General
-
Target
setup.zip
-
Size
17.5MB
-
Sample
240811-ry5vjatell
-
MD5
14f1142ba2a969fb79ee60886aa89eee
-
SHA1
7ccd15d2b1db1001c6c17550e7c3735494dd60a0
-
SHA256
6edabaa1a35a493910bfa9e21bbc0ebe851cb631a2ec49d22c006109834426ba
-
SHA512
73ef2830ea8e3ed332f4ec85833a8b497263fddd6bd1fce4d0885e37025ed89354543aa42406bb6e13bb6ed61cc05e429c7b09f19d8c7c79893467fa52f7c86b
-
SSDEEP
393216:ASzkcQy8bkGWaW2dNcv0z6HbQ0Cdw8llIKV2vB5s2esHzQGncrq+p9:ASzkD3IYW2jM0z67Q3llICcOsHzQGncJ
Malware Config
Targets
-
-
Target
setup.zip
-
Size
17.5MB
-
MD5
14f1142ba2a969fb79ee60886aa89eee
-
SHA1
7ccd15d2b1db1001c6c17550e7c3735494dd60a0
-
SHA256
6edabaa1a35a493910bfa9e21bbc0ebe851cb631a2ec49d22c006109834426ba
-
SHA512
73ef2830ea8e3ed332f4ec85833a8b497263fddd6bd1fce4d0885e37025ed89354543aa42406bb6e13bb6ed61cc05e429c7b09f19d8c7c79893467fa52f7c86b
-
SSDEEP
393216:ASzkcQy8bkGWaW2dNcv0z6HbQ0Cdw8llIKV2vB5s2esHzQGncrq+p9:ASzkD3IYW2jM0z67Q3llICcOsHzQGncJ
Score10/10-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Event Triggered Execution: Image File Execution Options Injection
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Checks installed software on the system
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
-
Maps connected drives based on registry
Disk information is often read in order to detect sandboxing environments.
-
Network Share Discovery
Attempt to gather information on host network.
-
System Binary Proxy Execution: Verclsid
Adversaries may abuse Verclsid to proxy execution of malicious code.
-
Checks system information in the registry
System information is often read in order to detect sandboxing environments.
-
Enumerates processes with tasklist
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Event Triggered Execution
3Accessibility Features
1Component Object Model Hijacking
1Image File Execution Options Injection
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Event Triggered Execution
3Accessibility Features
1Component Object Model Hijacking
1Image File Execution Options Injection
1Scheduled Task/Job
1Scheduled Task
1Discovery
Network Share Discovery
1Peripheral Device Discovery
1Process Discovery
1Query Registry
6System Information Discovery
7System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1