rhadamanthys | 097ca57103fe0a953b99bf318747361692ed34524830aab143879060d6e2fb1d | Triage

Sharing

General

Target

archive.zip
Size

22.0MB
Sample

240710-zy4lgazerl
MD5

473d8bc03e663cd000c20e5e2975750b
SHA1

2535669f5e83091e1fce5273ada039d90d240cf7
SHA256

097ca57103fe0a953b99bf318747361692ed34524830aab143879060d6e2fb1d
SHA512

c16a0fcf09f1112a188eaed9e1b49ba10d279e3306cd99b65b60b7f1a70f37fad653211c9568a80f0e2d94b431f85e9176e457af534ca99d1707ed189fd010c1
SSDEEP

393216:kL530HuXSB7ZLPJYJrUK4OKPtKiIK5LKaxKhHK2VKaiKdWKn9KIYKf66jCx6LOoF:kXSB7ZlYrUK4OKPtKiIK5LKaxKhHK2Vt

Score

10^/10

rhadamanthys evasion spyware stealer

Malware Config

Targets

- Target
  
  archive/setup.exe
- Size
  
  792.5MB
- MD5
  
  0f4e82710cf21a3c36a72f3d5378c32a
- SHA1
  
  6c64e4c47eaf6a74263babaf7add0c1b79e32526
- SHA256
  
  b0212959666982690085eeaa577fbd02d9bbb2a6ae6851a8082deb03001af485
- SHA512
  
  5a521e5a25d2d5861fff0682e81588e8e23348aa80374c3182618c9d85e570fcd8e262441be174a6584fd6504d191439a6174de3268905d658410497e50483aa
- SSDEEP
  
  98304:2joPBEfPICvGozzDssWvOrwfSDM+Hh8gmeFitvuGzbtLxZ:OoqACjPQsWvO8fSDJmcitvuGVL
Score

10^/10

evasion rhadamanthys spyware stealer
- Modifies firewall policy service
  evasion
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2 behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Privilege Escalation

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Disable or Modify System Firewall

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Unsecured Credentials

Credentials In Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Web Service

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

rhadamanthysevasionspywarestealer

behavioral3