Overview

overview

10

Static

static

1

URLScan

urlscan

http://moon predictor

windows10-2004-x64

10

Resubmissions

01-09-2024 11:59

240901-n5w97azgpa 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    http://moon predictor

  • Sample

    240901-n5w97azgpa

Score
10/10
rhadamanthysagilenetcredential_accessdiscoverypyinstallerspywarestealer

Malware Config

Extracted

Family

rhadamanthys

C2

https://195.3.223.126:4287/9d0dc091285eb9fbf2e/o8f3c8oj.8rdif

Targets

    • Target

      http://moon predictor

    Score
    10/10
    rhadamanthysagilenetcredential_accessdiscoverypyinstallerspywarestealer

    • Detect rhadamanthys stealer shellcode

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • Credentials from Password Stores: Credentials from Web Browsers

      Malicious Access or copy of Web Browser Credential store.

      credential_accessstealer

    • Downloads MZ/PE file

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Obfuscated with Agile.Net obfuscator

      Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

      agilenet

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Unsecured Credentials: Credentials In Files

      Steal credentials from unsecured files.

      credential_accessstealer

    • Accesses cryptocurrency files/wallets, possible credential harvesting

      spyware

    • Legitimate hosting services abused for malware hosting/C2

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Enumerates processes with tasklist

      discovery

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Tasks