rhadamanthys | a0295663c005e7515aa5d3ef0af36efbe4fd1dce9fb31609037c4eb0ab68a014 | Triage

Submit
Reports

Overview

overview

Static

static

1

RG Launcher.exe

windows10-ltsc 2021-x64

RG Launcher.exe

windows11-21h2-x64

Sharing

General

Target

RG Launcher.exe
Size

175.7MB
Sample

241114-zwnr8ssnhz
MD5

cb3ce412a9c4cb7f0cf20344fdb2f46e
SHA1

bed9b9bedfe2f7d328b66fd9c5914ad8fa0f69a2
SHA256

a0295663c005e7515aa5d3ef0af36efbe4fd1dce9fb31609037c4eb0ab68a014
SHA512

5b92e1c448ab2f6b46c04d496207bbc843cb223db341ca493469907dc96206e02e9db95356fac6d75833c018d876417481c429b2def5dc9be54eec9cce288c26
SSDEEP

786432:0C6zTLvV+8ym5CqWpQshx4i9vnrX5hf9RMFJKaRODgJZhybxJXZdZdDIll3S+GE3:0fTB/P4Dzr9v/1iFIRDgtmxJp1O3h

Score

10^/10

rhadamanthys discovery stealer

Static task

static1

Behavioral task

behavioral1

Sample

RG Launcher.exe

Resource

win10ltsc2021-20241023-en

rhadamanthys discovery stealer

windows10-ltsc 2021-x64

13 signatures

150 seconds

Behavioral task

behavioral2

Sample

RG Launcher.exe

Resource

win11-20241007-en

rhadamanthys discovery stealer

windows11-21h2-x64

12 signatures

150 seconds

Malware Config

Extracted

Family

rhadamanthys

C2

https://147.45.70.184:1525/f6e80fbec866c8b43/AVS

Targets

- Target
  
  RG Launcher.exe
- Size
  
  175.7MB
- MD5
  
  cb3ce412a9c4cb7f0cf20344fdb2f46e
- SHA1
  
  bed9b9bedfe2f7d328b66fd9c5914ad8fa0f69a2
- SHA256
  
  a0295663c005e7515aa5d3ef0af36efbe4fd1dce9fb31609037c4eb0ab68a014
- SHA512
  
  5b92e1c448ab2f6b46c04d496207bbc843cb223db341ca493469907dc96206e02e9db95356fac6d75833c018d876417481c429b2def5dc9be54eec9cce288c26
- SSDEEP
  
  786432:0C6zTLvV+8ym5CqWpQshx4i9vnrX5hf9RMFJKaRODgJZhybxJXZdZdDIll3S+GE3:0fTB/P4Dzr9v/1iFIRDgtmxJp1O3h
Score

10^/10

rhadamanthys discovery stealer
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Rhadamanthys family
  rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

rhadamanthysdiscoverystealer

behavioral2

rhadamanthysdiscoverystealer

© 2018-2024

Terms | Privacy