Extracted

• • Target

    95c9adc065340c8b5ea552fbc19cb35e_JaffaCakes118

  • Size

    2KB

  • MD5

    95c9adc065340c8b5ea552fbc19cb35e

  • SHA1

    a5e2155c4c5c663a5df14480387e4c127747ade7

  • SHA256

    704c32c4d78d292ce4200b0d29df3fd748f4a28a3eb40c97b14363e22e588224

  • SHA512

    0bee033210068eb1a9fa082aa97eb805c5ec25839581206ed991e1d92e4b36e33b8e6d72d5f8d0a5296fe55d5d5ea03bb7c8a915c2f0f5ee9977400c45e20f08

  Score

  10^/10

  rhadamanthysexecutionstealer

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Blocklisted process makes network request

  • Command and Scripting Interpreter: PowerShell

    Run Powershell and hide display window.

    execution

  • Downloads MZ/PE file

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Drops file in System32 directory

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  behavioral1behavioral2