rhadamanthys

General

Target

releases
Size

245KB
Sample

240902-fpdh5stbqh
MD5

e23488271cbfb1482ed9c70eb22dba8b
SHA1

c21161bbf851d93e36e86fd862f8841fb8950b3c
SHA256

97e1b9b1cd23d525be7dba8ba13b9ca7be56a4b33a9ee3b0b9bee3572973563c
SHA512

2fc582ce8a910a843800d30620a6fcb42f644958332b3b0ccd0d8e74f5b224691cc1f2da69eb5109d82e95a9214d74dd570730d4b5350105962739094cca4fde
SSDEEP

6144:jboSQ3uokeOvHS1d1+CNs8wbiWQl9/vZJT3CqbMrhryf65NRPaCieMjAkvCJv1VU:voSQ3uokeOvHS1d1+CNs8wbiWQl9/vZx

Score

10^/10

Malware Config

Extracted

Family

rhadamanthys

C2

https://144.76.133.166:8034/5502b8a765a7d7349/k5851jfq.guti6

Targets

- Target
  
  releases
- Size
  
  245KB
- MD5
  
  e23488271cbfb1482ed9c70eb22dba8b
- SHA1
  
  c21161bbf851d93e36e86fd862f8841fb8950b3c
- SHA256
  
  97e1b9b1cd23d525be7dba8ba13b9ca7be56a4b33a9ee3b0b9bee3572973563c
- SHA512
  
  2fc582ce8a910a843800d30620a6fcb42f644958332b3b0ccd0d8e74f5b224691cc1f2da69eb5109d82e95a9214d74dd570730d4b5350105962739094cca4fde
- SSDEEP
  
  6144:jboSQ3uokeOvHS1d1+CNs8wbiWQl9/vZJT3CqbMrhryf65NRPaCieMjAkvCJv1VU:voSQ3uokeOvHS1d1+CNs8wbiWQl9/vZx
Score

10^/10

rhadamanthys collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Credentials from Password Stores: Credentials from Web Browsers
  Malicious Access or copy of Web Browser Credential store.
  credential_access stealer
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Downloads MZ/PE file
- Drops file in Drivers directory
- Clipboard Data
  Adversaries may collect data stored in the clipboard from users copying information within or between applications.
  collection
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Unsecured Credentials: Credentials In Files
  Steal credentials from unsecured files.
  credential_access stealer
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
  defense_evasion
- Enumerates processes with tasklist
  discovery
- Hide Artifacts: Hidden Files and Directories
  defense_evasion
- Suspicious use of SetThreadContext
behavioral1