General

  • Target

    Bootstrapper_V1.19.exe

  • Size

    796KB

  • Sample

    241003-p8nb5a1gmf

  • MD5

    4d58b02c2a252bc3c9b0e400d0d38c34

  • SHA1

    749059703b6333bde494a43c33fa2cf2a4ff8026

  • SHA256

    b6f869f85169eb84ad25aa08d9844a18d8febee43f05f4b3dffb539ec2b7f1b1

  • SHA512

    ea00a0670f7b4381ec43449ded50be7bda58496fcb59b5ba87e22c3b9d5b85b5d4df457c4b4e6c1d38016f9c10d1c8869e9dd4b498f814feacb40d398e2aaed4

  • SSDEEP

    3072:OhMQmmCyYwC+M2FEv80IZOAcXAEJuh9hCyYwC+M2FEv80IZOAD80IZOAB:zmhY7X2Kvh9qhhY7X2KvhEh

Malware Config

Extracted

Family

rhadamanthys

C2

https://135.181.4.162:2423/97e9fc994198e76/02dgpgfn.5rkt4

Targets

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15