General
-
Target
goodboy.exe
-
Size
860KB
-
Sample
250221-w8fqlsxkas
-
MD5
11ad0f71caabbadba8ca08663690ca39
-
SHA1
2dde6d4b02f8121c7e79af49ff524b96e62fc708
-
SHA256
861f2c5f07c9e1c7d24c2e34eb47ff3129cd39a2227a2549809b9d5c92267883
-
SHA512
ea4e66ea0df09c2f4ae90731ccf06343b7ba3066915f234858fdaee39cb39dc681ebcc9b82ccc38ab146330b1fad2cced798d0bf694ec9d31d963abf789c7a9c
-
SSDEEP
24576:I2yEGU/CgPh3wl0oKEJKpSL3MG6/2ZbNy0:IFG/Cy5poKVpSTn
Malware Config
Targets
-
-
Target
goodboy.exe
-
Size
860KB
-
MD5
11ad0f71caabbadba8ca08663690ca39
-
SHA1
2dde6d4b02f8121c7e79af49ff524b96e62fc708
-
SHA256
861f2c5f07c9e1c7d24c2e34eb47ff3129cd39a2227a2549809b9d5c92267883
-
SHA512
ea4e66ea0df09c2f4ae90731ccf06343b7ba3066915f234858fdaee39cb39dc681ebcc9b82ccc38ab146330b1fad2cced798d0bf694ec9d31d963abf789c7a9c
-
SSDEEP
24576:I2yEGU/CgPh3wl0oKEJKpSL3MG6/2ZbNy0:IFG/Cy5poKVpSTn
Score10/10-
Detects Rhadamanthys payload
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Rhadamanthys family
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Executes dropped EXE
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1