rhadamanthys | e5abe1f82fd818618657b5edec67c172ce04013f7377628112757a4dceddd172 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

file.js

windows11-21h2-x64

Sharing

General

Target

file.zip
Size

25KB
Sample

240612-qed22awcnh
MD5

93a6f47d15850557072286bd50b3c00d
SHA1

2b428e32a101a947a342387c5c8afad041f3cff0
SHA256

e5abe1f82fd818618657b5edec67c172ce04013f7377628112757a4dceddd172
SHA512

64ece77d9925dba2014091007b99d1722ea9b2c8c6333bea5e799ae1b958a0b7ef2e60c1457dc6a102d2faa7b897a025d5c2ddb9da362b36b5824a68552cda47
SSDEEP

192:bbqnHZZTuTYiQ5NVbh5/VgLuB1yyqbVAHsDXK3V4+TpP6QuoATDYJkrC7xbMzIwM:kbPnHsD2P6Xr2kbos5xO8RQrk6

Score

10^/10

rhadamanthys execution stealer

Static task

static1

Behavioral task

behavioral1

Sample

file.js

Resource

win11-20240611-en

rhadamanthys execution stealer

windows11-21h2-x64

23 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://opensun.monster/25053.bs64

Targets

- Target
  
  file.zip
- Size
  
  25KB
- MD5
  
  93a6f47d15850557072286bd50b3c00d
- SHA1
  
  2b428e32a101a947a342387c5c8afad041f3cff0
- SHA256
  
  e5abe1f82fd818618657b5edec67c172ce04013f7377628112757a4dceddd172
- SHA512
  
  64ece77d9925dba2014091007b99d1722ea9b2c8c6333bea5e799ae1b958a0b7ef2e60c1457dc6a102d2faa7b897a025d5c2ddb9da362b36b5824a68552cda47
- SSDEEP
  
  192:bbqnHZZTuTYiQ5NVbh5/VgLuB1yyqbVAHsDXK3V4+TpP6QuoATDYJkrC7xbMzIwM:kbPnHsD2P6Xr2kbos5xO8RQrk6
Score

10^/10

rhadamanthys execution stealer
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

JavaScript

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

rhadamanthysexecutionstealer

© 2018-2025

Terms | Privacy