General
-
Target
356718348bcea435440e1eff66f69846adba5bfcd54c0ef651ddc417fc4b768c
-
Size
35.2MB
-
Sample
240712-hlmnrasfml
-
MD5
9197cc137bc572fd352583a07e72f7d0
-
SHA1
a01cbc892bcc80b3bfbfd4da71c66b777f895ee5
-
SHA256
356718348bcea435440e1eff66f69846adba5bfcd54c0ef651ddc417fc4b768c
-
SHA512
d38ce9638e3318a3f53bdfa842f979706dc6386943d455fc8d857e963ce626f1c0655a1eec3e49e10311edb33e4b25afb2e8116ef5c99bc4225a13879acdca18
-
SSDEEP
786432:6HsIwWlWG/aPLI507wAfdXSqa/q49k40o84KGN9EYjodJmcZ:KNl4DI5kwAfa/qgjKEb52
Malware Config
Extracted
https://two-root.com/02074.bs64
Targets
-
-
Target
x64__setup__build_18957/Sysprep/en-US/sysprep.exe.mui
-
Size
9KB
-
MD5
a3c4e7fb74bce863d13bd8ecab167d9f
-
SHA1
a2ceffd0a5a21785d62211608dcc04840297a642
-
SHA256
cde2d677dc2813b2b28db9f000c4eb38282b3c5258f9f1a2adae8c6cd66b073d
-
SHA512
97044c92b03bcf7e9482e964310a8afa2044209d4fa25b69ea531f7b8cba24778095017c60579fdb44d92e0e2ccc0e3e1487d530adf0612d6396d2b35cbed818
-
SSDEEP
192:FhoxuIyF48mMUqEV6EDEG3hEr9J3aZWh4m7x2WtcW3:ENO45vyYch1QWtcW3
Score1/10 -
-
-
Target
x64__setup__build_18957/Sysprep/sysprep.exe
-
Size
1.3MB
-
MD5
6bd9aecd5d43133e4046dd6ee22611d3
-
SHA1
e7f75f7ee4a6359cefc20f3ef5662119cbd5ef2a
-
SHA256
c723d7dcb559386d16be57498185fcf17ff8f68ff952f4add84cef6ecb58d672
-
SHA512
b208d3348f65d2c696973874f78e9a700ea036b5a764dba2d44067876c6def251f5ae410840c8548962ce6c17c8cb2a60a5fdfffc5d3bb6f1d4284ef32fed62a
-
SSDEEP
12288:+e62N1AcIjxMCN8/Uq54/t4KAWoiQ6Ppa+syKYnk3:+uNqqCe/f5u2fj6PuynnY
Score1/10 -
-
-
Target
x64__setup__build_18957/fmapi/SEMgrPS.dll
-
Size
40KB
-
MD5
76e12d39f82567db28b132e245d9e3ce
-
SHA1
53cbd54614b8e21e78096d32ddebf0771b359c37
-
SHA256
5edd09d2a2e2e03ac2fa7db4c7b9f4ee300c696534788dbedaf9cee617a97ab1
-
SHA512
62de3ef3caf4997e0f1b02f5805a5da757c7506dcf5e6f93ed9870b6a53858dd24f588700dc2e6cd1d524291fb0fe1968169a52c53e9253244f7ebd633b89f4a
-
SSDEEP
384:tASguFmJEqu2MZ3RDil1jt9exCUF9n10jaTANQ+1Lxdprb4Y75WRkWmmca9pa:KK9JbyFUF910GANQ+1pgYg
Score1/10 -
-
-
Target
x64__setup__build_18957/fmapi/fmapi.dll
-
Size
73KB
-
MD5
cd7f7d5bff3559fde6fcd68b5f29d0a7
-
SHA1
54daaa8d71c723b96a658d07b804f305204ac57b
-
SHA256
cd375aeab416e68c62ed19bc2f2c5e59725ce3be1f92f2daaea0c8298917d4ed
-
SHA512
9916fc444f6d9bb50f470ed2d2288518a984b8a908293afd52e9a15c39f00dc2cce9663abcbbc940303c49c68d33a5a7b0d13636956f468b2863f39737b8cf0f
-
SSDEEP
1536:RkMyR7TMzLXqUoyNegAjFlgk5zXXceHJ:RLyRngLaQUR55TZJ
Score1/10 -
-
-
Target
x64__setup__build_18957/fmapi/sppnp.dll
-
Size
269KB
-
MD5
ce2827a201e3df7986f1db198081c1c1
-
SHA1
c4f9077fc98e5d70545daef31007a9dd9b589f32
-
SHA256
207816a107793a554f18e480b59de9b5f98b0bbd54a7e81ecf666e538e0e363b
-
SHA512
8aee1936800ff447deb172c6110dbb6593cba3cbbf5f6185049af250602bb50e4c20029e7fed033c574717065bd924272b30516e57422b5094b1b3d8445db151
-
SSDEEP
3072:OAiWbUe6ZATojLurmI6hUsRuG79fMj5k9kVZ4UQebrPA48dLrJGyCM7X8AuSVcVq:3YVGmI67945V2ebrPA48dLrbBcIzh
Score4/10 -
-
-
Target
x64__setup__build_18957/fmapi/tzautoupdate.dll
-
Size
180KB
-
MD5
51cf16070f442daede8d61dcb7ffe87a
-
SHA1
7bbf4fb5bbca2c83b53bf0274b01204ab488a576
-
SHA256
2a352c7ca6d2c3794311cc404514877979f5b896c66edbffafe876689acb7d02
-
SHA512
700261819d78b3ceb3105e636d1fcb812502168c40c41f4975abb6ccd8452aa5e76a5f9b6f579a730e79332c64a99cf67ac27e4390cdbc73da19891c700a8b85
-
SSDEEP
3072:IewznZCOUogbNMQF7PF3PlW3THAC6i+ZD4uZcgK2FHTMkkK:IvznZojb7F7PF3NWDHACTDUcaFzvk
Score1/10 -
-
-
Target
x64__setup__build_18957/hal/KBDKOR.DLL
-
Size
15KB
-
MD5
dc5c272b83b4d9769c87a50ffe662130
-
SHA1
c79491aaddaf3239b43628e3d3b94baa18caf5df
-
SHA256
9d73451eed80c7cff7d4a4f796fdc58cf0badc31925b97fd8bf9f27e1e52e173
-
SHA512
c79bbe9e14e126f827c8ca7250d20e79590cdf587608fe91507da51de0475b83e576271a16ed941ad6091c6d387547d30fb233a7d44b4bc52105b2f6a6a4bdf0
-
SSDEEP
192:38uFvmPZMzmQPYumuenzk3pBQNL4nPZGQUWAaW4O:MPZ4meYuFezEpBQenhGWAaW4O
Score1/10 -
-
-
Target
x64__setup__build_18957/hal/duser.dll
-
Size
575KB
-
MD5
0de31834191b9524a69f8b8aad655b3b
-
SHA1
ffc55693372b60b587ea9298b20629e2bc2906db
-
SHA256
c7be8a83ef861073c9f9e510a579d42cfae6dd04a92bdd98273e0c8a99a413cc
-
SHA512
ff0cd8d7782714f098536bf82eb3a27e62cc4ea9d5faf9f35e0f19858001c04d0f2ec0c0093dff3b6694fec4452230ca1ab59c2dae317e67ddf15505a967d240
-
SSDEEP
6144:E7i0j5jXCDZfjDFdCEmpY3y8upRrSq5ID8XdEELnFluG22G+sM4O1l6lAJHyPvN:DtrDFCY3y8u+LAXB7FluGRKCYd
Score1/10 -
-
-
Target
x64__setup__build_18957/hal/fontext.dll
-
Size
966KB
-
MD5
280699e5c068ef4aa58d9c6b211cf8a7
-
SHA1
fabe1e84a6e8de4b1c49f1fd304baf23f20d26a3
-
SHA256
4a2de5e3428d80783d1651ec0c8fe29557e421c93aa0009c99a5c6c4abc907d4
-
SHA512
dd5ceadd707fd6a8a94de01a03ed235387cf24e1bf1fd22dca04263e56207bbe1e8bf2510dd40f8d460fa6a524910eb718bf898d7ad92f6c7523fa622a23e031
-
SSDEEP
12288:ZJ8p80yvsuv2A6/N8c3S/sa9j/wHXuvYdSnEGzuMnEP0Afd:BTouc3Stjgu4/GzuMnEPz
Score1/10 -
-
-
Target
x64__setup__build_18957/hal/hal.dll
-
Size
17KB
-
MD5
01fd720f78d7d72e19ca732a909ae005
-
SHA1
e542847f226190042cfda60dd8be6266d5e5d4a4
-
SHA256
9c32cef8fb1d4eb0fcec864617b850594eeeac2fe0163de77aa2f947fba4f3be
-
SHA512
dada83d0ca3f90d5c1e8facdf8141b7098be241efe2800ae51826c7445cf3c6801f751e9f500400af50a672643439975e85ffac0f9f2f2ed56a3f4729361e959
-
SSDEEP
384:MkqP8+N5nC+k6yIwws9sCQZWu7kWXddhMDBRJM1x85zR9zF6Nn:qi+aITsGFTdhM1PM109z2n
Score1/10 -
-
-
Target
x64__setup__build_18957/msvcp140/PeopleAPIs.dll
-
Size
118KB
-
MD5
0d641a44b3976e97944259f97c340caa
-
SHA1
4c077e6749f19fe80fe2d97839b823395d876023
-
SHA256
cbc0e6262b52b82c8f789912a0ca2bfac26d83279121cf1173e05272af8ad803
-
SHA512
ee29a08e7c2583187807c9d6ecb3404be86f24380ccd56d75d8ba358540de2e1d4e50775f0fc1a653440ee346c47711135c22a433cfc56bfa73d6dadf7ee5b17
-
SSDEEP
3072:ahF8Wkwpx9URc4FbQPddTBa/o0h8hwkBPNX6J40lbazf+TVD+lgVCTl5:eKWkwpx9URcgbQH8kTl
Score1/10 -
-
-
Target
x64__setup__build_18957/msvcp140/msvcp140.dll
-
Size
554KB
-
MD5
53a6dd2062e438cfdfc3327cd48e9a43
-
SHA1
02f7cb32c424d06fab1937ce0203952fe0f558e6
-
SHA256
9b783a58b3e1cd9976169f3ca9329f868b7980966d34a84274c2208a64f8b6fb
-
SHA512
d24d58d940e7b77bdd36dfc1b601eed9355f9d9560152196754dbb9c1ce3276646003b23af34274b971b87c39da1681f3b1e6f81721b81c68441a12895cb9825
-
SSDEEP
12288:D0+cOjCI4JxkdGwm9b39KJ7TgQSToGet+VfTxZ5HU/Z8y8RQEKZm+jWodEEV8q:A+cJjxzH68RQEKZm+jWodEEuq
Score1/10 -
-
-
Target
x64__setup__build_18957/msvcp140/ngccredprov.dll
-
Size
664KB
-
MD5
1a253557334204253f4a20a93eb184cb
-
SHA1
0b6462c2fa6b68f1da59870f3d4fdaef721d18e3
-
SHA256
99b0ec136f91c61af0e6fc357b08cdb6d6182ddf2e2e12d933e3ce6d5e333422
-
SHA512
dbfb25cc8a2252fde6434d816e256b7a0431236e1e8556bbc75c6e3241989d13a6426d8811ffdebe4b0e601354a2c7cb6825c7d5c02b11d38ce7692ceb870581
-
SSDEEP
6144:CJnJp6mOysk+NFNnBzMyLC1oCuEgWVxOLpxPHX1vDGXxKjHOBOG0O0/vSuQi8hTw:CJ+x++NNzMD3lrbOLLlvqXxmuBOr
Score1/10 -
-
-
Target
x64__setup__build_18957/msvcp140/provdatastore.dll
-
Size
97KB
-
MD5
73a9db35423ec62f017158089f9b676d
-
SHA1
e8c7ea91c0a33db3931ba8933854ae73d19e00e8
-
SHA256
8985aaef15357e165fb411a62e2a4bd9d5628c71767f81ecabfd1f0ce0ca68aa
-
SHA512
3aacf8ac37c477e9cfd9610862572e4a6b2d7cd2da3e90823bf71698c603b4c9125f828b4beeea7174799dba9398e1bf6105b556b6a286e70ba6b05b322a860b
-
SSDEEP
3072:Z4yfY6zIX+6ACkc4P37YfV2Ciq1KS+6XquIMqNrH:Z4yfY6zIOtYfV2xq0J6XLIMG
Score1/10 -
-
-
Target
x64__setup__build_18957/setup.msi
-
Size
34.8MB
-
MD5
92e08e754cfaf2b872bd52f9c1491c24
-
SHA1
a0447c63b8b5d0b85fce76390820a5ea78b0e8c7
-
SHA256
8735b260af2dd098418563efcc05d006f22239ba04108de94dbabc638dfd338f
-
SHA512
3f2f7466e87020bef1137c219fff109cca44adbfda4a05aa2caba6ef9dc9be53a5b6cdd7c9738b32a43e45fd6b3f99fa814cecbfd2180877da5c7800631d9629
-
SSDEEP
786432:BqTRkI57hVSZmlNdonqUuhGMCiEIS/vTis1MDN:Bq1T57jSZmGnqUezSTt
Score10/10-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Command and Scripting Interpreter: PowerShell
Run Powershell and hide display window.
-
Blocklisted process makes network request
-
Enumerates connected drives
Attempts to read the root path of hard drives other than the default C: drive.
-
Suspicious use of SetThreadContext
-
-
-
Target
x64__setup__build_18957/spoolss/MSAMRNBSource.dll
-
Size
99KB
-
MD5
21dd8585802c8ddefdbf95c7b4f9700e
-
SHA1
77e1a4c1b65edcef679571660a4bfb7a2b029c5b
-
SHA256
b050cb2685e2da30d72b9bf837754fb07a83566ae97b78f8998cce31356508f4
-
SHA512
64553196c07110c1c86fdda822393f40fc661e2424fca2f74819e4c845b8b7bf19683b3267adbef69847592095725d341cc0f5ce0988e98274320d4bbe39e9b9
-
SSDEEP
3072:fmcVDKNEHbW/VGDblNRfiQnaN0ept2cL+8vkRnrHmA:sebWAtNRfiQnaN0ept2eh8rH
Score7/10-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
-
-
Target
x64__setup__build_18957/spoolss/ReportingCSP.dll
-
Size
120KB
-
MD5
505dcdac9a54975aa65fedb50a49712b
-
SHA1
761caa6af32caa1138355e9271d8fa95aabbc6f8
-
SHA256
7c46620ba1785adb6450b41e648a231eaf47d50c6dc56109b5d37b9537c39778
-
SHA512
6d940cd5d57b5347fc35d9c31e2f2505d23958177afc85128e088b3df28d550828a3ec8fd3176126c2ecd956238e4357f8bdc0827044911a2cbcd277de974bcc
-
SSDEEP
3072:Xjn1O9nfVQgFM9LkFS7umnsQ6gnjQp+LLLLL0jbYqEuv:Xr1O9f1FM9LlymnsQ6o04LLLLL0jbYqv
Score1/10 -
-
-
Target
x64__setup__build_18957/spoolss/spoolss.dll
-
Size
99KB
-
MD5
97ea00e1b73e6b8b3b4d045dd4b22334
-
SHA1
53f90c2a04a58977a419b27c786e2a5ce5089996
-
SHA256
c0a42b03016f5090bdc7d7f70ff9d9ea2082a4fca8f45f778265db6020d81a75
-
SHA512
81cc01c22db282dc5cb8e3a07ada7d0cb76d13c64ef72c5239dfd3ef4ef468e3f3a086bb3cf33eca5d32c10d5c4bd2cd38ab71d78d57e43a8d256ab78605f24e
-
SSDEEP
3072:UMlUeXQ08yVjDA99DVoJv0ma+CNk3poDr:UMlZXQ01VjDAHDVoJv0ma+l3po
Score1/10 -
-
-
Target
x64__setup__build_18957/spoolss/stobject.dll
-
Size
306KB
-
MD5
eb37729b447c90fc81df94bcfde7097c
-
SHA1
8a08b217bab182c31786d23e72ef7f700c1a2234
-
SHA256
b4bb94723589d24ae446ee2d259f810928a4c58ce4c95c3d84ed27ea651114df
-
SHA512
6c9b09a2422434d9d990ba8811d27fda09b7016c8ee969237c65668739b72fb5b9dc7fe428d4367a1de83691805c0c4edc2f6d29f8ced00f4180b07bcaf3c38f
-
SSDEEP
6144:129//6rq2sw6gPrUZ0eFfv3RBjD+MiFl:Frq2swxiV3RBTc
Score1/10 -
-
-
Target
x64__setup__build_18957/sysmain/devobj.dll
-
Size
162KB
-
MD5
e0321ef29b88da13c5d0fd6335b6090c
-
SHA1
0140ce9dfff126cf48bef067ee6192b868a95311
-
SHA256
aea1e23dbb84a4eb5f7d1a3cebbbe13f6cf8a0115033687d7c6dfdff19eda80d
-
SHA512
10b6f153256227cfa6cfe8cf7df5a905a18adb0e10c0f3408f20f237a30849058ce218f88e009dc74e85e9734c54422ae11ff7d9cc97b8de674db661010a498f
-
SSDEEP
3072:XcgAKKoIDocNLn2D8RlsDC2xi2T0w3y6re/+81/K/BNar:XcZovcZn2oRlsDzD5y61w9
Score1/10 -
-
-
Target
x64__setup__build_18957/sysmain/eapphost.dll
-
Size
344KB
-
MD5
d6aa5f430ced4d98cca2f4c0e6d63a5d
-
SHA1
427908bf4f21709bd1c9324db6d050ae5499a073
-
SHA256
478fe0b778f0d643664e57bca4a25c92959c557921b390d1de5b4dd497a5d642
-
SHA512
5d832ae9c59fbed5d9f8d748f045602b3f342fb436a501e98cf6122bb99a8ce93565c7f30e525ef7c3d99d8db00997ce4fb95a462279a812d490ae711b988a59
-
SSDEEP
6144:gJvNJQSmoT6iSSMO2+aUC6RuSwzSB4cV5jItQhdFcY2+YbDy:QvNJQVoiO2DUC6cSwzOZvs2/6+Y6
Score7/10-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
-
-
Target
x64__setup__build_18957/sysmain/shacct.dll
-
Size
142KB
-
MD5
ea57daabed46f3695f2ae2771ce03ddd
-
SHA1
fecd4ba466a08741518c4bc3e50822ed60f4db44
-
SHA256
9d4e44b85e7b39ae69cf85c877dc50fb1f4b336eaed304ddf93c03bc46c02c64
-
SHA512
83a78130b496f14961a19c9f44159d697a7571a4462757a7ed2b0649e207c388b27ac534b9bb0361318de0aad3ba54f67ebe442d0964669dc6ec03fbe30e5d10
-
SSDEEP
3072:oxECadGNNfjUenR3pZn7oArjkf2Zw+e1d:oxDadC7vZnkf2Zw
Score1/10 -
-
-
Target
x64__setup__build_18957/sysmain/sysmain.dll
-
Size
982KB
-
MD5
6c608c28f3469a3fbb1fc762945aed44
-
SHA1
250e0a04f55b8bcf10b18bd343fc2fe648f8e6b8
-
SHA256
07f5694d440b9807db933e7091bc002c395b99f01a4423316118f1a860b60c1e
-
SHA512
11af42558f371a7a98b92f32eb441de6f7afa53b294494c7ad6e4c65f84594427da2d1c60b55bec084e8d097f597fba9e12711b9b01d48388d5143be028c5c23
-
SSDEEP
24576:gufcVZxYDn1sanpd1fwUFMPsisHvoIgbRGd:8s71smFfwUqPsHeG
Score1/10 -
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
2Component Object Model Hijacking
1Installer Packages
1Privilege Escalation
Event Triggered Execution
2Component Object Model Hijacking
1Installer Packages
1