General

  • Target

    setup.msi

  • Size

    25.2MB

  • Sample

    240618-p92adavbmf

  • MD5

    9e10d740b32cd15a4fb9a947f911b924

  • SHA1

    6ed60f2f79f986cbf4cc6ab1076522b9c762c272

  • SHA256

    ce35819b8e52f92738534f2b0c0d468bdade96eba64a41915618ab11c04c994a

  • SHA512

    d793f50e6a417a8c75da3a3e809c9cb2d2724d92600e994a90c4198f47937ad462d1682a5277fcb3f0d6648fee2511a2b43c96ff96e8e6a7bec4e461b6bd7a08

  • SSDEEP

    393216:o+OBUMu/xfGNU/6EiKJ5q7cPYALEUEZZ5XXMHjmPaKshz8Rk3KRrREZ78t0N:o+FMSuNCXFYHnbBXHaJ8a3wrREit0

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://gotry-gotry.com/25053.bs64

Targets

    • Target

      setup.msi

    • Size

      25.2MB

    • MD5

      9e10d740b32cd15a4fb9a947f911b924

    • SHA1

      6ed60f2f79f986cbf4cc6ab1076522b9c762c272

    • SHA256

      ce35819b8e52f92738534f2b0c0d468bdade96eba64a41915618ab11c04c994a

    • SHA512

      d793f50e6a417a8c75da3a3e809c9cb2d2724d92600e994a90c4198f47937ad462d1682a5277fcb3f0d6648fee2511a2b43c96ff96e8e6a7bec4e461b6bd7a08

    • SSDEEP

      393216:o+OBUMu/xfGNU/6EiKJ5q7cPYALEUEZZ5XXMHjmPaKshz8Rk3KRrREZ78t0N:o+FMSuNCXFYHnbBXHaJ8a3wrREit0

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Run Powershell and hide display window.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks