General
-
Target
Xteam30.hta
-
Size
22KB
-
Sample
241101-yrywzasqds
-
MD5
e4d9fac46b74d05a7110d922393c53b5
-
SHA1
58e4466d4db0e9dbeeba589e785c095da4be28b7
-
SHA256
1965c93b0ffdb18abb184528e4f9b90a43586cfa8c08a7f5f5bcd8ad8f90a302
-
SHA512
2859aa9dcce959e03ca99731ec74a04cc439fa9494a208677e1e471c702369ef72151f8d11dbc25c4001b9dc0d7b956c6526d324ea0c1336cdf6505e347cff54
-
SSDEEP
384:AewZKDUSPiVrmsDe8OCuCLfiOEUgPge2uwb7Gw7D+fFU0:fwuKNACtfiOEUgPge2uwb7GoD+e0
Malware Config
Extracted
rhadamanthys
https://51.75.171.9:5151/9640d96bbead45f349f3ab9/Xteam30.api
Targets
-
-
Target
Xteam30.hta
-
Size
22KB
-
MD5
e4d9fac46b74d05a7110d922393c53b5
-
SHA1
58e4466d4db0e9dbeeba589e785c095da4be28b7
-
SHA256
1965c93b0ffdb18abb184528e4f9b90a43586cfa8c08a7f5f5bcd8ad8f90a302
-
SHA512
2859aa9dcce959e03ca99731ec74a04cc439fa9494a208677e1e471c702369ef72151f8d11dbc25c4001b9dc0d7b956c6526d324ea0c1336cdf6505e347cff54
-
SSDEEP
384:AewZKDUSPiVrmsDe8OCuCLfiOEUgPge2uwb7Gw7D+fFU0:fwuKNACtfiOEUgPge2uwb7GoD+e0
Score10/10-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Rhadamanthys family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Blocklisted process makes network request
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Adds Run key to start application
-
Command and Scripting Interpreter: PowerShell
Start PowerShell.
-
Suspicious use of SetThreadContext
-