rhadamanthys | 4cfd9978e2751b8efa5fa3abfa669b1af74e721c8199c2c5681d945f9efc29af | Triage

Submit
Reports

Overview

overview

Static

static

1

sample

windows10-2004-x64

sample

windows11-21h2-x64

8

Sharing

General

Target

sample
Size

18KB
Sample

240418-wcetfabg9x
MD5

04ae4356f5a97d84c603cd91a711837c
SHA1

68609391fd55cbfe68fe64eb7a242841b060e3fd
SHA256

4cfd9978e2751b8efa5fa3abfa669b1af74e721c8199c2c5681d945f9efc29af
SHA512

d0ec5bbe2a07fab3a1f128121e9a398edcdd0898017ee4eb5e51bc4b811f49bf206b5f68ad5ded90d73c2a0509457a7dad5bfb27899dd734498529ce2d8de30c
SSDEEP

192:Hl9WSskCBuYbqxPqxKBzNBuBUt0Wjw+QQLDEpR/dZ:TWvRYaxK5HMEL8T

Score

10^/10

rhadamanthys stealc discovery spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

sample

Resource

win10v2004-20240412-en

rhadamanthys stealc discovery spyware stealer

windows10-2004-x64

24 signatures

600 seconds

Behavioral task

behavioral2

Sample

sample

Resource

win11-20240412-en

windows11-21h2-x64

16 signatures

600 seconds

Malware Config

Extracted

Family

stealc

C2

http://193.163.7.88

Attributes

url_path
/a69d09b357e06b52.php

Targets

- Target
  
  sample
- Size
  
  18KB
- MD5
  
  04ae4356f5a97d84c603cd91a711837c
- SHA1
  
  68609391fd55cbfe68fe64eb7a242841b060e3fd
- SHA256
  
  4cfd9978e2751b8efa5fa3abfa669b1af74e721c8199c2c5681d945f9efc29af
- SHA512
  
  d0ec5bbe2a07fab3a1f128121e9a398edcdd0898017ee4eb5e51bc4b811f49bf206b5f68ad5ded90d73c2a0509457a7dad5bfb27899dd734498529ce2d8de30c
- SSDEEP
  
  192:Hl9WSskCBuYbqxPqxKBzNBuBUt0Wjw+QQLDEpR/dZ:TWvRYaxK5HMEL8T
Score

10^/10

rhadamanthys stealc discovery spyware stealer
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Stealc
  Stealc is an infostealer written in C++.
  stealer stealc
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- .NET Reactor proctector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Tasks

static1

behavioral1

rhadamanthysstealcdiscoveryspywarestealer

behavioral2

© 2018-2024

Terms | Privacy