General

  • Target

    sample

  • Size

    3.7MB

  • Sample

    240903-rfdckazend

  • MD5

    9929782fd681101b61dd6c14de2ef687

  • SHA1

    cacecd7371034ca973add1716eae288be097bad5

  • SHA256

    b62a2247b7a7947d5909507e63d5e756e1de4e3a5cf90b0629adabd4d9eead37

  • SHA512

    e75b19fd2038073b10f8b844f5dcc50da790dac03e263d34579964d6585b7d5420dd89e88f11ce3d24303e3cd332393a411e167bfd2d8e83c4d4d176201e8178

  • SSDEEP

    49152:BCF4MtMz3p0SPlwjfbJZrEs5xtMz3e0ShozikjbZHlL4OF6lrN:g

Malware Config

Extracted

Family

rhadamanthys

C2

https://95.217.44.124:7584/335a04be4e97b94a436125e/u5f5f02f.fhl63

Targets

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

    • SectopRAT payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Blocklisted process makes network request

    • Checks for any installed AV software in registry

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    • Command and Scripting Interpreter: AutoIT

      Uses AutoIT, possibly to run an automated script.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks