General

  • Target

    Install_x64.exe

  • Size

    152.8MB

  • Sample

    240805-n6weaaygnh

  • MD5

    718ba2fec3b4922334113b245db63040

  • SHA1

    eb4dbf4c59d14a0e1f9e37f980367c6c0b699548

  • SHA256

    ba64b40b16dc76d830446f87a7f9e2847ba3d921eec7c3226336af8739b59d2c

  • SHA512

    4afd2102fc58dfbd1ec6854bf93700dbfa42c1636609bbbbdef0e71055d970159192ceab1fa7ad1636b6c1b0ba75bc97910199ca2a0900d25fd074b4f7802909

  • SSDEEP

    786432:wt2OSpkMhfqpHCOdRIeoxOTx9ylnEk2Fd7yLie63pk3lLwmYEDQ:wtApkMMi5w9qEn7S6S3zY5

Targets

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Loads dropped DLL

    • Indicator Removal: File Deletion

      Adversaries may delete files left behind by the actions of their intrusion activity.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext
