rhadamanthys

General

Target

JaffaCakes118_e0745056c058f048f62d5a4793f01d333b6424787d9b749554bd8ef0c601b2e3
Size

803.3MB
Sample

241224-rrbccazlam
MD5

b3eeca164c17ac49a4331b958581a027
SHA1

203546af9583d10bbcabaeb6a920b34fc9b6c403
SHA256

e0745056c058f048f62d5a4793f01d333b6424787d9b749554bd8ef0c601b2e3
SHA512

643e76ca3ecebe59f5093a64e35f486a7b0fba41d21dacc551276724d4f2ce1bf589add02d6c87428672b9f78a5342bb4063e928eae18f8e872bcafe1a9a7a9a
SSDEEP

196608:cXhlI9IqtZdoOzESU2oxIqtU6u5rP8g4fVd1HDqEvwtG8KZmX2R:ou9Iq2gGxFtU6tgUVrHuEVtZG2

Score

10^/10

Malware Config

Extracted

Family

rhadamanthys

C2

https://82.115.223.156:4924/d3a57c7e95391394/necb5kh1.3b9m5

Targets

- Target
  
  JaffaCakes118_e0745056c058f048f62d5a4793f01d333b6424787d9b749554bd8ef0c601b2e3
- Size
  
  803.3MB
- MD5
  
  b3eeca164c17ac49a4331b958581a027
- SHA1
  
  203546af9583d10bbcabaeb6a920b34fc9b6c403
- SHA256
  
  e0745056c058f048f62d5a4793f01d333b6424787d9b749554bd8ef0c601b2e3
- SHA512
  
  643e76ca3ecebe59f5093a64e35f486a7b0fba41d21dacc551276724d4f2ce1bf589add02d6c87428672b9f78a5342bb4063e928eae18f8e872bcafe1a9a7a9a
- SSDEEP
  
  196608:cXhlI9IqtZdoOzESU2oxIqtU6u5rP8g4fVd1HDqEvwtG8KZmX2R:ou9Iq2gGxFtU6tgUVrHuEVtZG2
Score

10^/10

rhadamanthys xmrig discovery evasion execution miner persistence stealer themida trojan
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Rhadamanthys family
  rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Xmrig family
  xmrig
- xmrig
  XMRig is a high performance, open source, cross platform CPU/GPU miner.
  miner xmrig
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- XMRig Miner payload
  miner
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Creates new service(s)
  persistence execution
- Stops running service(s)
  evasion execution
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Executes dropped EXE
- Loads dropped DLL
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Checks whether UAC is enabled
  evasion trojan
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Drops file in System32 directory
- Enumerates processes with tasklist
  discovery
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2
- Target
  
  #/AnalysesTolerance.exe
- Size
  
  615KB
- MD5
  
  6b0122cc3033b1258c4bc565c73fc7e2
- SHA1
  
  f9a25511ba54fed2042c589a036cda085acfeb20
- SHA256
  
  df15ba268f71ac5f302270f9d27983d8b2879a3e67bccf7567d5b99019107654
- SHA512
  
  ce1b3cc75e300bc0c99a4f9a742fd9700bdbd22539ccf3b67b0d4f24f77b145172fdfa19bf9fbef286067c3c45e6ee0c018de29ed4c68bf0daac3ef2055d0872
- SSDEEP
  
  12288:QIjqJwukZkvE7S4mUzKri5b2YS1xu+JVAL0IcoY5S+n7Hvl:17NkvBwKr02YcxNJVYY5rn7Pl
Score

1^/10
behavioral3 behavioral4
- Target
  
  #/Zerus.exe
- Size
  
  805.6MB
- MD5
  
  5ae9dd65a83740789a41006eb1552b59
- SHA1
  
  537ac421d0abc0d2582ed8c1b97b7283702d693b
- SHA256
  
  fa37d8e3ccdcfc1ab0b85536a509bc388181cf86923635ad8c52125878646bcc
- SHA512
  
  a6a6380cef7e0da0846ab668ec40ed13db9354bd9196abb64a0dbf0448579a36d4aba7e5f18a8968a74eb01123b440e043d683d14b415a90079d6a179e8709ae
- SSDEEP
  
  196608:CPa8GEvd/s9jv4PrFB7PXXpYAcBXW8VNHY1QVmETwm7ePM:9QPPxBZYAiZVN62mGZePM
Score

1^/10
behavioral5 behavioral6