General

Target: Osu-Freedom-Hack-main.zip
Size: 882KB
Sample: 240802-saeh4stbkg
MD5: aa794ff1326370fb9a3ce3898b5d1574
SHA1: a482e2ef26075b65fb4e60054671a406c0f0e428
SHA256: e061199d4b9ed772f1c2e3f3f71fc1697a8d726879643e82e6ee1238c8c2ec5d
SHA512: da7906d4703c6ab8f477f1d02b21aa22924568fdbf97de94b2da819aab9cd4edd911365b136887d7fc5caaae59c16e6f34cd960a197b77b50f7ee4175adda4a1
SSDEEP: 24576:RWJQmrfjNiVrGroGxgkIKgK0fVXpWDtDRnB:gJf/NqrGMGxUdtBpWDhZB
Static task: static1

Behavioral task: behavioral1
Sample: Osu-Freedom-Hack-main/freedom1.12.dll
Resource: win7-20240705-en

Behavioral task: behavioral2
Sample: Osu-Freedom-Hack-main/freedom1.12.dll
Resource: win10v2004-20240802-en

Behavioral task: behavioral3
Sample: Osu-Freedom-Hack-main/freedom_loader.exe
Resource: win7-20240708-en

Behavioral task: behavioral4
Sample: Osu-Freedom-Hack-main/freedom_loader.exe
Resource: win10v2004-20240802-en
Malware Config

Targets

Target: Osu-Freedom-Hack-main/freedom1.12.dll
Size: 1.2MB
MD5: 36dea25d49b9dff21acebface8ea2044
SHA1: 5bd97162bc98e36c124811c360dbf29c6233405e
SHA256: d960a2eac5e7f1aa04e9f8d0da4eb9bb0b097ca58d0ce83ea1bb8351baf26301
SHA512: 64f06db24297e30d7ec91d3cf9ccc33f28eb9041e463933866b09de0d138d964505aa38f32158be5e5491e4aa68d8ae77bccce9c068e5980d2281a24294bccf8
SSDEEP: 24576:1iE0l9oS0Cl/9qZPcYJZEiDO3ytIPMunHuGKFufrrH1:YE0l1ZlVsPc06i63aIPZnBX
Score: 8/10

- Downloads MZ/PE file
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Legitimate hosting services abused for malware hosting/C2
- Suspicious use of NtSetInformationThreadHideFromDebugger
Target: Osu-Freedom-Hack-main/freedom_loader.exe
Size: 355KB
MD5: bb84cc2853596d21a318576c4995fcce
SHA1: 477a224d5b4e398b34a978ac19def1cbafb211d3
SHA256: 6135bdbcfd9f824b3da0bef2ba73018a998967e20c5d0274c6a1c0433649b017
SHA512: aa32be3d91bf6e2c8fed0d0e0407723466b477ab0d27c5d3cd705ac73365ab4c56de4f16d4786ee586e750d6835eba09775dbf5a93b0da0eaea4326f2fc2bd5c
SSDEEP: 6144:g2qezd2ab1/RuHk+M3k8M3W7XomjOJCqshrOlumY6DMIewgxQfqksb:gf2R/EEkCQFYDwRqv
Score: 10/10

- Rhadamanthys
  Rhadamanthys is an info stealer written in C++, first seen in August 2022.
- Suspicious use of NtCreateUserProcessOtherParentProcess
MITRE ATT&CK Enterprise v15

Defense Evasion
- Modify Registry (1)
- Subvert Trust Controls (1)
- Install Root Certificate (1)