rhadamanthys | 52a2cba32abcbd03409af6bd2d945a5caf9aa96df0ab7b50fc24769603daa081 | Triage

Submit
Reports

Overview

overview

Static

static

1

3ag3jpquii3of.html

windows11-21h2-x64

Sharing

General

Target

3ag3jpquii3of
Size

4KB
Sample

240827-nhdjkazdll
MD5

92b86c989c812ab6f4820bab995439fe
SHA1

869d7477aaf0af66ddfdcdd8bb035d39ddaf65d3
SHA256

52a2cba32abcbd03409af6bd2d945a5caf9aa96df0ab7b50fc24769603daa081
SHA512

08d13bd10fd6dcf22c2fd2e8fd9821d2d3e5958cd3cb3fe9020928f6df22c96f594ed767e260b5c4cf9bd3e404d4edd1c43f8f131e2c38ef3d4dc77a14b18143
SSDEEP

96:zfZ9Z6pRRL9AGSyd99gevVIPgJm+HDvCDZlrNxvnx/IJ:zbZSC1+jvCD3rDvnx/0

Score

10^/10

rhadamanthys defense_evasion discovery persistence privilege_escalation stealer

Static task

static1

Behavioral task

behavioral1

Sample

3ag3jpquii3of.html

Resource

win11-20240802-en

rhadamanthys defense_evasion discovery persistence privilege_escalation stealer

windows11-21h2-x64

29 signatures

300 seconds

Malware Config

Extracted

Family

rhadamanthys

C2

https://144.76.133.166:8034/5502b8a765a7d7349/gful07nl.rfoel

Targets

- Target
  
  3ag3jpquii3of
- Size
  
  4KB
- MD5
  
  92b86c989c812ab6f4820bab995439fe
- SHA1
  
  869d7477aaf0af66ddfdcdd8bb035d39ddaf65d3
- SHA256
  
  52a2cba32abcbd03409af6bd2d945a5caf9aa96df0ab7b50fc24769603daa081
- SHA512
  
  08d13bd10fd6dcf22c2fd2e8fd9821d2d3e5958cd3cb3fe9020928f6df22c96f594ed767e260b5c4cf9bd3e404d4edd1c43f8f131e2c38ef3d4dc77a14b18143
- SSDEEP
  
  96:zfZ9Z6pRRL9AGSyd99gevVIPgJm+HDvCDZlrNxvnx/IJ:zbZSC1+jvCD3rDvnx/0
Score

10^/10

rhadamanthys defense_evasion discovery persistence privilege_escalation stealer
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Component Object Model Hijacking

Privilege Escalation

Event Triggered Execution

Component Object Model Hijacking

Defense Evasion

Indicator Removal

File Deletion

Subvert Trust Controls

SIP and Trust Provider Hijacking

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

rhadamanthysdefense_evasiondiscoverypersistenceprivilege_escalationstealer

© 2018-2024

Terms | Privacy