Overview (score 10/10)

Tasks (sample, platform, score):

Static                                      7
SoftWare(1).exe        windows7-x64        10
SoftWare(1).exe        windows10-2004-x64  10
SoftWare(2).exe        windows7-x64         8
SoftWare(2).exe        windows10-2004-x64   8
atom.dll               windows7-x64        10
atom.dll               windows10-2004-x64  10
brand.dll              windows7-x64        10
brand.dll              windows10-2004-x64  10
concrt140.dll          windows7-x64         1
concrt140.dll          windows10-2004-x64   8
encoding-c...on.dll    windows7-x64         1
encoding-c...on.dll    windows10-2004-x64   3
icudt68.dll            windows7-x64         1
icudt68.dll            windows10-2004-x64   6
icuuc68.dll            windows7-x64         1
icuuc68.dll            windows10-2004-x64   6
libcrypto-1_1-x64.dll  windows7-x64         1
libcrypto-1_1-x64.dll  windows10-2004-x64   3
libcurl.dll            windows7-x64         1
libcurl.dll            windows10-2004-x64   8
libssl-1_1-x64.dll     windows7-x64         1
libssl-1_1-x64.dll     windows10-2004-x64   1
msvcp140.dll           windows7-x64         1
msvcp140.dll           windows10-2004-x64   8
msvcp140_1.dll         windows7-x64         1
msvcp140_1.dll         windows10-2004-x64   8
msvcp140_2.dll         windows7-x64         1
msvcp140_2.dll         windows10-2004-x64   8
msvcp140_c...ds.dll    windows7-x64         1
msvcp140_c...ds.dll    windows10-2004-x64   8
root-servi...er.dll    windows7-x64        10
root-servi...er.dll    windows10-2004-x64  10

General

Target: ROBLOX Cheat.zip
Size: 14.5MB
Sample: 250210-cjg3laykgq
MD5: 9c1f4e9d860123b686a88bd39cb74752
SHA1: 8241c3749a735621c2d21b68eab8b51d9d56f795
SHA256: 7a39caf04d025428d5d9e5098fef74e22f59eee2c3686f676e235ae954b18b6d
SHA512: 4fd4e7d7ae8c255160054bff2ef551bff8887bd038cbe568f3127b89ac9efa570d75d6271ecebe1e7dac74c27e99e10b82013cd9c984bf6b42c5ef63d3ced9f3
SSDEEP: 393216:0XG3+iho0r4nMrJzrhHusNVDAyqQpYQSK4Wka8O:WtK4neJPBusNVWQpYE78O
Static task: static1

Behavioral tasks (task, sample, resource):

behavioral1   SoftWare(1).exe            win7-20241010-en
behavioral2   SoftWare(1).exe            win10v2004-20250207-en
behavioral3   SoftWare(2).exe            win7-20240729-en
behavioral4   SoftWare(2).exe            win10v2004-20250207-en
behavioral5   atom.dll                   win7-20240729-en
behavioral6   atom.dll                   win10v2004-20250207-en
behavioral7   brand.dll                  win7-20240903-en
behavioral8   brand.dll                  win10v2004-20250207-en
behavioral9   concrt140.dll              win7-20240903-en
behavioral10  concrt140.dll              win10v2004-20250207-en
behavioral11  encoding-conversion.dll    win7-20240903-en
behavioral12  encoding-conversion.dll    win10v2004-20250207-en
behavioral13  icudt68.dll                win7-20241010-en
behavioral14  icudt68.dll                win10v2004-20250207-en
behavioral15  icuuc68.dll                win7-20250207-en
behavioral16  icuuc68.dll                win10v2004-20250207-en
behavioral17  libcrypto-1_1-x64.dll      win7-20250207-en
behavioral18  libcrypto-1_1-x64.dll      win10v2004-20250207-en
behavioral19  libcurl.dll                win7-20241010-en
behavioral20  libcurl.dll                win10v2004-20250207-en
behavioral21  libssl-1_1-x64.dll         win7-20240903-en
behavioral22  libssl-1_1-x64.dll         win10v2004-20250129-en
behavioral23  msvcp140.dll               win7-20240903-en
behavioral24  msvcp140.dll               win10v2004-20250207-en
behavioral25  msvcp140_1.dll             win7-20241010-en
behavioral26  msvcp140_1.dll             win10v2004-20250207-en
behavioral27  msvcp140_2.dll             win7-20240903-en
behavioral28  msvcp140_2.dll             win10v2004-20250207-en
behavioral29  msvcp140_codecvt_ids.dll   win7-20240729-en
behavioral30  msvcp140_codecvt_ids.dll   win10v2004-20250207-en
behavioral31  root-service-provider.dll  win7-20240903-en
behavioral32  root-service-provider.dll  win10v2004-20250207-en
Malware Config

Targets

Target: SoftWare(1).exe
Size: 3.1MB
MD5: 09776d1e6b458622944c21a37127d945
SHA1: 55fe43db0038a411d1302b85cb1d8c61704bf2a4
SHA256: 6718e20d2fcaed405be6cb6784e6df72d93e5449fbab18e4d2d1dec5e2efde0a
SHA512: e530a84c2bf855f8ed7ec667f12dd738c0af4a6f63efb861432065634d4d5afb5e8369d28e1c90753efe5ed24bbf384ac5e20819efdc3b73735a31fce7e83d07
SSDEEP: 49152:SZQQYNwNfHO8dkHOL+/4n5TlqmjPEY5XlPHXc1jbIEXVQ7IiVVNSrUWTKtOd/o06:SdHSwn5eY5V2bd8b
Score: 10/10
Signatures:
- Detects Rhadamanthys payload
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Rhadamanthys family
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
Target: SoftWare(2).exe
Size: 895KB
MD5: a16e394f67d91eadb2f3b63feae0f6e6
SHA1: 37576b86112a7ba68d673483d752d92b53c3314d
SHA256: 63226615cf004ff25050875bd27eed6bcd095e9ada2c4e428496eab1fd2a5f2c
SHA512: cb9d4b5a3ed1792c0bb1e1b69894e432bcd5df6234affb56d0c80ef4dd3bf06936982f3b80d99758dac910ccd5d5144b1d3d2ff9b450d24b3a827693290e5508
SSDEEP: 12288:Mx8+cf8nEU/ofJlKeNi16QksdziFwV++cf8nEU/ofJlKeNi16QksdziFwVTJ:w8Y/ofJlPG6XQ+Y/ofJlPG6XQTJ
Signatures:
- Downloads MZ/PE file
- .NET Reactor protector
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
- Executes dropped EXE
- Loads dropped DLL
- Accesses cryptocurrency files/wallets, possible credential harvesting
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Legitimate hosting services abused for malware hosting/C2
- Obfuscated Files or Information: Command Obfuscation
  Adversaries may obfuscate content during command execution to impede detection.
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
- Suspicious use of SetThreadContext
Target: atom.dll
Size: 3.1MB
MD5: 1569785bfb346bca69521f03a8725f41
SHA1: 0197e299cce7adb9856e2f0d458c4f995898fb55
SHA256: 9a89cf1428bbba42ea97e747485eabebd0f3116e9287fd8bbe9e5e383bc91d98
SHA512: 648a98491358bd73009354f418f782179c19489be7d4383e726c965ae2f9016006144a9d40fadc8ca6ab65c3883897f5a0dfb884580ed6699f30144d5c931ff4
SSDEEP: 49152:4Z294FkBxwSfyRzgsbbAf2F1b7521Ire5AT3:4iQnAfG1P5Ze23
Score: 10/10
Signatures:
- Detects Rhadamanthys payload
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Rhadamanthys family
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
Target: brand.dll
Size: 204KB
MD5: 916d89b5d24979190fd8b5b5795230a2
SHA1: 42515c9b2aa015be9a3c8942b76bb119ff1c318a
SHA256: fd6bfe231d47a831c5e0f8a65fd264636710e30f5c611176de2b341d92f12df8
SHA512: c9a6909c6f781d974282f62824b9f2cc21bbc8c11fc03c09c40d97295ea8977c31bb11c0cf2eae2765ecd6e8a9e67b57345a20db85102339ac5b49200301077c
SSDEEP: 3072:yyN5t1veJLGufnflehMvmldBTlqlAO/bmDx3g0RDlYSkEo3z/VrTsyFqug:yyfvveJLhyMvmgv0haSe3z9rTsyF3g
Score: 10/10
Signatures:
- Detects Rhadamanthys payload
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Rhadamanthys family
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Uses the VBS compiler for execution
- Downloads MZ/PE file
- Suspicious use of SetThreadContext
Target: concrt140.dll
Size: 325KB
MD5: eb42b164d603672e07997019bb00e4ad
SHA1: 9f73f2323b167215874a7d3dd4a7f7750312f219
SHA256: dabdb0732b2fc14040cedbbfd369d9eb3c7a2e66b38a79892e1c05e6d6a8526d
SHA512: 1e74ea24bfcaa5dd1ef0654a45f96c99900dbfca406bcfb73ae3abfdad7c1d0d12e773817a9ab3fd8d1d927a85d5fa6447b3c521192dccf33957f5bea00b3cc8
SSDEEP: 6144:1ndGd0wl7XIbBx5C9YtkO2MUWghMWbGynWzgcZ6rO4i47:zCpIRC6tcG5zKiU
Score: 8/10
Signatures:
- Downloads MZ/PE file
Target: encoding-conversion.dll
Size: 28KB
MD5: b0f21ea663476cbf02a93b8de7152586
SHA1: b6253d151a6d88ecf7029e79bbe4737792dfa79d
SHA256: 249e70a3bf203692e2212ede45fdefecafaede7ab9fa6cefcf02a65f0e14cbe7
SHA512: 59fcddc5b4a87efca72a9a7c1252701c57ba65c656958d9c0a5557c3ffd049fcfeb10d6ddfeca8e33171cd269c03bb19ecbb5e7e9a25e664e1b26c81211db1c1
SSDEEP: 384:FibcYRa//wXJg3s4h+hh0cTGfZihL0cTGfZVhm:jCLOph+hhTwiNTwVhm
Score: 3/10
Target: icudt68.dll
Size: 19KB
MD5: 994a66f27812c53d3f5bd8336b4a2aa4
SHA1: e4575dd22d14cd9704d0b34d2d0ddeac54c90637
SHA256: ce1ba6d19bd4842fb54daf9d929208b3840ec98e3a135bd89008dd9312f03894
SHA512: d2ecf75afc628026e0f10cd58869cfe8b7dd85e401b544a9e5b0a3a26e5518883b3d5bd03160301b4d927f20b983b403fd514a7c7762b70ba19c9feb9258f3f7
SSDEEP: 192:tSU/lU0TBZHh0Fg2kAdGlYqufZnixMa4bbP0Fg2kAdGlYqufZnltBZHVd:VtVhh0cTGfZSMPj0cTGfZ1hX
Score: 6/10
Signatures:
- Downloads MZ/PE file
Target: icuuc68.dll
Size: 2.1MB
MD5: 95482a6a29f2d531732294b10f35a684
SHA1: 7bf324f137d085d7ff5431df0d12208f42b8217b
SHA256: 5f56fea8807d97052e8dfe3bb25baf7ad0200d7cb288a8b3e9aef4d8881367b8
SHA512: 4f6abeb8a2227ab30ae9aaa131408d1f6d737f38a1f0ef1b691cd20c40b756fdafa94bcf5413f49bb251187166574d03601e809601b487d6327c407034e98bcd
SSDEEP: 24576:LE4CsQBmuuq+7QJHOqHsEehOB1TTCbKJM9lo736S1GBAdtkjsyk3lIkkp1sTf9wY:4sQ9+qHOIBehOB4mulo736uGCrykVYlO
Score: 6/10
Signatures:
- Downloads MZ/PE file
Target: libcrypto-1_1-x64.dll
Size: 3.3MB
MD5: 5bbead1078ba0b07e0766eb2426167eb
SHA1: c3443ea0a003268c022225e9b85c6edfb2c09607
SHA256: 0cfa2871aa30c9e047a8f5266b31f548b343f15244d26be26bb2a070b5655237
SHA512: 55b98d8b57bf06ff9718a73dffb11a3c666c2ba24964b8a9b3c540d4faa22e3aa5dd284795b97375edeb845b7b83dca89bcc97d44c2f66886d5c5b56ff532902
SSDEEP: 49152:aVwASOxVIU6ix4GtlqcD+edG2uGAxq+qJhT/XtJl7Ec6YBE6yPBsosKL1CPwDv3G:0y+/rA0lBvKsosQ1CPwDv3uFh+2
Score: 3/10
Target: libcurl.dll
Size: 449KB
MD5: f17bbe4b592ef5e2e5563c90aa6e9477
SHA1: 836f12ca42b151eda66e542c8f81d965e377e7eb
SHA256: 77208031dc7fdae3fc6bd8e2dd7173b740ba8527aa37bfd1774fa16ce26f9290
SHA512: 5bbec8fe82bf7a9e719040064e1ad7940e44e81ffb5c7d9f4d320477e4a14050d632c8003a85b081d7923d90722b769c0bf0a602e191389eb1ae318b3a6da4fe
SSDEEP: 6144:EPTD6DxLdMoND2/RNMPs00bqRv/suZN/RgbyR/Z79TBtgNS:EPHWxzNi/UzfXBN5mk9TUS
Score: 8/10
Signatures:
- Downloads MZ/PE file
Target: libssl-1_1-x64.dll
Size: 687KB
MD5: 70d81d5cdf48abebc6aedae38aec704a
SHA1: 9346878ae8a259192a65a750ac033819d7326501
SHA256: 49fe8b7f1580290335970b79d772f7fe91eaaa711068be86d7500213506afcd8
SHA512: f5226795667cb6731bb3b47e8da5a1999201c0a4bbfc74652f2dabaa106702de9828f6a04d64e54742f21b2bd7564e6bd86dd9c7b12a2e2084e8c20e66a2b9dd
SSDEEP: 12288:wKaRK32Hgz6g1MI7t0pXDtfzeC83bZ0DoumKmqLh4YodAfvGw5U2lvztG:KH0MI7t8EuaO+dAfOEU2lvztG
Score: 1/10
Target: msvcp140.dll
Size: 603KB
MD5: a1d30ef2114e18e26e2bb96555be81bf
SHA1: a5e3e5a5910dd0781caf0a9f58dd7b519de8c927
SHA256: f87819ae8c6f7c90d3237a1abb9809e8cba9dcd0c80ac3f0969a5e68ef652ca4
SHA512: 5c5bdae87327b3fb724844087257a0ba0e7ad31c194ab5f632845e8f09633f63982817ca551d1735523b1a65763efa3c2ddc8789b3bf23324d7882456e3aa6f2
SSDEEP: 12288:ttc7Tg4ObbZu3JZfzeUQEKZm+jWodEEVTMj:U7Tg4+Zu3jJQEKZm+jWodEEVMj
Score: 8/10
Signatures:
- Downloads MZ/PE file
Target: msvcp140_1.dll
Size: 30KB
MD5: a0b595f95be9cce12bff7ef199f874c4
SHA1: 7fc5f91033cd83f11ce03ab2478d9b29036e6535
SHA256: b05f3dfd4e999c3e110219fb59151cbaa322757f4f3ce52b64dddc853e5c105c
SHA512: 182a0cc4227afb43228ebe5033977fcfb4c8ebb2f047d2decfab8f33453fd2262e62dd80b2b0f34cded9a8ee784d7449120a000aeb1949642bdf8cc563282b8e
SSDEEP: 384:6i/3lk2SyA04U9Kqnd5ZWcR5gW546QpBj0HRN73YxQHRN7MCMlvz:bObyl4+Kqd5DPXqW3Yx8A
Score: 8/10
Signatures:
- Downloads MZ/PE file
Target: msvcp140_2.dll
Size: 198KB
MD5: bbcf50b71928edb1c32c969d0533753c
SHA1: faca1db3873d478b17fc6791b94fae651202627a
SHA256: 7d5d180c8e41b1964835b2550191e2d9054d8f4beff898ade67b3d5dd25b5101
SHA512: e3890679d21e76a19361cc181eda9323ba31fb1211124e40fa3c9834cb0bfab6f7b3b34cf349ee4d7b3cc10e50813ae728dd01dd254eee098f3971f07679d710
SSDEEP: 3072:0m2dow+wS2vEYFBeoVM4ZaeEQDjQdA05+TiIfH+YKpHANGbaQLvaOvV:0xhbBFBnPZTL0mfiAN9Q7aOd
Score: 8/10
Signatures:
- Downloads MZ/PE file
Target: msvcp140_codecvt_ids.dll
Size: 26KB
MD5: e42f86965ceb093d95b9c93bd87b179d
SHA1: 4184b271261b3eb9c0193e5e6874b8847b18dc22
SHA256: 1e56cee876940affe9883aeccee9132280d03fd4282ab6552adf75fbeeed2bac
SHA512: 6b355d468fd8214cf50cef7d30a9098c812b60f0215726da937361e0cf2d2b8362ae5bc2b88c5e8dd48298c13b1be1a52d7f68d075c2a8d9c93480354b0e8420
SSDEEP: 384:OTDpEPOCAbHWi/EWz46QpBj0HRN7bX8QHRN7ep1x09lT9D:qNEFa1XqWbX88epQD
Score: 8/10
Signatures:
- Downloads MZ/PE file
Target: root-service-provider.dll
Size: 590KB
MD5: d991901b3fb8228b3637e4483cc36260
SHA1: 57e769738c10ca5aa43de3fa20883fc49acb9922
SHA256: e06e2da83d8506522be3f269941408373c70d10a1cc6072a9110db9615ebb176
SHA512: c9fafe1133fde3e4fc36e70b97ea152bf8728f6a1f1022be5f1f98ccb550c98e272f3510b7c18f6168119a9c45b1ce79920ae5d93261eb765f162dd483cae232
SSDEEP: 6144:DLfoRIJ9O2qXPKTG1KyK63fGMEfJ8MHPxpFjYU8a4Z/u/lWbTO+FIIZoMhNdLkLe:gmMEfJ8MHPxpFR8a4Ru/lWbTZF/ZoDNY
Score: 10/10
Signatures:
- Detects Rhadamanthys payload
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Rhadamanthys family
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Uses the VBS compiler for execution
- Downloads MZ/PE file
- Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15

Execution
- Command and Scripting Interpreter (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (3)
  - Credentials In Files (3)