Overview

overview

10

Static

static

3

bootstrap.zip

windows7-x64

1

bootstrap.zip

windows10-2004-x64

3

bootstrap/...er.exe

windows7-x64

10

bootstrap/...er.exe

windows10-2004-x64

10

bootstrap/...64.dll

windows7-x64

1

bootstrap/...64.dll

windows10-2004-x64

6

bootstrap/...10.dll

windows7-x64

1

bootstrap/...10.dll

windows10-2004-x64

8

bootstrap/...11.dll

windows7-x64

1

bootstrap/...11.dll

windows10-2004-x64

8

bootstrap/...64.dll

windows7-x64

10

bootstrap/...64.dll

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    bootstrap.zip

  • Size

    2.4MB

  • Sample

    250209-1ect3stker

  • MD5

    5034fdeaadb6602397f057c0bd921976

  • SHA1

    bf440e0021484e5f97d360f17c440b370f02a72f

  • SHA256

    a18fb19c7e1e805155fdd956e00046c6e492fce5b07aa1e21b688758ff8dbb22

  • SHA512

    3c862be09552b1ce75940f329c459908aa0948f31844cb5168305271bd4ba6b18a0567d682f778520b3a29bcbd99e801dd64ef96774f604a9f6e7662c78c052a

  • SSDEEP

    49152:YLkYF7Yh7tFZi+lNbhMlUbY+EKJAUo9FylgWK9TLX9vGPzXNwHVD15w+Dhi:z6GPb/8+EKOUiFZWKFzgzdw1BVi

Score
10/10
rhadamanthysdefense_evasiondiscoverystealer

Malware Config

Targets

    • Target

      bootstrap.zip

    • Size

      2.4MB

    • MD5

      5034fdeaadb6602397f057c0bd921976

    • SHA1

      bf440e0021484e5f97d360f17c440b370f02a72f

    • SHA256

      a18fb19c7e1e805155fdd956e00046c6e492fce5b07aa1e21b688758ff8dbb22

    • SHA512

      3c862be09552b1ce75940f329c459908aa0948f31844cb5168305271bd4ba6b18a0567d682f778520b3a29bcbd99e801dd64ef96774f604a9f6e7662c78c052a

    • SSDEEP

      49152:YLkYF7Yh7tFZi+lNbhMlUbY+EKJAUo9FylgWK9TLX9vGPzXNwHVD15w+Dhi:z6GPb/8+EKOUiFZWKFzgzdw1BVi

    Score
    3/10
    discovery
    behavioral1behavioral2

    • Target

      bootstrap/bootstrapper.exe

    • Size

      633KB

    • MD5

      a3d33d33f8b10595c252ee8e61a8892c

    • SHA1

      f8bf529297b99ebdd0d6214a1a8a20bffb1bd875

    • SHA256

      fe0c0a5da033e86e09a721070bb2e1116a28160aaffd803b8e65a57ed25e62c1

    • SHA512

      5a8d8cfcb0ad0e73ce3a4ca2d23a8cb55216f97b1d4f490b3a7beee963e494e8c122fd7ec70a32eef8c1eb9b6b4e86da4cf2207beba6324d70fada7c36303bf0

    • SSDEEP

      6144:pe3DUlId51RnG/LXJKIA5ZaPLi+bWVSBKtnfuvOVYER0u+GIIIIIIIhIIIIIIIIB:M3DkId5HnWLXMJABWVbnf/Vjm5a/s

    Score
    10/10
    rhadamanthysdefense_evasionstealerdiscovery

    • Detects Rhadamanthys payload

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • Rhadamanthys family

      rhadamanthys

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Enumerates VirtualBox registry keys

      defense_evasion

    • Looks for VirtualBox Guest Additions in registry

      defense_evasion

    • Looks for VMWare services registry key.

      defense_evasion

    • Uses the VBS compiler for execution

    • Downloads MZ/PE file

    • Suspicious use of SetThreadContext

    behavioral3behavioral4

    • Target

      bootstrap/tier0_s64.dll

    • Size

      410KB

    • MD5

      328655e0f2611479a90db044ab130373

    • SHA1

      d678fd28927f05bde277bc3dc5fc51e2b4dce8b8

    • SHA256

      586a9c2a27e906a54182166ec63a02bb6a28eb4e2e7e53a799db928b76fd036d

    • SHA512

      8849dbfa9406c94b9750a6771ba391be95d8b41c53f19f446be92f4f22633975aa7d11b999e9f25b93bc682173ad6e4993486a2ec51c7475046db8daf9b1ebc2

    • SSDEEP

      6144:3gOdWrN3L9iopicrVgNSpmbY+fNo809MmbtkrFCwXNmGzZ4gs7T3D3WG8dvB4h:3gOG3LEopVqYG2809DKriGzZ4g2rWwh

    Score
    6/10
    discovery

    • Downloads MZ/PE file

    behavioral5behavioral6

    • Target

      bootstrap/vcruntime210.dll

    • Size

      32KB

    • MD5

      e662eaedcdc123e8faa800badf9eb2d8

    • SHA1

      7b5c740dac76bfe48e9b91820e8c0137a3478cb7

    • SHA256

      6b9e9771c45824f7a04dde94b30b212d616faf7d9fec03a18a4a5c1e06d6b19d

    • SHA512

      8061425b994543d74ae308431d798242898504f3183c801e9abbebf7def63f4fc4a07732b514e757f28711ff1fc9964fcf131b4834fd1af194f55dc0f863697a

    • SSDEEP

      768:+E79U1OB0sxNInu6Vc+IlnNS5jswblqkla0j1m4mOluNZwGF:+EZEOqsDIu1ffSpswxla0j1m+W

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    behavioral7behavioral8

    • Target

      bootstrap/vcruntime211.dll

    • Size

      439KB

    • MD5

      e30e4d056fb726388e190ba5cbc6ac85

    • SHA1

      46adc2f5aec2dfb5f62ccedcd8f42974f3e010e0

    • SHA256

      86789151628c866cc415e4b218b96371cb294dc49907c30be2289b74e0a46f3c

    • SHA512

      d667d715d132cd28ccc50d9dc2b960f5a57a28742af5f8de36ececfa339ac581fcf6ec93531da380e452c33bc39fa2e7beb5199af6915c47d42fa30c1a2f682c

    • SSDEEP

      12288:RwnSZEKjeR/btgR8SiE5XuQiG3vkCHb+YH:RwnS+I75r58CP

    Score
    8/10
    discovery

    • Downloads MZ/PE file

    behavioral10behavioral9

    • Target

      bootstrap/vstdlib_s64.dll

    • Size

      3.2MB

    • MD5

      2af311d5fdb8df6250ee6681edea15bb

    • SHA1

      68cea60147b29ae47fd18d97698e9bcf6f713c36

    • SHA256

      c1cd2c6fd3c17d9e67ec45436064b911f2dc81fb2c32ece5ef9878b8af35dda5

    • SHA512

      b20a08a1690dac97c456acc1cd8bfe01b3310c490abee3063a5189f45e28e0ac116f313524b9ca5003b84e2cc07c090e28a9fa9240fa3e4f03d9cf1fe00240de

    • SSDEEP

      49152:wSN5WWMbW0m7Dng+arKHXKS2n4qBJ9X1LaYztS:FV4546S2n4Q9Fh

    Score
    10/10
    rhadamanthysdefense_evasionstealerdiscovery

    • Detects Rhadamanthys payload

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++ first seen in August 2022.

      stealerrhadamanthys

    • Rhadamanthys family

      rhadamanthys

    • Enumerates VirtualBox registry keys

      defense_evasion

    • Looks for VirtualBox Guest Additions in registry

      defense_evasion

    • Downloads MZ/PE file

    • Looks for VMWare services registry key.

      defense_evasion

    • Uses the VBS compiler for execution

    • Suspicious use of SetThreadContext

    behavioral11behavioral12

MITRE ATT&CK Enterprise v15

Tasks