rhadamanthys

General

Target

LoaderV6.zip
Size

15.2MB
Sample

240721-rbmensvfjm
MD5

273e74c7c8e4fefcafca7ab2c634fef7
SHA1

9a01e91e93cef5c77de8c70b8ae80da15a540fff
SHA256

18b7e51b0f80744208e78cdbdc707e5b8467991af8bdea3c47f3ee25ad864277
SHA512

d3f788e51d165b72ebf9c46a3463dd594df308bc199a8f70db25945450ab0c5da3cb1aeffeb6cf9f46f323150bd4d5d660fefd054fed956a5b491dd21e228277
SSDEEP

393216:wjdAJ/kHfMO2/w1kBY8l5aFEYF/pAYfxXaI+vQkXLLcDlE610Cgr:wjKsHfMO2/wBFFF/pAYfR0vQk8DlN0Nr

Score

10^/10

Malware Config

Targets

- Target
  
  LoaderV6/Additions/wmpnetwk.dll
- Size
  
  32KB
- MD5
  
  8cd455334b6cdd06beeeb898e1e83052
- SHA1
  
  e104ab973744bac982efa50f055a5a45daed2aee
- SHA256
  
  5270f60d90a15ce9d728c328495fb714daa1267a7363a70225badfa252a38ad0
- SHA512
  
  922f329f32d935946490cb7ff409689f2c2610fd09efe7e9e095a6e10aee838dde585aa6cbc4e816c42c7a61aa989daf3633edd553ed4a355d7eed6225091859
- SSDEEP
  
  192:400xT+MOj4Edw+bRFCPkzMTYEwdwbFS33eWTqa2ilecbAvyv/PjxNlMopnTXmCly:400xvnyK9EN5VlVECXIWeF
Score

1^/10
behavioral1
- Target
  
  LoaderV6/Additions/wmpnssci.dll
- Size
  
  4KB
- MD5
  
  ceb507d981f24eab435ac247a5493dc2
- SHA1
  
  2224b6607b84063173edece209ded693d6f3471c
- SHA256
  
  1c443783d20272e22ef0e2acc0d4ca26ad8623c600882354c4849534b6d8737d
- SHA512
  
  53a9de578985de120a886fbfb0d6a883518b302fbe3d2ae3b8cb4f884578ea644083cff9da88502ca74ffebd46804a5d5bdce2e06f28f146354ad7db3d6bbc46
- SSDEEP
  
  48:yLfpRyfGaEXFvHxKgXk4WTPXQ4utDBbZWqC+2zLI634b6tmfx3gr:SHyfGB1HHU4WTfQ4s9Wh34b6yo
Score

1^/10
behavioral2
- Target
  
  LoaderV6/Additions/wmpnssui.dll
- Size
  
  3KB
- MD5
  
  2644bd70bc685b362cad6e6ab65e038f
- SHA1
  
  46682b4d2fd9e3863c3aaeae000e25ad8ab48825
- SHA256
  
  7b7aa6c204b30808b4ae323931bf340c08c3ddeedc10d836a57e80ac3d67e404
- SHA512
  
  f95ddf830d9efb0c2eea09d10642a7a144259aa609638b33fb667099021d6676e4e0021e5d32a216cbaa23b35a8ebe25cb99cc5a89a8acb53704a7c79c98eedb
Score

1^/10
behavioral3
- Target
  
  LoaderV6/WMPNSSUI.dll
- Size
  
  21KB
- MD5
  
  95111e3aeba84c3dcf05d3dc25a15d30
- SHA1
  
  1539f1e3e76912d02adaac29f8d83231db62dbd3
- SHA256
  
  9887affa2d6eac2ae68dda60af3b9b25ba3cedd00e0861e1e57df5d017146f8a
- SHA512
  
  7547f83181fa2ef6e51923a1475286f571e8f87db7c893c8f86d249ec34eea71eae8cd224f1c05b172153309f8d507d3ac33ec85a6d14a07f80029890174c6b3
- SSDEEP
  
  384:mAFLVVeK3Xvv3IglWAduY4UczbX4q7zqhsA0+/NWapW:ZpvjXnIGY6Q+/v
Score

1^/10
behavioral4
- Target
  
  LoaderV6/loaderV6.exe
- Size
  
  52.5MB
- MD5
  
  4efe5b34754a7b87e7a2fb46664fb245
- SHA1
  
  7a2ffeac89d92fb0fb987cb6b284133e41a1e666
- SHA256
  
  88f6b132a2f2f4bee053e521ca9a212bca12ed681b223ad615d4263c976e152c
- SHA512
  
  a090deac29ae7aa7baf6411d1eef6121f5fdf09eb3d14f57f2b7e1f1f56859a70d12019234055c74df6e339081529c670bdf035c728244435ea8830b2d6f6b14
- SSDEEP
  
  393216:3T6KLdGUHM9yCKxECB54r6X9eDQrps7p6Y:3T6edGUs9yLEFy+sY
Score

10^/10

rhadamanthys discovery evasion execution persistence privilege_escalation stealer trojan
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Downloads MZ/PE file
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks whether UAC is enabled
  evasion trojan
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral5
- Target
  
  LoaderV6/mpvis.DLL
- Size
  
  186KB
- MD5
  
  e7dd6c9ed6db46b3d35cafaa4b7f640e
- SHA1
  
  2d65eefdfa5e71afb82c78bf4b264e87db91b958
- SHA256
  
  6edf856747573fc15433c0923efb93c3ebc29bb5957b373cbb798998381d9d4d
- SHA512
  
  828cf56539c5d2a8e10564c02cdef3a34781787e9414747ad87472b98997843be4e2007ed1aa22f013de0c445b5a9e8fcac8ef85a51df7bed5725f3881cea50d
- SSDEEP
  
  3072:eGGQ8wInYIcRSqMnAzvJC8KBoOGefHFcYBqI1r0flW/9YzG6:eC1InY9UqMAz4brxo4U
Score

1^/10
behavioral6
- Target
  
  LoaderV6/wmpnssci.dll
- Size
  
  497KB
- MD5
  
  e4c5664db410d83a28413aaf29103c5d
- SHA1
  
  3c46a8465acd8ed799e0bfe772b4b3f40cb5a2ce
- SHA256
  
  86cdcc390dd5deace354910bb5ef02843068fdea29a6552b2b0b3737b1f632dd
- SHA512
  
  a8564ed391be37b3bc046e57ccfb1e66c1bf95b6d2b0c7607636452dc69501888759316e3c0385042017617c7c8aec47bb2975e384057f2f7f0010866a11e02d
- SSDEEP
  
  12288:BdTAIUINc5k+JF1JuN4ULTua1BDllfMo88s9Of4:BCIcW+J/+TF1Honr
Score

1^/10
behavioral7