General

  • Target

    Bootstrapper_V1.19.exe

  • Size

    796KB

  • Sample

    241003-p8nb5a1gmf

  • MD5

    4d58b02c2a252bc3c9b0e400d0d38c34

  • SHA1

    749059703b6333bde494a43c33fa2cf2a4ff8026

  • SHA256

    b6f869f85169eb84ad25aa08d9844a18d8febee43f05f4b3dffb539ec2b7f1b1

  • SHA512

    ea00a0670f7b4381ec43449ded50be7bda58496fcb59b5ba87e22c3b9d5b85b5d4df457c4b4e6c1d38016f9c10d1c8869e9dd4b498f814feacb40d398e2aaed4

  • SSDEEP

    3072:OhMQmmCyYwC+M2FEv80IZOAcXAEJuh9hCyYwC+M2FEv80IZOAD80IZOAB:zmhY7X2Kvh9qhhY7X2KvhEh

Malware Config

Extracted

Family

rhadamanthys

C2

https://135.181.4.162:2423/97e9fc994198e76/02dgpgfn.5rkt4

Targets

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Legitimate hosting services abused for malware hosting/C2

MITRE ATT&CK Enterprise v15
