Extracted

• • Target

    https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbnI3aEhTeElhbm5nS3JSanFZTlozUlc5dmkzQXxBQ3Jtc0tsNXJBSWdKbGRTVUFxQTZITHRTZVBkb3NFdkhsUEZmd2NfV3dia3hxUVVpczBSSXBzTkpMQkVaa0JfcnBoM0FPYTA0bVRWTm1CWF9aWVBSNi00SFUtU1RwdlpyNjVRV1UwUXZFOHcxT0d2STk1RS1aOA&q=https%3A%2F%2Frekonise.com%2Fexec-ss8lr&v=OQtKIe-vJqw

  Score

  10^/10

  rhadamanthysdefense_evasiondiscoveryexecutionstealer

  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    stealerrhadamanthys

  • Suspicious use of NtCreateUserProcessOtherParentProcess

  • Command and Scripting Interpreter: PowerShell

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution

  • Downloads MZ/PE file

  • Executes dropped EXE

  • Loads dropped DLL

  • Blocklisted process makes network request

  • Enumerates connected drives

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2

  behavioral1