Overview (score 10)
Static (score 3)
Task tabs as shown on the page (labels are truncated there; the order matches the behavioral task list below). Columns: label, platform, score.
bootstrapp...er.exe  windows7-x64        7
bootstrapp...er.exe  windows10-2004-x64  10
bootstrapp...m.html  windows7-x64        3
bootstrapp...m.html  windows10-2004-x64  8
bootstrapp...47.dll  windows10-2004-x64  8
bootstrapp...eg.dll  windows7-x64        7
bootstrapp...eg.dll  windows10-2004-x64  10
bootstrapp...GL.dll  windows7-x64        1
bootstrapp...GL.dll  windows10-2004-x64  8
bootstrapp...v2.dll  windows7-x64        1
bootstrapp...v2.dll  windows10-2004-x64  8
bootstrapp...ip.dll  windows7-x64        7
bootstrapp...ip.dll  windows10-2004-x64  8
bootstrapp...32.dll  windows7-x64        3
bootstrapp...32.dll  windows10-2004-x64  8
bootstrapp...7z.dll  windows7-x64        1
bootstrapp...7z.dll  windows10-2004-x64  1
bootstrapp...7z.exe  windows7-x64        3
bootstrapp...7z.exe  windows10-2004-x64  8
bootstrapp...on.exe  windows7-x64        3
bootstrapp...on.exe  windows10-2004-x64  8
bootstrapp...dex.js  windows7-x64        3
bootstrapp...dex.js  windows10-2004-x64  3
bootstrapp...GL.dll  windows7-x64        1
bootstrapp...GL.dll  windows10-2004-x64  8
bootstrapp...v2.dll  windows7-x64        1
bootstrapp...v2.dll  windows10-2004-x64  8
bootstrapp...11.dll  windows7-x64        1
bootstrapp...11.dll  windows10-2004-x64  1
bootstrapp...er.dll  windows7-x64        1
bootstrapp...er.dll  windows10-2004-x64  8
bootstrapp...-1.dll  windows7-x64        1
General
Target: -btStrapper-.zip
Size: 112.7MB
Sample: 250210-zfe56axlf1
MD5: 83eca0d623c3e29a3b43fb1f2817df4f
SHA1: 5c7cc3f8fc04f2bab635d33b9a7eea461cb00587
SHA256: 536e8b1207df3afebfae5d4d9f19e33948c04967c322ae1c02fae00bc3695346
SHA512: 2704c0f55ba55a04016ac59d9441ebced889e078245f68108e1a0ad98b624a9224b76ff8fc626b22c09302a3fe2147af7f845a8560bb9ac87cb412aa0dc954c3
SSDEEP: 1572864:f8mOnpSsJe8FMY/eGQl2zJYFdCG/zGSQkild9TE4kaWeQi3kR+pYb+KqDlH:f8LHLFaGUaqyXV44kaWi3kRPjqt
Static task: static1
Behavioral tasks (task, sample, resource):
behavioral1   bootstrapper/Bootstrapper.exe  win7-20241010-en
behavioral2   bootstrapper/Bootstrapper.exe  win10v2004-20250207-en
behavioral3   bootstrapper/LICENSES.chromium.html  win7-20240729-en
behavioral4   bootstrapper/LICENSES.chromium.html  win10v2004-20250207-en
behavioral5   bootstrapper/d3dcompiler_47.dll  win10v2004-20250207-en
behavioral6   bootstrapper/ffmpeg.dll  win7-20240903-en
behavioral7   bootstrapper/ffmpeg.dll  win10v2004-20250207-en
behavioral8   bootstrapper/libEGL.dll  win7-20241010-en
behavioral9   bootstrapper/libEGL.dll  win10v2004-20250207-en
behavioral10  bootstrapper/libGLESv2.dll  win7-20240729-en
behavioral11  bootstrapper/libGLESv2.dll  win10v2004-20250207-en
behavioral12  bootstrapper/resources/app.asar.unpacked/node_modules/7zip/7zip-lite/7-zip.dll  win7-20240903-en
behavioral13  bootstrapper/resources/app.asar.unpacked/node_modules/7zip/7zip-lite/7-zip.dll  win10v2004-20250207-en
behavioral14  bootstrapper/resources/app.asar.unpacked/node_modules/7zip/7zip-lite/7-zip32.dll  win7-20240903-en
behavioral15  bootstrapper/resources/app.asar.unpacked/node_modules/7zip/7zip-lite/7-zip32.dll  win10v2004-20250207-en
behavioral16  bootstrapper/resources/app.asar.unpacked/node_modules/7zip/7zip-lite/7z.dll  win7-20241010-en
behavioral17  bootstrapper/resources/app.asar.unpacked/node_modules/7zip/7zip-lite/7z.dll  win10v2004-20250129-en
behavioral18  bootstrapper/resources/app.asar.unpacked/node_modules/7zip/7zip-lite/7z.exe  win7-20240729-en
behavioral19  bootstrapper/resources/app.asar.unpacked/node_modules/7zip/7zip-lite/7z.exe  win10v2004-20250207-en
behavioral20  bootstrapper/resources/app.asar.unpacked/node_modules/7zip/7zip-lite/7zCon.exe  win7-20240903-en
behavioral21  bootstrapper/resources/app.asar.unpacked/node_modules/7zip/7zip-lite/7zCon.exe  win10v2004-20250207-en
behavioral22  bootstrapper/resources/app.asar.unpacked/node_modules/7zip/index.js  win7-20240729-en
behavioral23  bootstrapper/resources/app.asar.unpacked/node_modules/7zip/index.js  win10v2004-20250129-en
behavioral24  bootstrapper/swiftshader/libEGL.dll  win7-20240903-en
behavioral25  bootstrapper/swiftshader/libEGL.dll  win10v2004-20250207-en
behavioral26  bootstrapper/swiftshader/libGLESv2.dll  win7-20241010-en
behavioral27  bootstrapper/swiftshader/libGLESv2.dll  win10v2004-20250207-en
behavioral28  bootstrapper/vcruntime211.dll  win7-20240903-en
behavioral29  bootstrapper/vcruntime211.dll  win10v2004-20250129-en
behavioral30  bootstrapper/vk_swiftshader.dll  win7-20240729-en
behavioral31  bootstrapper/vk_swiftshader.dll  win10v2004-20250207-en
behavioral32  bootstrapper/vulkan-1.dll  win7-20241010-en
Malware Config
Targets
Target: bootstrapper/Bootstrapper.exe
Size: 117.7MB
MD5: e7e6cc81288e3b35d2efb5f6846c1ec8
SHA1: c73545e645192d8171be823385ac345ea96fc0b1
SHA256: a501e15cc6ca645b0c690d07cb83ddea73daa3660ddb82ceb8ee20517deabf79
SHA512: d39514f656d1ca8a52d8599a8bb1f776f2cf0eb220782c1f8b7a526ba1f3e26d959096fefb867012df8f401d13b330be8fb69f43fb04c42bd764a936ec1d330a
SSDEEP: 1572864:/idzDXWP7g6zRByS9LnLgZNcRLYaxgC5gbu:imTCW/LYaxBgq
Signatures:
- Detects Rhadamanthys payload
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Rhadamanthys family
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Downloads MZ/PE file
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE
- Uses the VBS compiler for execution
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
Target: bootstrapper/LICENSES.chromium.html
Size: 4.4MB
MD5: ceadeb2ef45d9689c77dbd491343df4a
SHA1: 285147815c0c173ab965a3aefa2738d87fe02113
SHA256: 7c40e8639f24a7f2a509cb4782f79848c9af1dc985f17a09a6d2b8de3518271d
SHA512: 99475ae5e9d41081efc4aa8b710ce31be5c0960507ad9ffff90bde8bf2d38f46e34a1db7a17369a618199598292bccd0a2b590f7282bbcf886151f2354fd7a50
SSDEEP: 24576:cwEBqmnLiLRK2BrArXKzCXkUZZAwi7Qx7uj:1cqmLAZNe6Whxe
Score: 8/10
Signatures:
- Downloads MZ/PE file
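The "Downloads MZ/PE file" signature reported here, and on most other targets in this bundle, keys on the bytes of the downloaded body rather than on its file name or Content-Type. The block below is an added example of that structural check, not the sandbox vendor's code: DOS 'MZ' magic, the e_lfanew pointer at offset 0x3C, the 'PE\0\0' signature, then the COFF header to tell a DLL from an EXE and report the target architecture. The HTTP responses and header-only PE images it scans are constructed fixtures, and `build_min_pe`, `split_http_response` and `scan_response` are names chosen for this example.

```python
"""Structural check for a Windows PE image inside a downloaded HTTP body, the
kind of test behind a "Downloads MZ/PE file" sandbox signature. Added example,
not the sandbox vendor's code; responses and PE headers below are constructed."""
import struct

IMAGE_FILE_DLL = 0x2000          # Characteristics flag: image is a DLL
MACHINE = {0x14C: "x86", 0x8664: "x64", 0x1C0: "arm", 0xAA64: "arm64"}
# Content-Types under which a PE download is at least honestly labelled.
PE_CONTENT_TYPES = ("application/x-msdownload", "application/octet-stream",
                    "application/vnd.microsoft.portable-executable")


def classify_pe(data):
    """Return {"machine", "dll", "sections"} for a PE image, or None.
    Checks 'MZ' at 0, e_lfanew at 0x3C, 'PE\\0\\0' there, then the 20-byte COFF
    header. A body truncated before the COFF header (partial download) yields
    None instead of an exception so a scanner can keep going."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    #       NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsec, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    return {"machine": MACHINE.get(machine, hex(machine)),
            "dll": bool(chars & IMAGE_FILE_DLL), "sections": nsec}


def split_http_response(raw):
    """(status_line, {lower-case header: value}, body) from a raw HTTP/1.x response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body


def scan_response(raw):
    """Flag a response carrying a PE image, whatever the server says it is.
    Returns None for non-PE bodies; otherwise the PE facts plus whether the
    Content-Type disagrees with the bytes (a common downloader trick)."""
    _, headers, body = split_http_response(raw)
    pe = classify_pe(body)
    if pe is None:
        return None
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    return {**pe, "content_type": ctype, "mismatch": ctype not in PE_CONTENT_TYPES}


def build_min_pe(dll, machine=0x8664):
    """Header-only PE fixture (DOS stub + signature + COFF); not a loadable binary."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    chars = 0x0002 | (IMAGE_FILE_DLL if dll else 0)      # IMAGE_FILE_EXECUTABLE_IMAGE
    coff = struct.pack("<HHIIIHH", machine, 2, 0, 0, 0, 0xF0, chars)
    return dos + b"PE\0\0" + coff


# Constructed responses: a DLL served as text/html, an honestly labelled x86 EXE,
# plain HTML that merely mentions "MZ", and a DLL cut off in the middle of its header.
SAMPLE_RESPONSES = {
    "disguised_dll": b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n" + build_min_pe(dll=True),
    "honest_exe": b"HTTP/1.1 200 OK\r\nContent-Type: application/x-msdownload\r\n\r\n" + build_min_pe(dll=False, machine=0x14C),
    "html": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>MZ appears in text too</html>",
    "truncated": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + build_min_pe(dll=True)[:0x70],
}

if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        print(f"{name:14s} -> {scan_response(raw)}")
```

The `mismatch` flag only records that the server's label disagrees with the bytes; the signature itself fires on the PE structure alone, so an honestly labelled application/x-msdownload response still counts as a PE download. Bounds checks on e_lfanew matter in practice because a partial or deliberately malformed body must not crash the scanner that is supposed to report it.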
Target: bootstrapper/d3dcompiler_47.dll
Size: 4.3MB
MD5: 7641e39b7da4077084d2afe7c31032e0
SHA1: 2256644f69435ff2fee76deb04d918083960d1eb
SHA256: 44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47
SHA512: 8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5
SSDEEP: 49152:aYlc/220PPiMLKam+VMrLi21f4i3jn5ZO3XUDmOZQwVd2uQpN3WsGVUWd55i/jrs:a6KD2Mrdaix4NQnLt
Score: 8/10
Signatures:
- Downloads MZ/PE file
Target: bootstrapper/ffmpeg.dll
Size: 3.8MB
MD5: bf759c99c1f327c821fcf193239bed34
SHA1: e541b6baaa86f9eec7eb296985d367f1d61ff13a
SHA256: 183cd7011c36648ee6dffda0e4bb8042d5ad5db69c1c69a016dcd6412be3e8fb
SHA512: f061920dc2ff2c17dfc023e90c88dca45fe76bfdba6d3bea5a7406dd4ee7ba84b9b1ce4c13afc8e344b4f0cfcab62ad5e9980d07f95769a97d169900fbf56650
SSDEEP: 49152:sn/DoMHCR/shZ6NecOjg7J8hoREUq3mdNJHKikD+o+1HuhoH5HDDEDMZAYXRfGeo:SCDouex
Score: 10/10
Signatures:
- Detects Rhadamanthys payload
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
- Rhadamanthys family
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Downloads MZ/PE file
- Uses the VBS compiler for execution
- Suspicious use of SetThreadContext
Target: bootstrapper/libEGL.dll
Size: 428KB
MD5: d9708d4ed31a54a670cec0299bcf4711
SHA1: 23fe87a0b975ab642f61f9c8cb7a446028718418
SHA256: f3376b515a8e9d258c578c77d7b0b438db9ebae5f3a9e4738d26d216033ed9a5
SHA512: 3daebac8c00ceba8a197a4e0ff0aaa14bf166f1a2f7f96abf8e71915b82d2cf73ff6bfce2e3eac6dd3eea1bfa32625dec12e65a104664d15dab4246b134589f5
SSDEEP: 6144:mY9Lb+XOh+hzKL+ptr9kDMp6pd4JIXOiV:mILb+XOhGKLq4d4JIX5
Score: 8/10
Signatures:
- Downloads MZ/PE file
Target: bootstrapper/libGLESv2.dll
Size: 9.2MB
MD5: ee4da0f38de586e1634ac42fe0ef84ea
SHA1: f80c3b1b9f43d88f3bdf3b1061939de1478df82b
SHA256: ead770305e7a25c88eb2809e901d40ce876d7cd8003f47a79bbd760e2c070896
SHA512: 9791151a9c2494cbd6b1bb89f7c61904170f362db352b8d6a0f1533997805ce6db87cd4fe40ee571642822ea91446ee9e03c58c611b1f853e5de9811d100d0c3
SSDEEP: 98304:U4lfzYMbCZTXEalBkICxa8WGyWhk0P93Z:U4lfzYMWflBkI6a8WKy09Z
Score: 8/10
Signatures:
- Downloads MZ/PE file
Target: bootstrapper/resources/app.asar.unpacked/node_modules/7zip/7zip-lite/7-zip.dll
Size: 75KB
MD5: be4da8dc077889cd31deee3016c568cb
SHA1: b91e1ed8ecc28302c936adbb82ad600790e70352
SHA256: 8d99a3fed7dd3b124a90330d33bffdf6f3ead4902dbd5fc9730d9bcc272641bf
SHA512: afd0841db04a3c2d07bc1b5a4c30fcf4124fcb054a4c4eb27e20f9d85c5eafc702579a445a614f0080438054b098ce1ef0fe141219a9aa6ba824d6c2fc5c5563
SSD EEP: 1536:4IQsNOa3MZJQ+qBMrIVKpDx9B+aDdZKVNv4oJc1tP6CEFSVHaQZcDNhr9:43sVa2+qBmIV019caDdZKVNv4oJc1tPg
Score: 8/10
Signatures:
- Downloads MZ/PE file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Target: bootstrapper/resources/app.asar.unpacked/node_modules/7zip/7zip-lite/7-zip32.dll
Size: 48KB
MD5: 8b34de1a912240987b891033c947516c
SHA1: 24fa9ef555c4e94594c69612cf09ec53877fba7a
SHA256: 75751a7989634f494504eea374f22aaad904f3f43d256f0fa623ec26c982ab32
SHA512: b8556ff9f314ccff0161295f06d2770e51ae64b88eaeb556d9d3ae73458d16a81118dc73729b7d4ad3dc89f6137561850a5c19aa71f824b16e929baf3b52ef3b
SSDEEP: 768:Umzdqy2TuoqlIjOKQ2LZZHNt7PJTt1ETAnb4gmwH5hHcef4jWgrT0v82lmQ3hZK7:FYTTEqOMNt7BTXETG4nwHQegjWg3J2li
Score: 8/10
Signatures:
- Downloads MZ/PE file
Target: bootstrapper/resources/app.asar.unpacked/node_modules/7zip/7zip-lite/7z.dll
Size: 1.5MB
MD5: a569fef45f7a1ce267f4066f1cf429c4
SHA1: 9f5b5b1f8e76a80033a3b31a7c56cd451662cf4a
SHA256: 5f654cbc268aa7b8d73d3c1d85bc605cda2512e4138418b45bd8815548d27603
SHA512: e4d2841cb0b4f7d8489cdc9e4262b1530ef4e29c19c34cf1742744eb9cf20b4388e0c281fc4682ad860e48b71bd14bd73ea2138e0336578e06dd582e832d7aea
SSDEEP: 24576:o4czkDedfng0j/klF1RzkA3OV8uAsZaOKd7R98:okDedPJQQ+Rh9H
Score: 1/10
Target: bootstrapper/resources/app.asar.unpacked/node_modules/7zip/7zip-lite/7z.sfx
Size: 186KB
MD5: 9b6b0267ab36f41cc365ca44c9724f19
SHA1: f37e7955e7cef06caad33200d60a6d51b146970e
SHA256: 3d617c97da6d94612ae029fbc54da6a9462ddd67953e7b55f5ef1a00aa2bf805
SHA512: b58ad76f30c5acececc64ea9d540111e2ba794601c484d04354b641ad44bf4a904ff241647ba94a503731909a23b47fc94dbf7fb819d05e1344d083319dbae1a
SSDEEP: 3072:RTcZSOqHDiAnbznlP6U3VNURjUDsXKYy/WE51/nsAAAAAEuIGZfWV+s669Ir:NPdpyAmRj2AKYyxNZf6B9I
Signatures:
- Boot or Logon Autostart Execution: Active Setup
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Downloads MZ/PE file
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in System32 directory
Target: bootstrapper/resources/app.asar.unpacked/node_modules/7zip/7zip-lite/7zCon.sfx
Size: 167KB
MD5: fe9c477ec486bcbecddd7e704b72c74c
SHA1: 7d71a6ff47f318b00d2e6d98708d1d1baa0a0428
SHA256: 4984e805b6343c49de08cc97165f82a2b6bf736836aa10ff361ac90a63ff9ac0
SHA512: 0b293da939872ad06ec7f84cd5b3e130bf81f7757d659ae7b658db5fcacf272c01d68f2a4b004d224e014d106f733c817bb5f5dd02322297f8fe45ca1ab59c96
SSDEEP: 3072:vypJsiAVpATAaY7OwkVmPA1DCKAAAAAEue1bBAGwuRg1/:m4AnRwkVJbBAluRg1
Score: 8/10
Signatures:
- Downloads MZ/PE file
Target: bootstrapper/resources/app.asar.unpacked/node_modules/7zip/index.js
Size: 274B
MD5: edd004819fd363e726d39591b3425c38
SHA1: 06216d8cab48a35cafe789812e6b699424803945
SHA256: 81a40ac12a0bfa2fd9e7ddcd67152482d172430b3711f1d25b00c66ecad53435
SHA512: d7bb577f9113d7a962a96cd386ea0453286733771a75680b6392e7c5157706b3cdde69f0c2b9a88efe9c27ee0da0495d99301d212a5291b023056873bafd04d9
Score: 3/10
Target: bootstrapper/swiftshader/libEGL.dll
Size: 454KB
MD5: bece984ec1b5cf0c936b03488ed035a2
SHA1: 42672d98362521a2d0a0da4ac750079b6e45c582
SHA256: bb90cc33e368654f57b08c9d2a4ebcf8e723757b997dc60c55b9964680071ff2
SHA512: 2ae39d4fd3ad7f01b1f12b7b1df3366568e84c0f8596241197c1e9ca5cdd44ee1a706b9dea5f53121d2c00cbd9dcdfb97a9c41e7afbabfaf675cd7e7699d1f30
SSDEEP: 6144:QrpgAync0FADrx8k2Rgs1pKp2jwKpIb+LuTO5c:D3c0FADrx52LK0Ib9C5
Score: 8/10
Signatures:
- Downloads MZ/PE file
Target: bootstrapper/swiftshader/libGLESv2.dll
Size: 3.0MB
MD5: 30f7a174e44be1fd6fc9e24b05edca24
SHA1: 6356342fea69d182efe019f388e7169a3ee820de
SHA256: c13b6b090847741433c50e229875100d7a7debb20940fbf99e287f46379c1371
SHA512: c60878ce10e536f797894447cc0141e19af1aa1386c3d7a57e3904f3d5a40e4e7bb49c109fb2b61cc5bbd7ef1be6cf38a37447a97ea88efb826a0584cb97e508
SSDEEP: 49152:93o1NYAyXqUQR1R3q0NIfm0phtZFYnMHZUYDbhgnmBVrRCWZPeEaYeFQtmICLP:KUJvXtZun+FJHeF
Score: 8/10
Signatures:
- Downloads MZ/PE file
Target: bootstrapper/vcruntime211.dll
Size: 439KB
MD5: 6369e17c0bf52e1c1d96f109fbd9e664
SHA1: f5aceae85a252ac45dbdef123148a37f1d7455a9
SHA256: 20229e25730155a6c03f4d87de3a811dc25d3823762f69038ec0e4f0613ef856
SHA512: 675c99cbffd06fcfef57c66dafdc8f3e1cad556f05b9cdb004e08e2dfc7e66117f59f192d6af03951382a14a642acdaa37031f03a71fd6b6ce619b5d465e9cbc
SSDEEP: 12288:lFUEN16Irq1v/G0b+lg+ULHtlbgegCY5Ihw7oel:o416Rv/LBNgLX5R8el
Score: 1/10
Target: bootstrapper/vk_swiftshader.dll
Size: 4.1MB
MD5: 406ff7be5d14ceae348f25df46897208
SHA1: 4299a6c01c36a4056592b9b8c638bef6da3129fa
SHA256: 172e614e9eb8d240e4c4e6db54d4a026120cba2eb4b85b0772fcef09e2ffc44e
SHA512: 8f6249201a2e6c2e3d355f3e714984690ca00d8fcb0d4e9fee402c122da8ce2e9d814a46978cdb6ab35f2675a0ebccd764091491143e7354d7ae3b35ed93cd0d
SSDEEP: 49152:UD9KakSOUkzu81pxaeTyfqsXYoobAuK1LTwdkOCM+e80sCz/b9lLN/L+lfpNaOZf:U8KJ65PNd8Cf6ilEilk
Score: 8/10
Signatures:
- Downloads MZ/PE file
Target: bootstrapper/vulkan-1.dll
Size: 695KB
MD5: 46f9737c207c4c760b4fe6fa9a57de0a
SHA1: 23d55bbe2048ed052f6fb60030652d472cc77fcc
SHA256: 46f43cb79dc9adfe870a40710832dbca9b85c4033cf6c18674153575d82bf4ca
SHA512: cbb741dad623e974ba2ac16509c35baaba3994176f9957ea94238759935fa0a12d86d55226a61ef1219632a1e59cdc533277ca2f145b95984573a040b41b363c
SSDEEP: 12288:284scUI5Y7nVJ3DJmSnXLn42ICkbBoiao5p:2BsI5gdNBLnhkNt1v
Score: 1/10
MITRE ATT&CK Enterprise v15 (technique, number of matching signatures)
Persistence
  Boot or Logon Autostart Execution (1)
    Active Setup (1)
  Browser Extensions (1)
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Netsh Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Active Setup (1)
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Netsh Helper DLL (1)
Defense Evasion
  Modify Registry (5)
  Subvert Trust Controls (1)
    Install Root Certificate (1)