General

  • Target

    S500RAT.exe

  • Size

    19.7MB

  • Sample

    240802-pyv9zs1fnb

  • MD5

    a30b20982e46cdf912f2921376499146

  • SHA1

    d2733e2dbc3cfece6d6dc8d6656720b32bc7c288

  • SHA256

    67221baac9a770a9d8ca6e69d0770fb33b3bc6a1e548c3a4349a750f1c2ee950

  • SHA512

    20eff0091c733a0bb6a98b8fda8cc597b1d1293e3a1cad5e90459b3b22a241b8528490fba83535bd07cb50deff582086ccf25b2e296780135e1b62fcd6d10b4d

  • SSDEEP

    393216:M+D6Dn2BamajCGVS7yCzIWHS0wsZ4/jQLoLZ0bmWWxPIPlGMfF64GsYIjgfIQwsG:7ARmGVStBxe/jYoLZKWxPIPlGMZG3qIG

Malware Config

Extracted

  • Language

    ps1

  • Source

    ps1.dropper

  • URLs

    https://pastebin.com/raw/p2s7tDSd

Targets

    • Detect rhadamanthys stealer shellcode

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Blocklisted process makes network request

    • Drops file in Drivers directory

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Adds Run key to start application

    • Legitimate hosting services abused for malware hosting/C2

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks