Overview

overview

10

Static

static

3

GGLoader.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    GGLoader.rar

  • Size

    6KB

  • Sample

    241004-vlsk8awapm

  • MD5

    749994111118fa49df5aa944bb7dce85

  • SHA1

    3c2e2ce95ea4cc35492a046b4260b97f3db99068

  • SHA256

    872fca0defa8aaf02e8e8915626a3098c7d31052267c946ec59bc330db7bde17

  • SHA512

    9dad9e409c894d6cb0397b97fe3e0b9b4f4c4b60418c8439bf6397e5cd42a5ac96b4b138b0a9359025c06e5c2932e152990934a4351504d4d47270664900e846

  • SSDEEP

    192:1nvOoIssZzyPiTNhIhbdNZxR/MN1jM+7zZoiG:VvEP1B5hI5zZTk7zg

Score
10/10
rhadamanthysdefense_evasiondiscoveryevasionexecutionpersistencestealer

Malware Config

Targets

    • Target

      GGLoader.exe

    • Size

      19KB

    • MD5

      982e4ae4559538cfb529dfaff0507880

    • SHA1

      a3b0e3989d6e40792134286e40448004ebeda077

    • SHA256

      95a08f9fd8741d2b265a43143289af012ca24cee776609bc79337d63988246fd

    • SHA512

      35d23d332c0389b3d3e7086613e60d73c158a7dd408bc4320ccb10aba8c2755ea99bf0d484cd257d53d42a6fe95a9bab0c606e7c580039aa5334767a4096662f

    • SSDEEP

      384:/LVHmcPXblyCKGK9dnORWsK7PPZzcuIYZKJHtZW39cDpbJO:/hHHPbICKJEW7PPeQKy6db

    Score
    10/10
    rhadamanthysdefense_evasiondiscoveryevasionexecutionpersistencestealer

    • Modifies security service

      evasion

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Downloads MZ/PE file

    • Drops file in Drivers directory

    • Stops running service(s)

      evasionexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Indicator Removal: Clear Windows Event Logs

      Clear Windows Event Logs to hide the activity of an intrusion.

      defense_evasion

    • Legitimate hosting services abused for malware hosting/C2

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

      defense_evasion

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

      persistence

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Power Settings

1
T1653

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

1
T1562

Indicator Removal

1
T1070

Clear Windows Event Logs

1
T1070.001

Modify Registry

1
T1112

Obfuscated Files or Information

1
T1027

Command Obfuscation

1
T1027.010

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Service Stop

1
T1489

Tasks