General

  • Target

    7c86e8c4143be0e27af9558ca46b3b4d7c5bee5e58e18902757bc02f6a3863a2.exe

  • Size

    1.5MB

  • Sample

    240830-bzt7essdrr

  • MD5

    29c6df4f70bc29919dba16a04c08800c

  • SHA1

    0c6083da1f78d6d365138cc96724ee7f33b4b7de

  • SHA256

    7c86e8c4143be0e27af9558ca46b3b4d7c5bee5e58e18902757bc02f6a3863a2

  • SHA512

    30c9c7e62f8cb8d05e3dfcf0c526f9943fb648f91cd156a356550b0be326bde79bcfd638bd8b956577a0b8860eea186a4b80fab1b79deeee6a35515a927db666

  • SSDEEP

    49152:ETXLOO0MV8+2vk1rrts0LDAYjNxyBVQEBX9:EV0gVjrrtsMkYBxQVQEBX9

Malware Config

  • Extracted

  • Family

    rhadamanthys

  • C2

    https://80.209.243.182:8094/c47580f52cd88a21fb/gb51j2km.kui3h

Targets

    • Target

      7c86e8c4143be0e27af9558ca46b3b4d7c5bee5e58e18902757bc02f6a3863a2.exe

    • Size

      1.5MB

    • MD5

      29c6df4f70bc29919dba16a04c08800c

    • SHA1

      0c6083da1f78d6d365138cc96724ee7f33b4b7de

    • SHA256

      7c86e8c4143be0e27af9558ca46b3b4d7c5bee5e58e18902757bc02f6a3863a2

    • SHA512

      30c9c7e62f8cb8d05e3dfcf0c526f9943fb648f91cd156a356550b0be326bde79bcfd638bd8b956577a0b8860eea186a4b80fab1b79deeee6a35515a927db666

    • SSDEEP

      49152:ETXLOO0MV8+2vk1rrts0LDAYjNxyBVQEBX9:EV0gVjrrtsMkYBxQVQEBX9

    • Rhadamanthys

      Rhadamanthys is an information stealer written in C++, first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Deletes itself

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Enumerates processes with tasklist

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks