Overview

overview

10

Static

static

3

setupV4.5.zip

windows11-21h2-x64

10

setupV4.5/...al.dll

windows11-21h2-x64

3

setupV4.5/...ds.dll

windows11-21h2-x64

3

setupV4.5/....5.exe

windows11-21h2-x64

8

setupV4.5/...er.dll

windows11-21h2-x64

3

setupV4.5/...dm.dll

windows11-21h2-x64

3

setupV4.5/...ix.sys

windows11-21h2-x64

1

setupV4.5/...pi.dll

windows11-21h2-x64

3

setupV4.5/acwow64.dll

windows11-21h2-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    setupV4.5.zip

  • Size

    15.0MB

  • Sample

    240805-vlswzswepg

  • MD5

    0885d0c87354528911f49d315897fdd1

  • SHA1

    5fe60967ed1afa998376f712e4fa8af3bca1fa88

  • SHA256

    242d45f5768636258f25d282c74c933d2707fb13a7a54e893329ecc9e13ef50f

  • SHA512

    ed957e4a9361f3af3b99d2347b049d6a20921fd0e802dc9e5b01f3ef8da92134056a5ef9170f817e7c6bf4ec08cf107ffbb59eae4f76a669ddedca71c7d0bae8

  • SSDEEP

    393216:9KKjdAJ/kHfMO2/w1kBY8l5aFEYF/pAYfxXaI+vQkXLLcDlE610C9:9KKjKsHfMO2/wBFFF/pAYfR0vQk8DlNr

Score
10/10
rhadamanthysdiscoveryevasionexecutionpersistenceprivilege_escalationstealertrojan

Malware Config

Targets

    • Target

      setupV4.5.zip

    • Size

      15.0MB

    • MD5

      0885d0c87354528911f49d315897fdd1

    • SHA1

      5fe60967ed1afa998376f712e4fa8af3bca1fa88

    • SHA256

      242d45f5768636258f25d282c74c933d2707fb13a7a54e893329ecc9e13ef50f

    • SHA512

      ed957e4a9361f3af3b99d2347b049d6a20921fd0e802dc9e5b01f3ef8da92134056a5ef9170f817e7c6bf4ec08cf107ffbb59eae4f76a669ddedca71c7d0bae8

    • SSDEEP

      393216:9KKjdAJ/kHfMO2/w1kBY8l5aFEYF/pAYfxXaI+vQkXLLcDlE610C9:9KKjKsHfMO2/wBFFF/pAYfR0vQk8DlNr

    Score
    10/10
    rhadamanthysdiscoveryexecutionpersistenceprivilege_escalationstealer

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Network Share Discovery

      Attempt to gather information on host network.

      discovery

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Enumerates processes with tasklist

      discovery

    • Suspicious use of SetThreadContext

    behavioral1

    • Target

      setupV4.5/AcXtrnal.dll

    • Size

      84KB

    • MD5

      7a8363e16731be3c2c8e19d8cc09c55b

    • SHA1

      c91428381a21769b8b0d43ad2ff51ecbf4484148

    • SHA256

      74e806ec92105141400a92bd89b1dc17881df02a5014ebb421853a4ddeb90954

    • SHA512

      d580d64287ff24d410b47865fb328a57c034890f4f8d3185e50cc9d41523b97f35f088b917c73c4752676242d7bd0be5066e4ea8cef5563fa9c4081aa428bc8b

    • SSDEEP

      1536:kvR1FvU175th5AuXKoG1P7fTCUTj/y5BnJAGVrpXn6PO:U817R2JoEDTCUT+9JAGVrpXn6

    Score
    3/10
    discovery
    behavioral2

    • Target

      setupV4.5/AdaptiveCards.dll

    • Size

      41KB

    • MD5

      43c11ee7a1d9f62c429972c07dd33229

    • SHA1

      c091b972937d18f9a52c4fd33188e4f3e401ccb7

    • SHA256

      f8e015de2e77647dcaa2d0e1b9b1ac284e9d987385b9947591813b4bd6796e32

    • SHA512

      cb9a76ae4ffe1c297bb81537efb14b2686f2a7c37dcce874d107d22b37bf28b34d4f0b2e29fd2fdb992dfb15dc583dce7c140bb8a4d20f0331bc93b26f6401c8

    • SSDEEP

      768:svEUgi5QYojjPIKg7yrGEw4zk/NF1IzZLrop4NVXldt1vZstPGck6jv:s8UgiW7jPIKeyrARNF+lu0JDvZsBGcks

    Score
    3/10
    discovery
    behavioral3

    • Target

      setupV4.5/SetupV4.5.exe

    • Size

      52.5MB

    • MD5

      4efe5b34754a7b87e7a2fb46664fb245

    • SHA1

      7a2ffeac89d92fb0fb987cb6b284133e41a1e666

    • SHA256

      88f6b132a2f2f4bee053e521ca9a212bca12ed681b223ad615d4263c976e152c

    • SHA512

      a090deac29ae7aa7baf6411d1eef6121f5fdf09eb3d14f57f2b7e1f1f56859a70d12019234055c74df6e339081529c670bdf035c728244435ea8830b2d6f6b14

    • SSDEEP

      393216:3T6KLdGUHM9yCKxECB54r6X9eDQrps7p6Y:3T6edGUs9yLEFy+sY

    Score
    8/10
    discoveryevasionpersistenceprivilege_escalationtrojan

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Checks whether UAC is enabled

      evasiontrojan

    • Maps connected drives based on registry

      Disk information is often read in order to detect sandboxing environments.

    • Network Share Discovery

      Attempt to gather information on host network.

      discovery

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Enumerates processes with tasklist

      discovery
    behavioral4

    • Target

      setupV4.5/SetupV4.5/AddressParser.dll

    • Size

      52KB

    • MD5

      09a620a0d09694d03bc8fd5d8b8aa819

    • SHA1

      a7db367da4c455f7b4e42e9055ce1ca58923bd85

    • SHA256

      381a701b27ba655a6833a02803a36aa6607904f6fb3c0b5530bacdf92f00da78

    • SHA512

      68f17d726ad6811fcd4487340dbe13d7d97d515fed967dbefaa6b52ffe26b13f55f682939d1425624f83068e1b75c05fc10a601a81f01805c97fc9feffcb33c1

    • SSDEEP

      768:WljQbhFMQUmxHqE3F0J0Q0K/SzFCe+VyDQc2gxpj+FrH53rNWiXI2Itp/zn:WV+fggKCFCe+Vdo2H7NWiY2It

    Score
    3/10
    discovery
    behavioral5

    • Target

      setupV4.5/SetupV4.5/Apphlpdm.dll

    • Size

      29KB

    • MD5

      e166daac460eb2a7a67c9a5a2dcccf1f

    • SHA1

      994ff138c195fb13d4cd3446ab68224b2c210a2c

    • SHA256

      09725c772489573d6b1489591ec1e0f580c5c1f650f82d0a112a44fc89842938

    • SHA512

      0605565ae013f5973a2946796a83c1484ada9dbfeeca0b379267e90037426ecf8932310a3f431cced44bba4c722fdb201ea865df91df0803246f9f73b287d374

    • SSDEEP

      384:dlPLo/0VIp747y9M+qzviYng+B2CLCB8j17fzWY9Wf0jgvnTEySeC:dZIp74glmviylJ17fXeCqVC

    Score
    3/10
    discovery
    behavioral6

    • Target

      setupV4.5/SetupV4.5/afunix.Dll

    • Size

      30KB

    • MD5

      66e126ffbbda83ec089d1bb77164ba91

    • SHA1

      d784850e42c29e5d22f5d3e91d5ea5d6ecd124e6

    • SHA256

      bb83da6810925f0b28c7d22ac1f99f46e312b2669b81ee207a66a3650ca9fd94

    • SHA512

      d19b21b7de34469e09335aa82b6e06a106e36cacf59be8a549d7e70a8fbb4e22d29f4a5166ee77373770ce354b64277ddb37400bb5eda95408b099a7d7edbfdc

    • SSDEEP

      768:98D6z7qHpekPfjTEPfPZFTqzK3J46aWevll:9Q63qHpeQsPPsKovll

    Score
    1/10
    behavioral7

    • Target

      setupV4.5/SetupV4.5/appidapi.dll

    • Size

      54KB

    • MD5

      9803723f2be4fb990b88b3cc883731c0

    • SHA1

      fb7b51ba3aff0df9bde338a28efaafa5e9520454

    • SHA256

      2827e2a738ad0337979739558e6da19a012dc91ecad863e594ff268f78e93575

    • SHA512

      34bdc8e091c6348d42699e7f21fe9c620d786b542dcc2542ef097a2d93d2fcc5e6a2720b3d13c58a488719fffa35a59b58ab4c35f6caca97a3d7aa4d57490fca

    • SSDEEP

      1536:SZWOik+pqC5ZflGtJmU32to/UdWxPwBs+zue0:SoqUtvf4PmU32twUm6q5

    Score
    3/10
    discovery
    behavioral8

    • Target

      setupV4.5/acwow64.dll

    • Size

      37KB

    • MD5

      94e972f7e5f6662dece2c435047d9fa0

    • SHA1

      4f782489bd2cf9f3cf97a17dd2ab158d75022599

    • SHA256

      99c6d28b981552f92341da34deee0a4e0212bfb76f0d5b29711331ad47b9ed25

    • SHA512

      7c4dc945c9c69681cd72329696c9837d60c413bcc0b35429ebc3868bdb30b814e80ce36682cb97aca21130cfd963600631da59acbd3fe3de4fa1f735e16047c2

    • SSDEEP

      768:+6cW1qHGnnU5yadOKjGfDVoHOqAQG2gcwO6:+6c6q2nedO2GfZoHOqm2gcwO6

    Score
    3/10
    discovery
    behavioral9

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Event Triggered Execution

2
T1546

Component Object Model Hijacking

1
T1546.015

Image File Execution Options Injection

1
T1546.012

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Network Share Discovery

1
T1135

Peripheral Device Discovery

1
T1120

Process Discovery

1
T1057

Query Registry

6
T1012

System Information Discovery

7
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

System Network Configuration Discovery

1
T1016

Internet Connection Discovery

1
T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks