rhadamanthys

General

Target

17014668520.zip
Size

921B
Sample

240506-q5xl3add9x
MD5

014ec820ba61bfd3717b0ad3af398886
SHA1

5e197424744b1cde2c084eb973597a8a0f125997
SHA256

a41ad06e4263f3d0824678a2589d0ee13f013c4b5c07cc5a05ca0085a237e1fd
SHA512

69ed4630c15c550570757b05f8940ec07d0ad67aa2b28993408a608e16799314236f7375894933c7041063327d3fcf151ceea7b272657568bb4a8042ddcdca47

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://timecheck.ug/ppx.ps1

Targets

- Target
  
  51e431b4fa084108a9524d0467a925d518659ac886be3451ffe5ec86da707f4a
- Size
  
  2KB
- MD5
  
  17dc01efda95cad71f3de00a136a6672
- SHA1
  
  7277a278d3c453adc868f5b27c2e937db3b0bf80
- SHA256
  
  51e431b4fa084108a9524d0467a925d518659ac886be3451ffe5ec86da707f4a
- SHA512
  
  33daa7f80b2e230ffd83e9211aa818679be9c0450871002ae0dc1892601592140011897173094a9e68bc9b164562f712633b9c56f5e273d636889d6923779f48
Score

10^/10

rhadamanthys zgrat execution rat stealer
- Detect ZGRat V1
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- ZGRat
  ZGRat is remote access trojan written in C#.
  rat zgrat
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Detect ZGRat V1

Suspicious use of NtCreateUserProcessOtherParentProcess

ZGRat

Blocklisted process makes network request

Command and Scripting Interpreter: PowerShell

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2