rhadamanthys

Sharing

Copy URL

Twitter E-mail

General

Target

ApexSquirel.7z
Size

7.2MB
Sample

240521-sbe62ahg39
MD5

2fd0ef91edf7d461f1a8a3b56fdab5da
SHA1

7943c5153d23506a2d1212d5b2f822badfad6f73
SHA256

f2920dee3baf22ba576bb80544ce0bd73d43565d7711cfe9326fbcc251ddc4cd
SHA512

587eb7593c18875da9e80128c753f3f288c75ed542cacbd4edcb28b5d09fa1f5ccf928a67dc417baf5d9716d7f1f0724d962fdbaf65d8dbe06173e42a8483ccc
SSDEEP

196608:z6coHfuqzAxVIe0HR2/Izt6BjW2qiKJHNS4d:NSfuqzAxVx0HR2/EAyH8I

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentry.org/pancek61111111111111/raw

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bitbucket.org/j46j746/hg56h56h56h/raw/7db2d3da302e81e3311c7814241af0d59152a170/pan.rar

Targets

- Target
  
  ApexSquirel/ApexSquirel.exe
- Size
  
  7KB
- MD5
  
  eee2a79d3170f463e9697ddb8b97d41e
- SHA1
  
  818c82b1743c91f423c92742b54355b2058ff417
- SHA256
  
  a4569f2cabda528425ec397aef16d6f8fc15ca94664f6f98d738d0b3dc570b41
- SHA512
  
  139b6366a088d9aaa055fae4c7853c872fe4a31dfb7dc8e3961f144db0d712342fd4e9ef6f20e5f3cbb225a4f23c3ed24e55d144f9342398e8305f54a327d5ea
- SSDEEP
  
  192:nx92qvjK3xszfzzztCbxbsIcaqcINv/DvxIcaBlNtUqKwceNdM:x91v4O5CbxbbcaqcIND6cazNt/BcebM
Score

10^/10

execution rhadamanthys stealer
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2
- Target
  
  ApexSquirel/d3dcompiler_47.dll
- Size
  
  4.7MB
- MD5
  
  2191e768cc2e19009dad20dc999135a3
- SHA1
  
  f49a46ba0e954e657aaed1c9019a53d194272b6a
- SHA256
  
  7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d
- SHA512
  
  5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970
- SSDEEP
  
  49152:KCZnRO4XyM53Rkq4ypQqdoRpmruVNYvkaRwvhiD0N+YEzI4og/RfzHLeHTRhFRNc:xG2QCwmHPnog/pzHAo/A6l
Score

1^/10
behavioral3
- Target
  
  ApexSquirel/dxcompiler.dll
- Size
  
  20.8MB
- MD5
  
  74f676688f0ce73468828a733eef1ae2
- SHA1
  
  66fc9924eafea64c7466760cba06b471bf135532
- SHA256
  
  1638c1a8486ec32a826a1e414e92dcb8c7c7c1668d071d97ba767c6a96b53b37
- SHA512
  
  455e1847743e7d289bcbba9b72015ac85fce1444b914ad59ffd7b0209604b50c018abddf472a000d205ed7c0d80a48ded56c886b7adf153733aef7cd36ab09cb
- SSDEEP
  
  393216:5sor/VKSqhURirPtV+mW7zpfa2k4ZMmsMBGl/5:5NB84ZMmsMIl/
Score

1^/10
behavioral4 behavioral5
- Target
  
  ApexSquirel/dxil.dll
- Size
  
  1.4MB
- MD5
  
  cb72bef6ce55aa7c9e3a09bd105dca33
- SHA1
  
  d48336e1c8215ccf71a758f2ff7e5913342ea229
- SHA256
  
  47ffdbd85438891b7963408ea26151ba26ae1b303bbdab3a55f0f11056085893
- SHA512
  
  c89eebcf43196f8660eee19ca41cc60c2a00d93f4b3bf118fe7a0deccb3f831cac0db04b2f0c5590fa8d388eb1877a3706ba0d58c7a4e38507c6e64cfd6a50a0
- SSDEEP
  
  24576:LCfhbh3v3mtZDiAQeWj26k41ob2nrZ1rqpegQDJqoZtp22GkmgA9u808jQPEdkr1:LCfhbh3v3mtEAQrW41obCraeRhy9ou6r
Score

1^/10
behavioral6
- Target
  
  ApexSquirel/wallhack.dll
- Size
  
  121KB
- MD5
  
  0dea1240e52375e2cd6c6056720da5f8
- SHA1
  
  37a4a277e51727e5fb6384760c19baf207aeffba
- SHA256
  
  f22f279160e0a9979d311f4ae64b29f6cf480dbca488b9977810d5b6d770b482
- SHA512
  
  1e12e2c7c90bd75c060b073aa47e406733a7a196a2f2785c902acb968090b5b083d15280404757d06d67c43bd2e4a608fe45d9d4ebc743e861d1f28715442abf
- SSDEEP
  
  3072:KJB7frfe/i1+evBJA9CZQ1CLXAtpFrpqpqpvKINZwwcrP8cx:KJhrfe/i5pXy1CeKp
Score

1^/10
behavioral7 behavioral8

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Suspicious use of NtCreateUserProcessOtherParentProcess

Blocklisted process makes network request

Downloads MZ/PE file

Checks computer location settings

Executes dropped EXE

Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2

behavioral3

behavioral4

behavioral5

behavioral6

behavioral7

behavioral8