85ab2d919f0337e4de0e9aaa92
    • SHA512: 502f996aff0273aecd4256bd25b3bcd2187a2b44c1b26c0b64a622ae2d788328d8f8e9bbd8fa9119a0edb282d1737f8f502ecf69484a70b14fd287442630c1a9
    • SSDEEP: 196608:zN7EYGIfVlhQ+gtODuwjWT6mPLJo/QkPM27rMr:z+3IfVlhQ+glwY6AW/h37rM
    • Score: 10/10

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext
