rhadamanthys

General

Target

LoaderV4.4.zip
Size

15.6MB
Sample

240717-zszqbsyepk
MD5

a74803eb00543ff67aa80c08d99bf541
SHA1

ec3edafd0434e744779a5d47dc905ea63c4dab79
SHA256

eeed7afd78dddae6f6c222b955fa1ca656b48fa2e04f87db11092dc87d2c86ee
SHA512

9d92a3c71ab8b48f91db5cd0d05e4b171b7d00451916b808eb3a6d381fa0eb98fa38aac9b19042a5910801051af4dadddd10510da5a3fe657aae7f12207e3aa4
SSDEEP

393216:WvidJWySZDG3y3gk4AZe5L4uXoX0jFtN28f968or:WaQyEDGi3gkRe5LRX8gG

Score

10^/10

Malware Config

Targets

- Target
  
  LoaderV4.4/PhysxExt.dll
- Size
  
  2.9MB
- MD5
  
  6ff985653d41e8d60bb1293f01729adf
- SHA1
  
  1ae3086a16a91ea45c06d34071d8b3b87e058804
- SHA256
  
  224ba9fe747ed7266a392961586db8a716553b85760fe3083e6d345034868d8f
- SHA512
  
  fd47a81000dcd98adc03d1f45a172c19b2e8aa3c8f13338bda0b00407f7b81b52e0fa9be3f9ef87fb1303231225e83b9dd8c39a0777ee56ccd54abc52d095b87
- SSDEEP
  
  24576:fZJJSVBjkvvhwVxKKpQgRQ8sUOwDUsHeHfcKtaPRO/o5o4Z/5rLyv+Fe:xJegvvhTKTRcPDqho4F5rLyW4
Score

10^/10

rhadamanthys discovery execution persistence privilege_escalation stealer
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  LoaderV4.4/project.exe
- Size
  
  52.5MB
- MD5
  
  3eb6376c717a6b35a03f3a4e2b6fcd63
- SHA1
  
  a67ea170cadaca17909b5ec073bb67b78021ad93
- SHA256
  
  898e84ed69196f047092951b2b7597dfa082cc598d1e34dc0ac63f1199164042
- SHA512
  
  ffc115a0b247d1b6ca67954fbaef10927b8e061f734ede28559e73e89c4bebafac4bab418c01af0a3d01de7ca0921fc2e810c2481ede181fb5172ca97550b852
- SSDEEP
  
  393216:rD25/dZfUTy8uwiqQEj0+86X9mDwrps7p+5:rD2NdNUu8uaQ6XWg5
Score

8^/10

discovery evasion persistence privilege_escalation trojan
- Downloads MZ/PE file
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
behavioral3 behavioral4