rhadamanthys | ce35819b8e52f92738534f2b0c0d468bdade96eba64a41915618ab11c04c994a | Triage

Submit
Reports

Overview

overview

Static

static

1

setup.msi

windows7-x64

6

setup.msi

windows10-2004-x64

Sharing

General

Target

setup.msi
Size

25.2MB
Sample

240618-p92adavbmf
MD5

9e10d740b32cd15a4fb9a947f911b924
SHA1

6ed60f2f79f986cbf4cc6ab1076522b9c762c272
SHA256

ce35819b8e52f92738534f2b0c0d468bdade96eba64a41915618ab11c04c994a
SHA512

d793f50e6a417a8c75da3a3e809c9cb2d2724d92600e994a90c4198f47937ad462d1682a5277fcb3f0d6648fee2511a2b43c96ff96e8e6a7bec4e461b6bd7a08
SSDEEP

393216:o+OBUMu/xfGNU/6EiKJ5q7cPYALEUEZZ5XXMHjmPaKshz8Rk3KRrREZ78t0N:o+FMSuNCXFYHnbBXHaJ8a3wrREit0

Score

10^/10

rhadamanthys execution persistence privilege_escalation stealer

Static task

static1

Behavioral task

behavioral1

Sample

setup.msi

Resource

win7-20240508-en

persistence privilege_escalation

windows7-x64

9 signatures

150 seconds

Behavioral task

behavioral2

Sample

setup.msi

Resource

win10v2004-20240226-en

rhadamanthys execution persistence privilege_escalation stealer

windows10-2004-x64

20 signatures

150 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://gotry-gotry.com/25053.bs64

Targets

- Target
  
  setup.msi
- Size
  
  25.2MB
- MD5
  
  9e10d740b32cd15a4fb9a947f911b924
- SHA1
  
  6ed60f2f79f986cbf4cc6ab1076522b9c762c272
- SHA256
  
  ce35819b8e52f92738534f2b0c0d468bdade96eba64a41915618ab11c04c994a
- SHA512
  
  d793f50e6a417a8c75da3a3e809c9cb2d2724d92600e994a90c4198f47937ad462d1682a5277fcb3f0d6648fee2511a2b43c96ff96e8e6a7bec4e461b6bd7a08
- SSDEEP
  
  393216:o+OBUMu/xfGNU/6EiKJ5q7cPYALEUEZZ5XXMHjmPaKshz8Rk3KRrREZ78t0N:o+FMSuNCXFYHnbBXHaJ8a3wrREit0
Score

10^/10

persistence privilege_escalation rhadamanthys execution stealer
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Event Triggered Execution

Installer Packages

Privilege Escalation

Event Triggered Execution

Installer Packages

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

persistenceprivilege_escalation

behavioral2

rhadamanthysexecutionpersistenceprivilege_escalationstealer

© 2018-2024

Terms | Privacy