rhadamanthys

General

Target

a83e7ec9997f8e98ae0a3e27c20430d9711215bc71591406688312f8663c7e1b.lnk
Size

1KB
Sample

241008-xhgqnaxgke
MD5

6195bc34ba803cfe39d32856f6dc9546
SHA1

7df2be096948fdc9590658a6e16a15250e5f4973
SHA256

a83e7ec9997f8e98ae0a3e27c20430d9711215bc71591406688312f8663c7e1b
SHA512

14418232686d2ce0dfc4dbc018716867ced108ba3054e6023764608772ca92af7d4be918773747b63900371cf861fb3db872e4f419f427b35c5c61e9b8d8c36b

Score

10^/10

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1h982d.bemostake.space/test.txt

Extracted

Family

rhadamanthys

C2

https://147.45.126.71:3752/20846e26ac9fe96c52/8ackhmnt.9e5wm

Targets

- Target
  
  a83e7ec9997f8e98ae0a3e27c20430d9711215bc71591406688312f8663c7e1b.lnk
- Size
  
  1KB
- MD5
  
  6195bc34ba803cfe39d32856f6dc9546
- SHA1
  
  7df2be096948fdc9590658a6e16a15250e5f4973
- SHA256
  
  a83e7ec9997f8e98ae0a3e27c20430d9711215bc71591406688312f8663c7e1b
- SHA512
  
  14418232686d2ce0dfc4dbc018716867ced108ba3054e6023764608772ca92af7d4be918773747b63900371cf861fb3db872e4f419f427b35c5c61e9b8d8c36b
Score

10^/10

execution rhadamanthys stealer
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Rhadamanthys family
  rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Blocklisted process makes network request
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Command and Scripting Interpreter: PowerShell
  Run Powershell to execute payload.
  execution
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

2

T1059

PowerShell

2

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Extracted

Targets

Rhadamanthys family

Suspicious use of NtCreateUserProcessOtherParentProcess

Blocklisted process makes network request

Downloads MZ/PE file

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Command and Scripting Interpreter: PowerShell

Command and Scripting Interpreter: PowerShell

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2