rhadamanthys | 5ff55b93a1e7df7e5f0cc6403292f078cd7b5d0e369162083d24cffa9b0ab5b7 | Triage

Submit
Reports

Overview

overview

Static

static

1

launcher_p...34.zip

windows11-21h2-x64

Sharing

General

Target

launcher_pass_1234.zip
Size

105.0MB
Sample

241009-d81rns1hlp
MD5

add38a069ae17cdf99141bddc0a0621d
SHA1

9f7455269638c489e97fc094e4b162d05739adc4
SHA256

5ff55b93a1e7df7e5f0cc6403292f078cd7b5d0e369162083d24cffa9b0ab5b7
SHA512

02054aadd0bb5b7b01d18bd39140608c7420a223886b831d64f78d7b988a7611f8a37a154ca869038b8106c39b3537a4f8886dc3786efee9f4bdc7ea1b5b05a3
SSDEEP

3145728:C6ZyPeW26Ff9B8s4IjWcLV+dpKTt8ZfgD1ru:KP5FX8bpCOpuYfgD1ru

Score

10^/10

rhadamanthys discovery evasion execution stealer themida trojan

Static task

static1

Behavioral task

behavioral1

Sample

launcher_pass_1234.zip

Resource

win11-20241007-en

rhadamanthys discovery evasion execution stealer themida trojan

windows11-21h2-x64

23 signatures

600 seconds

Malware Config

Targets

- Target
  
  launcher_pass_1234.zip
- Size
  
  105.0MB
- MD5
  
  add38a069ae17cdf99141bddc0a0621d
- SHA1
  
  9f7455269638c489e97fc094e4b162d05739adc4
- SHA256
  
  5ff55b93a1e7df7e5f0cc6403292f078cd7b5d0e369162083d24cffa9b0ab5b7
- SHA512
  
  02054aadd0bb5b7b01d18bd39140608c7420a223886b831d64f78d7b988a7611f8a37a154ca869038b8106c39b3537a4f8886dc3786efee9f4bdc7ea1b5b05a3
- SSDEEP
  
  3145728:C6ZyPeW26Ff9B8s4IjWcLV+dpKTt8ZfgD1ru:KP5FX8bpCOpuYfgD1ru
Score

10^/10

rhadamanthys discovery evasion execution stealer themida trojan
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

rhadamanthysdiscoveryevasionexecutionstealerthemidatrojan

© 2018-2024

Terms | Privacy