General

  • Target

    rsDymE.vbs

  • Size

    506KB

  • Sample

    240913-h8y1as1dqk

  • MD5

    7fba6758ee02d6fbd69db7bb5de82029

  • SHA1

    7c759c4a7681da6e916d8dd80ecfb125f4bf49f5

  • SHA256

    8bed27f5b5a1f3fee9076396dfa556be72ce444e1b0bf1ee536d716939c3a974

  • SHA512

    15c49c436bf5ed535f646f263e70e80f47de620a553a9f7a8a88482385eec5812970fdc0f69b915efa6006a58b16fbf47980f2fa34f54344cbe77ac28cc75722

  • SSDEEP

    12288:0KaH9AkQqyuC+4MXBRNAIPyLKhaDw7JZJGjdbS4VZZ4Ph:89AkJyd+XXBzAIKOUU7Foxn4p

Malware Config

Extracted

Family

rhadamanthys

C2

https://deadmunky.nl:5403/68efc67ee981034e6b329438/h7bgh43h.758up

Targets

    • Rhadamanthys

      Rhadamanthys is an information stealer written in C++, first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Command and Scripting Interpreter: PowerShell

      Uses the powershell.exe command.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks