Overview

overview

10

Static

static

3

020425c9fc...6e.exe

windows7-x64

10

020425c9fc...6e.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    020425c9fc833c6851f81b9db71b47eda800d4ecacc91eb8f3d6ee27b3beff6e

  • Size

    78.6MB

  • Sample

    240930-wzlv9sshnd

  • MD5

    a9d05cdad3fe65155827871bde492212

  • SHA1

    9d1bc989b096780822350a3917912eb922f25dd6

  • SHA256

    020425c9fc833c6851f81b9db71b47eda800d4ecacc91eb8f3d6ee27b3beff6e

  • SHA512

    4772efa008b9a502a06b2338acd70636d21ef021779428cc2e02edd92d47743c8fb0aa1b0b3082f2a5d6d4f3971d1632094c2aa5649df6fb6ef4df8869662cac

  • SSDEEP

    1572864:2ZSs15m6LOhdKU+itv+tSU11+ofQZreT6C4pQFSIzAumScqExB:Gj1ZAKU1tvWSU1w6ZTdXFJAftB

Score
10/10
rhadamanthysdiscoverypersistencespywarestealer

Malware Config

Targets

    • Target

      020425c9fc833c6851f81b9db71b47eda800d4ecacc91eb8f3d6ee27b3beff6e

    • Size

      78.6MB

    • MD5

      a9d05cdad3fe65155827871bde492212

    • SHA1

      9d1bc989b096780822350a3917912eb922f25dd6

    • SHA256

      020425c9fc833c6851f81b9db71b47eda800d4ecacc91eb8f3d6ee27b3beff6e

    • SHA512

      4772efa008b9a502a06b2338acd70636d21ef021779428cc2e02edd92d47743c8fb0aa1b0b3082f2a5d6d4f3971d1632094c2aa5649df6fb6ef4df8869662cac

    • SSDEEP

      1572864:2ZSs15m6LOhdKU+itv+tSU11+ofQZreT6C4pQFSIzAumScqExB:Gj1ZAKU1tvWSU1w6ZTdXFJAftB

    Score
    10/10
    rhadamanthysdiscoveryspywarestealerpersistence

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Event Triggered Execution: Image File Execution Options Injection

      persistence

    • Sets service image path in registry

      persistence

    • Uses Session Manager for persistence

      Creates Session Manager registry key to run executable early in system boot.

      persistence

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Event Triggered Execution

1
T1546

Image File Execution Options Injection

1
T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Event Triggered Execution

1
T1546

Image File Execution Options Injection

1
T1546.012

Defense Evasion

Modify Registry

2
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Tasks