General

  • Target

    5f58e87fee021cbaa9ecfae2d5f8709bd0934b2d2d2779a8f24993425fb20350.exe

  • Size

    1.6MB

  • Sample

    241121-pyl2ba1hkh

  • MD5

    fa000351e26e17543f67e3dedc97d37e

  • SHA1

    c59fc4f489ac15d5a1d455abbf0c3c5ad6fcc189

  • SHA256

    5f58e87fee021cbaa9ecfae2d5f8709bd0934b2d2d2779a8f24993425fb20350

  • SHA512

    1bf517f2b0d3c156c2850f161f4bedf735361a8951d807b05eeaa711a0720031e545d5dd56f46337f059ef18bea1523ec1f5a5b96e83d6380eb74e6526bd0025

  • SSDEEP

    49152:cpUlRhQMnbfKk8QkwCRYhtkp0d0X1zJ5w+ufya5h:cpUlYEfKk8DTROk6dK1l5wF

Malware Config

Extracted

Family

rhadamanthys

C2

https://51.75.171.9:5151/9640d96bbead45f349f3ab9/nvkjh5gq.0x2e8

Targets

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

    • Rhadamanthys family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up the country code configured in the registry; likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks