General

  • Target

    5089ec3c865e6c490ee27dff0b7dbe81ff882fbbeebf280c213ed9914ade6848.lnk

  • Size

    1KB

  • Sample

    241008-xhgqnatfrp

  • MD5

    ae44dfe179f7ab8400c90b2d208ff313

  • SHA1

    7f87bfe1edeccd7a01ff20519e92ba54e7d8e4a8

  • SHA256

    5089ec3c865e6c490ee27dff0b7dbe81ff882fbbeebf280c213ed9914ade6848

  • SHA512

    5b451ef8b7043300bd9809285f8f283f2bda096d06f80560e48c89e5992981f0b5de20ed8a3fcdf3e8ff5e4be5672791a713e68a39571d25683db02f5720922a

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated

  • URLs (ps1.dropper)

    https://1h982d.bemostake.space/test.txt

Targets

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Blocklisted process makes network request

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Deletes itself

    • Executes dropped EXE

    • Loads dropped DLL

    • Command and Scripting Interpreter: PowerShell

      Uses a powershell.exe command.

MITRE ATT&CK Enterprise v15

Tasks