General

  • Target: Osu-Freedom-Hack-main.zip

  • Size: 882KB

  • Sample: 240802-saeh4stbkg

  • MD5: aa794ff1326370fb9a3ce3898b5d1574

  • SHA1: a482e2ef26075b65fb4e60054671a406c0f0e428

  • SHA256: e061199d4b9ed772f1c2e3f3f71fc1697a8d726879643e82e6ee1238c8c2ec5d

  • SHA512: da7906d4703c6ab8f477f1d02b21aa22924568fdbf97de94b2da819aab9cd4edd911365b136887d7fc5caaae59c16e6f34cd960a197b77b50f7ee4175adda4a1

  • SSDEEP: 24576:RWJQmrfjNiVrGroGxgkIKgK0fVXpWDtDRnB:gJf/NqrGMGxUdtBpWDhZB

Targets

    • Target: Osu-Freedom-Hack-main/freedom1.12.dll

    • Size: 1.2MB

    • MD5: 36dea25d49b9dff21acebface8ea2044

    • SHA1: 5bd97162bc98e36c124811c360dbf29c6233405e

    • SHA256: d960a2eac5e7f1aa04e9f8d0da4eb9bb0b097ca58d0ce83ea1bb8351baf26301

    • SHA512: 64f06db24297e30d7ec91d3cf9ccc33f28eb9041e463933866b09de0d138d964505aa38f32158be5e5491e4aa68d8ae77bccce9c068e5980d2281a24294bccf8

    • SSDEEP: 24576:1iE0l9oS0Cl/9qZPcYJZEiDO3ytIPMunHuGKFufrrH1:YE0l1ZlVsPc06i63aIPZnBX

    Score: 8/10
    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops desktop.ini file(s)

    • Legitimate hosting services abused for malware hosting/C2

    • Network Service Discovery

      Attempts to gather information on the host's network.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Target: Osu-Freedom-Hack-main/freedom_loader.exe

    • Size: 355KB

    • MD5: bb84cc2853596d21a318576c4995fcce

    • SHA1: 477a224d5b4e398b34a978ac19def1cbafb211d3

    • SHA256: 6135bdbcfd9f824b3da0bef2ba73018a998967e20c5d0274c6a1c0433649b017

    • SHA512: aa32be3d91bf6e2c8fed0d0e0407723466b477ab0d27c5d3cd705ac73365ab4c56de4f16d4786ee586e750d6835eba09775dbf5a93b0da0eaea4326f2fc2bd5c

    • SSDEEP: 6144:g2qezd2ab1/RuHk+M3k8M3W7XomjOJCqshrOlumY6DMIewgxQfqksb:gf2R/EEkCQFYDwRqv

    • Rhadamanthys

      Rhadamanthys is an information stealer written in C++, first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

MITRE ATT&CK Enterprise v15