rhadamanthys | 7fd200c3ecea601de41a954b010d215a160436a28d0fb1dfb954dee0d0eb963f | Triage

Sharing

General

Target

Eulen_ModMenu.zip
Size

1.8MB
Sample

240524-qefwmafa58
MD5

2b430fbe87e6a39b4b83decf71cefbb6
SHA1

e2699a6e5b7da0f2d055896751f119c68069bb34
SHA256

7fd200c3ecea601de41a954b010d215a160436a28d0fb1dfb954dee0d0eb963f
SHA512

7ebf04f59ef7779c8a274aa53a64e3409431f2681318238ad65332a76962380cda3655098cafba970b0be52d5327cb1db9d174b02268c56d181bbfb72fff850d
SSDEEP

49152:yDfI3cSHjRIA9pX89YhTwBJS5VJRys+SlFWSsB:yDfRybM9OJEs+SlFWS6

Score

10^/10

rhadamanthys execution stealer

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentry.org/lem61111111111/raw

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bitbucket.org/43g34g34g34/34g34g34g34g/raw/fb6688df07081a944ba4d480b80b21b779eefa19/lem.rar

Targets

- Target
  
  Launcher.exe
- Size
  
  7KB
- MD5
  
  b5e479d3926b22b59926050c29c4e761
- SHA1
  
  a456cc6993d12abe6c44f2d453d7ae5da2029e24
- SHA256
  
  fbc4058b92d9bc4dda2dbc64cc61d0b3f193415aad15c362a5d87c90ca1be30b
- SHA512
  
  09d1aa9b9d7905c37b76a6b697de9f2230219e7f51951654de73b0ad47b8bb8f93cf63aa4688a958477275853b382a2905791db9dcb186cad7f96015b2909fe8
- SSDEEP
  
  192:q+yk9cqvjX3xszdzztCbxbsIcaqc2Ng5vGIcaBSNtUqOwciQjdv:Tyk9Hv1O/Cbxbbcaqc2NidcaANt/dcio
Score

10^/10

rhadamanthys execution stealer
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

rhadamanthysexecutionstealer

behavioral2

rhadamanthysexecutionstealer