Overview

overview

10

Static

static

1

URLScan

urlscan

http://* clicnews.com

windows11-21h2-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    http://* clicnews.com

  • Sample

    240411-lqreaagg99

Score
10/10
rhadamanthystoxiceyeagilenetpersistenceratstealertrojan

Malware Config

Extracted

Family

toxiceye

C2

https://api.telegram.org/bot5687152406:AAFin_LYFhJGLydMgYheeUDec-2orew51aM/sendMessage?chat_id=2024893777

Targets

    • Target

      http://* clicnews.com

    Score
    10/10
    rhadamanthystoxiceyeagilenetpersistenceratstealertrojan

    • Detect rhadamanthys stealer shellcode

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • ToxicEye

      ToxicEye is a trojan written in C#.

      rattrojantoxiceye

    • Modifies Installed Components in the registry

      persistence

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks