General

  • Target

    RedEngine.exe

  • Size

    74KB

  • Sample

    240405-vkchlshe5x

  • MD5

    8fb7a6bd32200aea3f517923285e39a8

  • SHA1

    dc5c1e8293cce5d82c5d7d338fb3cee57d2b997d

  • SHA256

    ccc95afa02727297eb7f6bbbe5e06d011ce4656c3b563e2841fad60d471e2f26

  • SHA512

    1445bc293350022e9302374df3915e71f3b8bd281db5a43bf67362b002896404e21a58e68963a6203d6ab04dffd5745c2ce1d2fbd650975936b327befa15e3a1

  • SSDEEP

    384:UWWFjyor85Z6coSQJ14p9FfVg6FHkosvxB2JeJhrpX5m4KbfocN4UCMfKqIOmRUG:ua5ZRo34pdsvpA1c3UzD9eXOeOiict9

Targets

    • Target

      RedEngine.exe

    • Rhadamanthys

      Rhadamanthys is an information stealer written in C++, first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Creates new service(s)

    • Downloads MZ/PE file

    • Stops running service(s)

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofencing check.

    • Executes dropped EXE

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
