rhadamanthys

General

Target

JaffaCakes118_e3fd476c456d416be8a553a87b195b94a74275b7e6ef055709f489dba330520b
Size

667.6MB
Sample

241222-dvfvca1nhv
MD5

704dad032c247ce0ddb037c27ac358c5
SHA1

d2af314d8693db03c2ec0b3cc66ebda55ccf80d2
SHA256

e3fd476c456d416be8a553a87b195b94a74275b7e6ef055709f489dba330520b
SHA512

5a9800431b3bf059c1fbc7d62d05e805f53875c7b63017f1f839497bcff4134b25c39a3649dcddaeb276eadadf27eda0254503b8438d0ddd98cd56dc4920714a
SSDEEP

196608:ceO6VjdBPBa7IwDaLIYSRSMHDeNhFw4F0sT2cQimkTGgQGh7CaLtuU3:cdQdBPBOIw+cYZMcTWw2iTlQG5Caw

Score

10^/10

Malware Config

Extracted

Family

rhadamanthys

C2

https://5.42.65.27:4811/503b2b901476e7a26b7/ol44lvqn.34hvk

Targets

- Target
  
  JaffaCakes118_e3fd476c456d416be8a553a87b195b94a74275b7e6ef055709f489dba330520b
- Size
  
  667.6MB
- MD5
  
  704dad032c247ce0ddb037c27ac358c5
- SHA1
  
  d2af314d8693db03c2ec0b3cc66ebda55ccf80d2
- SHA256
  
  e3fd476c456d416be8a553a87b195b94a74275b7e6ef055709f489dba330520b
- SHA512
  
  5a9800431b3bf059c1fbc7d62d05e805f53875c7b63017f1f839497bcff4134b25c39a3649dcddaeb276eadadf27eda0254503b8438d0ddd98cd56dc4920714a
- SSDEEP
  
  196608:ceO6VjdBPBa7IwDaLIYSRSMHDeNhFw4F0sT2cQimkTGgQGh7CaLtuU3:cdQdBPBOIw+cYZMcTWw2iTlQG5Caw
Score

10^/10

discovery evasion execution persistence rhadamanthys xmrig miner stealer
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Rhadamanthys family
  rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xmrig family
  xmrig
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- XMRig Miner payload
  miner
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Creates new service(s)
  persistence execution
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Loads dropped DLL
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  ⌚/fdsiojfoidfijo.exe
- Size
  
  667.6MB
- MD5
  
  6275b270b90311b7584df37d6034a570
- SHA1
  
  3d3b2733f95312f9d218bbc5a618821e3d041c17
- SHA256
  
  57a3353ec82917d2d8bd7eb5215b6768c116cba867050be876268438834caab2
- SHA512
  
  a6cfb5824a4c5a4db1ad9a8213fc3130fc01a3b4359b1223f7b49be0077e960f3eb882199d10dd937cb2412a0613c79617f231de66ce1633f1f76d6c94bcd075
- SSDEEP
  
  196608:hdlHKHWSIVYpWKZamMjwSGNqnSigvf/tsvn7UE4GLRpH:UHWSIVQWKewSG6SiXf4Gr
Score

1^/10
behavioral3 behavioral4
- Target
  
  ⌚/hsdfhsdfhdfh.exe
- Size
  
  1.8MB
- MD5
  
  6f92710c9fb6ffaea0f8f729d3701ce8
- SHA1
  
  b5f4f0f3ce2c00610fd94af992ff8fb6b7011573
- SHA256
  
  14ecf989525a7199df79213a3d057c4478233af54ff99493a80c56324de3495a
- SHA512
  
  97db038d2fe744789a2fb7b3ebc58a25b76aeab0785f33a3aeb00db37442beda69db69308607617f04969606bffa390e6504bfebf4163d5080a79f04e9baf9fd
- SSDEEP
  
  49152:ofkr+4axlGPqUgu/MAM84PDjoOUUFxOg1gQ2:SxISFgOU0X2
Score

1^/10
behavioral5 behavioral6