rhadamanthys | hxxp://blob[:]hxxps://web[.]telegram[.]org/37de6885-56e0-45c6-8e38-d15e8bc8fe83 | Triage

Submit
Reports

Overview

overview

Static

static

1

URLScan

urlscan

http://blob:https://...

windows10-2004-x64

Sharing

General

Target

http://blob:https://web.telegram.org/37de6885-56e0-45c6-8e38-d15e8bc8fe83
Sample

240609-l9zvrshh88

Score

10^/10

rhadamanthys execution stealer

Static task

static1

URLScan task

urlscan1

Behavioral task

behavioral1

Sample

http://blob:https://web.telegram.org/37de6885-56e0-45c6-8e38-d15e8bc8fe83

Resource

win10v2004-20240426-en

rhadamanthys execution stealer

windows10-2004-x64

21 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentry.org/FUCKOFFNIGGA/raw

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://bitbucket.org/gedegrereghh/fuckyougithub/raw/37140025d15f5d49ec2bd023f7557f06268d7c49/pancake-unpacked.rar

Targets

- Target
  
  http://blob:https://web.telegram.org/37de6885-56e0-45c6-8e38-d15e8bc8fe83
Score

10^/10

rhadamanthys execution stealer
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Legitimate hosting services abused for malware hosting/C2
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Persistence

Scheduled Task/Job

Privilege Escalation

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

urlscan1

behavioral1

rhadamanthysexecutionstealer

© 2018-2025

Terms | Privacy