General
-
Target
Dexis Setup.exe
-
Size
64.6MB
-
Sample
240611-b9q8hszbqh
-
MD5
168e953440d699dc30a39402b4f6e625
-
SHA1
66efd121a3fdd79b3443f1204fc3a8a8e8d76d12
-
SHA256
c0d694f24002c77382adfeaa0f3b9c28d93e2c07d761ccaa5fc9644389031c39
-
SHA512
0dd0edd1b6cb1e1a5c0c39975dc11a2b85c2cdc3b1f0e476b1d867d2519f37e07fb3aec6e0ab4ea2b6370281434541aa010cfa21a07543ca00edfb47dbbbc7d2
-
SSDEEP
1572864:sQsJjyxAAJXIUEqFGX6xJU2ii8FStoKNSKqh4DFC2EPc4iUb/++O2g9mju:sQ+jyZLEqFC602h86Dc2EE4Fe9mS
Static task
static1
Behavioral task
behavioral1
Sample
Dexis Setup.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Dexis Setup.exe
Resource
win10v2004-20240426-en
Malware Config
Extracted
stealc
dex9
http://45.132.105.157
-
url_path
/eb155c7506e03ca9.php
Targets
-
-
Target
Dexis Setup.exe
-
Size
64.6MB
-
MD5
168e953440d699dc30a39402b4f6e625
-
SHA1
66efd121a3fdd79b3443f1204fc3a8a8e8d76d12
-
SHA256
c0d694f24002c77382adfeaa0f3b9c28d93e2c07d761ccaa5fc9644389031c39
-
SHA512
0dd0edd1b6cb1e1a5c0c39975dc11a2b85c2cdc3b1f0e476b1d867d2519f37e07fb3aec6e0ab4ea2b6370281434541aa010cfa21a07543ca00edfb47dbbbc7d2
-
SSDEEP
1572864:sQsJjyxAAJXIUEqFGX6xJU2ii8FStoKNSKqh4DFC2EPc4iUb/++O2g9mju:sQ+jyZLEqFC602h86Dc2EE4Fe9mS
-
Detects HijackLoader (aka IDAT Loader)
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Accesses cryptocurrency files/wallets, possible credential harvesting
-
Downloads MZ/PE file
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-