rhadamanthys

Sharing

Copy URL

Twitter E-mail

General

Target

BloxFlipPredictor.zip
Size

12.9MB
Sample

240627-vlwymstbkl
MD5

18ca2e81648f76b449888a21493bf3f6
SHA1

8b4f2b94bf5c218092703a069ddaa531d65ab9f1
SHA256

8d7e3ee51b3228c604b607ad50508f60658f61793f802ee9236f288a17d512dd
SHA512

f37aa0c58be7efad71e2f11f0acdb04a593476bb6e3006e8868228834e5b8ba56757c9dcbf5aa0ac4a0bd50b4a481d20a52dcf9ac4dbdfe79d7f4e3942ab4e2e
SSDEEP

196608:J9knNgV0xRb6w+53cNebmivXSAmC4uymyKkjmchv9tchJoWKzD0xkLcOqKnK:Ui0r6p53cymivXckyKIm6FtcrKznImnK

Score

10^/10

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://rentry.org/lem61111111111/raw

Targets

- Target
  
  Launcher.exe
- Size
  
  7KB
- MD5
  
  b5e479d3926b22b59926050c29c4e761
- SHA1
  
  a456cc6993d12abe6c44f2d453d7ae5da2029e24
- SHA256
  
  fbc4058b92d9bc4dda2dbc64cc61d0b3f193415aad15c362a5d87c90ca1be30b
- SHA512
  
  09d1aa9b9d7905c37b76a6b697de9f2230219e7f51951654de73b0ad47b8bb8f93cf63aa4688a958477275853b382a2905791db9dcb186cad7f96015b2909fe8
- SSDEEP
  
  192:q+yk9cqvjX3xszdzztCbxbsIcaqc2Ng5vGIcaBSNtUqOwciQjdv:Tyk9Hv1O/Cbxbbcaqc2NidcaANt/dcio
Score

10^/10

execution rhadamanthys discovery evasion persistence stealer
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Creates new service(s)
  persistence execution
- Downloads MZ/PE file
- Stops running service(s)
  evasion execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Legitimate hosting services abused for malware hosting/C2
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  bloxflip.dll
- Size
  
  1.2MB
- MD5
  
  9e8d0c3657240a19225f0dcc5ee67e66
- SHA1
  
  ac10e50ad6893094e34ef5ad6adfa4af1693550a
- SHA256
  
  bd9710b72dab2913d92731ee96904b22a43a178664c9b7b60bd41f3c04738900
- SHA512
  
  a0a5b2ec05b8d9e997a21d8d60d793c247bc8f59ef742e01373687884813d3dd20786dde36bb6cedd2c6ac1fc11bbee049cf01fb725ec25c67590bf0f4ab3de2
- SSDEEP
  
  24576:oPws+up2wxVNNMV6QIMYExzfAqo0IfX1e:oPws+jwxbN+63fsjLIte
Score

1^/10
behavioral3 behavioral4
- Target
  
  bloxflip_x64.dll
- Size
  
  121KB
- MD5
  
  0dea1240e52375e2cd6c6056720da5f8
- SHA1
  
  37a4a277e51727e5fb6384760c19baf207aeffba
- SHA256
  
  f22f279160e0a9979d311f4ae64b29f6cf480dbca488b9977810d5b6d770b482
- SHA512
  
  1e12e2c7c90bd75c060b073aa47e406733a7a196a2f2785c902acb968090b5b083d15280404757d06d67c43bd2e4a608fe45d9d4ebc743e861d1f28715442abf
- SSDEEP
  
  3072:KJB7frfe/i1+evBJA9CZQ1CLXAtpFrpqpqpvKINZwwcrP8cx:KJhrfe/i5pXy1CeKp
Score

1^/10
behavioral5 behavioral6
- Target
  
  d3dcompiler_47.dll
- Size
  
  4.7MB
- MD5
  
  2191e768cc2e19009dad20dc999135a3
- SHA1
  
  f49a46ba0e954e657aaed1c9019a53d194272b6a
- SHA256
  
  7353f25dc5cf84d09894e3e0461cef0e56799adbc617fce37620ca67240b547d
- SHA512
  
  5adcb00162f284c16ec78016d301fc11559dd0a781ffbeff822db22efbed168b11d7e5586ea82388e9503b0c7d3740cf2a08e243877f5319202491c8a641c970
- SSDEEP
  
  49152:KCZnRO4XyM53Rkq4ypQqdoRpmruVNYvkaRwvhiD0N+YEzI4og/RfzHLeHTRhFRNc:xG2QCwmHPnog/pzHAo/A6l
Score

1^/10
behavioral7
- Target
  
  dxcompiler.dll
- Size
  
  20.8MB
- MD5
  
  74f676688f0ce73468828a733eef1ae2
- SHA1
  
  66fc9924eafea64c7466760cba06b471bf135532
- SHA256
  
  1638c1a8486ec32a826a1e414e92dcb8c7c7c1668d071d97ba767c6a96b53b37
- SHA512
  
  455e1847743e7d289bcbba9b72015ac85fce1444b914ad59ffd7b0209604b50c018abddf472a000d205ed7c0d80a48ded56c886b7adf153733aef7cd36ab09cb
- SSDEEP
  
  393216:5sor/VKSqhURirPtV+mW7zpfa2k4ZMmsMBGl/5:5NB84ZMmsMIl/
Score

1^/10
behavioral8 behavioral9
- Target
  
  vk_swiftshader.dll
- Size
  
  4.9MB
- MD5
  
  183c887b6d1268d583740312d0852fea
- SHA1
  
  a33b881d863a8e8e808d6ddb906b8f8c8c348138
- SHA256
  
  2fb5bd2897fa99ca5dcf2d45830a07755d30d6d8cc3751d80be28cbd90226030
- SHA512
  
  372c1b95613b3273a374f6f025b36717b4fff9b18a30a6ab97df92c5e9b615dcada7660c12d77a19960ff63f2b9078937cc2c75ed60d3a7361e455ad150a9fda
- SSDEEP
  
  49152:ynQMZsIbvKss+W3QXTvxcz/hDDuaqoKgCkE636GOmHdKDRxVop26ArW80WHBC+4y:2QM7SQ6ufnHXYGnokh
Score

1^/10
behavioral10 behavioral11
- Target
  
  vulkan-1.dll
- Size
  
  933KB
- MD5
  
  e43b12cf3c7a21a5c50d3c7b4f88ab04
- SHA1
  
  79664cf6cfb23c3e78361f817bac1440e6c7fe41
- SHA256
  
  a73ef0a1dc0578cf64e856dc9461ba135bd742f3d5f60713e4d645e17533e9c9
- SHA512
  
  656841544adf4fac2abde64bd62bc9392e76178797e81f73a13af05f84e6f51ad83aba1320a2af17e910bc3eb35c40ef9ba386f36ebd443ac04acefc10dc0248
- SSDEEP
  
  24576:57SR7TmAl/bFPmGDsfNy6Z5WiDYsH56g3P0zAk7LZIOayz:57A/bFPmH86Z5WiDYsH56g3P0zAk7LE
Score

1^/10
behavioral12 behavioral13