rhadamanthys

Sharing

Copy URL

Twitter E-mail

General

Target

Osu.7z
Size

3.7MB
Sample

240521-r6948ahf9t
MD5

925d19382afe84113af3255a66d024d8
SHA1

dae8a69db43980e2335503a4a0a7d30576bed181
SHA256

9d0eef3560fd3b6f9207a21206c4f4337b07bff2cf082869c87bdc1ddd6d2e89
SHA512

1a6cf9bdc5666a4a9b0b4e4fc9d46eaecabf572a757fa9abb4faf24413abde504fef829660a0dd3a6681ab6c28f9032875c3c22a653f66939412ed853175ca45
SSDEEP

98304:00xdEVRkgh/ZxjuutKhnM5IYpu99zvp8sPhy//oSuks:00fq/mhnMqYp6B8sJ4Ts

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentry.org/pancek61111111111111/raw

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bitbucket.org/j46j746/hg56h56h56h/raw/7db2d3da302e81e3311c7814241af0d59152a170/pan.rar

Targets

- Target
  
  Osu.7z
- Size
  
  3.7MB
- MD5
  
  925d19382afe84113af3255a66d024d8
- SHA1
  
  dae8a69db43980e2335503a4a0a7d30576bed181
- SHA256
  
  9d0eef3560fd3b6f9207a21206c4f4337b07bff2cf082869c87bdc1ddd6d2e89
- SHA512
  
  1a6cf9bdc5666a4a9b0b4e4fc9d46eaecabf572a757fa9abb4faf24413abde504fef829660a0dd3a6681ab6c28f9032875c3c22a653f66939412ed853175ca45
- SSDEEP
  
  98304:00xdEVRkgh/ZxjuutKhnM5IYpu99zvp8sPhy//oSuks:00fq/mhnMqYp6B8sJ4Ts
Score

3^/10
behavioral1 behavioral2
- Target
  
  Osu/Launcher.exe
- Size
  
  7KB
- MD5
  
  eee2a79d3170f463e9697ddb8b97d41e
- SHA1
  
  818c82b1743c91f423c92742b54355b2058ff417
- SHA256
  
  a4569f2cabda528425ec397aef16d6f8fc15ca94664f6f98d738d0b3dc570b41
- SHA512
  
  139b6366a088d9aaa055fae4c7853c872fe4a31dfb7dc8e3961f144db0d712342fd4e9ef6f20e5f3cbb225a4f23c3ed24e55d144f9342398e8305f54a327d5ea
- SSDEEP
  
  192:nx92qvjK3xszfzzztCbxbsIcaqcINv/DvxIcaBlNtUqKwceNdM:x91v4O5CbxbbcaqcIND6cazNt/BcebM
Score

10^/10

execution rhadamanthys stealer
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
behavioral3 behavioral4
- Target
  
  Osu/optimization_guide_internal.dll
- Size
  
  8.2MB
- MD5
  
  9e50f4a2f8d4785401009acd9e44cc50
- SHA1
  
  91351d9519920388fcbd5854fc4abf86757547d4
- SHA256
  
  545de3597fef20c3ac15e728a4fa687f90978d756311f248421f43018c44e900
- SHA512
  
  03f5dbea2a96f34c726c4273414af4e5f8c08d509f38c8ee9fb8f7086de6a0c63de8ab535d9ee1f29ba5e9b1b233c59a2314e3c99685dbf76c28b11add00ad58
- SSDEEP
  
  98304:QNG+KOsOUrthQ218cyj8Zb9TcJ/uSAD/EeA70s/ceqZqLSRU:1+IOUUk0899AJ/unEvrl
Score

1^/10
behavioral5 behavioral6
- Target
  
  Osu/vk_swiftshader.dll
- Size
  
  4.9MB
- MD5
  
  183c887b6d1268d583740312d0852fea
- SHA1
  
  a33b881d863a8e8e808d6ddb906b8f8c8c348138
- SHA256
  
  2fb5bd2897fa99ca5dcf2d45830a07755d30d6d8cc3751d80be28cbd90226030
- SHA512
  
  372c1b95613b3273a374f6f025b36717b4fff9b18a30a6ab97df92c5e9b615dcada7660c12d77a19960ff63f2b9078937cc2c75ed60d3a7361e455ad150a9fda
- SSDEEP
  
  49152:ynQMZsIbvKss+W3QXTvxcz/hDDuaqoKgCkE636GOmHdKDRxVop26ArW80WHBC+4y:2QM7SQ6ufnHXYGnokh
Score

1^/10
behavioral7 behavioral8
- Target
  
  Osu/vulkan-1.dll
- Size
  
  933KB
- MD5
  
  e43b12cf3c7a21a5c50d3c7b4f88ab04
- SHA1
  
  79664cf6cfb23c3e78361f817bac1440e6c7fe41
- SHA256
  
  a73ef0a1dc0578cf64e856dc9461ba135bd742f3d5f60713e4d645e17533e9c9
- SHA512
  
  656841544adf4fac2abde64bd62bc9392e76178797e81f73a13af05f84e6f51ad83aba1320a2af17e910bc3eb35c40ef9ba386f36ebd443ac04acefc10dc0248
- SSDEEP
  
  24576:57SR7TmAl/bFPmGDsfNy6Z5WiDYsH56g3P0zAk7LZIOayz:57A/bFPmH86Z5WiDYsH56g3P0zAk7LE
Score

1^/10
behavioral10 behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Suspicious use of NtCreateUserProcessOtherParentProcess

Blocklisted process makes network request

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8

behavioral9

behavioral10