rhadamanthys | 10d18771311ea3d32128642debc3a5e7bfdbfa0982e0805558a87ef2497c5fb4 | Triage

Submit
Reports

Overview

overview

Static

static

1

миимссми.png

windows11-21h2-x64

Resubmissions

05-08-2024 22:15

240805-16c9xstgka 10

05-08-2024 22:10

240805-13nw9azfjj 10

Sharing

General

Target

миимссми.png
Size

932KB
Sample

240805-16c9xstgka
MD5

c884fc194231c9b1ea1b3174a4a5d245
SHA1

ed5205b51b632191559f481f20944ebaa7cec4ad
SHA256

10d18771311ea3d32128642debc3a5e7bfdbfa0982e0805558a87ef2497c5fb4
SHA512

c22fc6fea39b9185394a64b32e0b6fcba677e9715390bb96eaac3a8a037d99252eaef9b6757cd6a771d4295ecee17e9aea6037169b5257004930b13621c73ae6
SSDEEP

24576:nUKqVB0thWSrltKGDWVSHd14F0AIAwPWTRawTS5z+2:UKyBcjEoHd5/AwOT/cj

Score

10^/10

rhadamanthys defense_evasion discovery execution stealer

Static task

static1

Behavioral task

behavioral1

Sample

миимссми.png

Resource

win11-20240802-en

rhadamanthys defense_evasion discovery execution stealer

windows11-21h2-x64

26 signatures

150 seconds

Malware Config

Targets

- Target
  
  миимссми.png
- Size
  
  932KB
- MD5
  
  c884fc194231c9b1ea1b3174a4a5d245
- SHA1
  
  ed5205b51b632191559f481f20944ebaa7cec4ad
- SHA256
  
  10d18771311ea3d32128642debc3a5e7bfdbfa0982e0805558a87ef2497c5fb4
- SHA512
  
  c22fc6fea39b9185394a64b32e0b6fcba677e9715390bb96eaac3a8a037d99252eaef9b6757cd6a771d4295ecee17e9aea6037169b5257004930b13621c73ae6
- SSDEEP
  
  24576:nUKqVB0thWSrltKGDWVSHd14F0AIAwPWTRawTS5z+2:UKyBcjEoHd5/AwOT/cj
Score

10^/10

rhadamanthys defense_evasion discovery execution stealer
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Downloads MZ/PE file
- Executes dropped EXE
- Loads dropped DLL
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

File Deletion

Subvert Trust Controls

SIP and Trust Provider Hijacking

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

rhadamanthysdefense_evasiondiscoveryexecutionstealer

© 2018-2024

Terms | Privacy