General
-
Target
Install_x64.exe
-
Size
152.8MB
-
Sample
240805-n6weaaygnh
-
MD5
718ba2fec3b4922334113b245db63040
-
SHA1
eb4dbf4c59d14a0e1f9e37f980367c6c0b699548
-
SHA256
ba64b40b16dc76d830446f87a7f9e2847ba3d921eec7c3226336af8739b59d2c
-
SHA512
4afd2102fc58dfbd1ec6854bf93700dbfa42c1636609bbbbdef0e71055d970159192ceab1fa7ad1636b6c1b0ba75bc97910199ca2a0900d25fd074b4f7802909
-
SSDEEP
786432:wt2OSpkMhfqpHCOdRIeoxOTx9ylnEk2Fd7yLie63pk3lLwmYEDQ:wtApkMMi5w9qEn7S6S3zY5
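Before acting on a verdict, confirm that the file in hand is the sample this report describes. The Python below is an added example, not part of the report or of the sandbox's own tooling: it reads a file once, feeds every chunk to all four digests listed above, and compares the result with the report's hashes. The byte strings it is exercised with are constructed test inputs, not the sample.

```python
import hashlib
import io

# Hash IOCs for Install_x64.exe, copied from the report above.
REPORT_HASHES = {
    "md5": "718ba2fec3b4922334113b245db63040",
    "sha1": "eb4dbf4c59d14a0e1f9e37f980367c6c0b699548",
    "sha256": "ba64b40b16dc76d830446f87a7f9e2847ba3d921eec7c3226336af8739b59d2c",
    "sha512": "4afd2102fc58dfbd1ec6854bf93700dbfa42c1636609bbbbdef0e71055d970159"
              "192ceab1fa7ad1636b6c1b0ba75bc97910199ca2a0900d25fd074b4f7802909",
}

ALGOS = ("md5", "sha1", "sha256", "sha512")
CHUNK_SIZE = 1 << 20  # 1 MiB reads: the sample is ~150 MB, never load it whole


def hash_stream(fobj, algos=ALGOS):
    """Hash a binary file object once, updating every digest from the same read."""
    hashers = {name: hashlib.new(name) for name in algos}
    for chunk in iter(lambda: fobj.read(CHUNK_SIZE), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algos=ALGOS):
    """Convenience wrapper for in-memory data (used by the tests)."""
    return hash_stream(io.BytesIO(data), algos)


def compare_with_report(observed, report=REPORT_HASHES):
    """Return (verdict, per-algorithm match map).

    'match'        every listed digest agrees
    'no-match'     none agrees: this is a different file
    'inconsistent' some agree and some do not: a copy error in the IOC list,
                   or a file crafted to collide on a weak digest (MD5 collisions
                   are practical), so do not treat an MD5-only hit as identity
    """
    matches = {name: observed.get(name, "").lower() == digest.lower()
               for name, digest in report.items()}
    if all(matches.values()):
        verdict = "match"
    elif any(matches.values()):
        verdict = "inconsistent"
    else:
        verdict = "no-match"
    return verdict, matches


def check_file(path, report=REPORT_HASHES):
    """Hash a file on disk and compare it against the report."""
    with open(path, "rb") as f:
        return compare_with_report(hash_stream(f), report)


if __name__ == "__main__":
    import sys
    verdict, matches = check_file(sys.argv[1])
    print(verdict)
    for name, ok in matches.items():
        print(f"  {name}: {'ok' if ok else 'MISMATCH'}")
```

Treat only a SHA-256/SHA-512 agreement as confirmation; the per-algorithm map exists so that an MD5-only hit is visible as the anomaly it is rather than hidden behind a boolean.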
Static task
static1
Behavioral task
behavioral1
Sample
Install_x64.exe
Resource
win10-20240611-en
Malware Config
Targets
-
Target
Install_x64.exe
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++, first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Blocklisted process makes network request
-
Command and Scripting Interpreter: PowerShell
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Executes dropped EXE
-
Loads dropped DLL
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
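Two of the behaviours above, Defender exclusions added through PowerShell and the external IP lookup, are the ones most worth turning into detections, because both leave telemetry on every host rather than only in a sandbox. The Python below is an added example, not part of the report or the sandbox: it runs two rules over constructed events in the shape of Sysmon Event ID 1 (process create) and Event ID 22 (DNS query). The command line, the excluded paths and the lookup domain in those events are invented for the example; the report does not say which values or which service this sample used, and the list of lookup services is an assumed common set.

```python
import re

# Constructed telemetry, modelled on Sysmon Event ID 1 (process create) and
# Event ID 22 (DNS query). Not taken from the sandbox run: the exclusion values
# and the queried domain are assumptions made for this example.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"Add-MpPreference "
                "-ExclusionPath 'C:\\Users\\Public' -ExclusionExtension exe,dll "
                "-ExclusionProcess Install_x64.exe\""},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Get-Process"},
    {"id": 22, "image": r"C:\Users\Public\Install_x64.exe", "query": "api.ipify.org"},
    {"id": 22, "image": r"C:\Windows\explorer.exe", "query": "www.microsoft.com"},
]

# Public "what is my IP" services (assumed common set; the report names none).
IP_LOOKUP_DOMAINS = (
    "api.ipify.org", "ipify.org", "ipinfo.io", "icanhazip.com", "ifconfig.me",
    "checkip.amazonaws.com", "ip-api.com", "myexternalip.com", "ipecho.net",
)

MPPREF_RE = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.IGNORECASE)
# Parameter name followed by one value: single-quoted, double-quoted, or bare.
# Accepts both "-Param value" and "-Param:value".
EXCL_RE = re.compile(
    r"-Exclusion([A-Za-z]+)(?:\s+|:\s*)(?:'([^']*)'|\"([^\"]*)\"|([^\s\"']+))",
    re.IGNORECASE,
)


def _kind(name):
    """Resolve a possibly abbreviated parameter name the way PowerShell does:
    any unambiguous prefix binds, so -ExclusionPa is Path, -ExclusionPr is
    Process, -ExclusionE is Extension. Other parameters (e.g. -ExclusionIpAddress)
    are ignored."""
    n = name.lower()
    for prefix, kind in (("pa", "Path"), ("pr", "Process"), ("e", "Extension")):
        if n.startswith(prefix) and kind.lower().startswith(n):
            return kind
    return None


def detect_defender_exclusions(cmdline):
    """Return {'Path': [...], 'Extension': [...], 'Process': [...]} when the
    command line calls Add-/Set-MpPreference with exclusion parameters, else None.
    Comma-separated values are split into individual exclusions."""
    if not MPPREF_RE.search(cmdline):
        return None
    found = {}
    for m in EXCL_RE.finditer(cmdline):
        kind = _kind(m.group(1))
        if kind is None:
            continue
        raw = next(g for g in m.groups()[1:] if g is not None)
        values = [v.strip() for v in raw.split(",") if v.strip()]
        found.setdefault(kind, []).extend(values)
    return found or None


def detect_ip_lookup(query):
    """Return the matching lookup service when a DNS query targets one, else None."""
    q = query.lower().rstrip(".")
    for domain in IP_LOOKUP_DOMAINS:
        if q == domain or q.endswith("." + domain):
            return domain
    return None


def scan(events):
    """Apply both rules to a list of events and return the findings in order."""
    findings = []
    for ev in events:
        if ev["id"] == 1:
            excl = detect_defender_exclusions(ev.get("cmdline", ""))
            if excl:
                findings.append({"rule": "defender_exclusion_via_powershell",
                                 "image": ev["image"], "detail": excl})
        elif ev["id"] == 22:
            svc = detect_ip_lookup(ev.get("query", ""))
            if svc:
                findings.append({"rule": "external_ip_lookup",
                                 "image": ev["image"], "detail": svc})
    return findings


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f["rule"], f["image"], f["detail"])
```

Command-line matching is defeated by encoded commands (`-EncodedCommand`) and string concatenation inside the script; feed the same rule the decoded text from PowerShell script block logging (Event ID 4104) to cover those. The IP-lookup rule is low fidelity on its own, since legitimate software queries these services too; its value is the combination with the parent image, here a freshly dropped executable rather than a browser.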