rhadamanthys | b37a0a7ff6ad23dc71339f86ffa4223327dfcb015d24c32e74cf4ac8a272d1a8 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

ZoomFull.exe

windows7-x64

ZoomFull.exe

windows10-2004-x64

Sharing

General

Target

ZoomFull.exe
Size

109.2MB
Sample

250312-mr23vaxycy
MD5

35a45131142cb3baebc149aeb9e334bd
SHA1

5089f9f7d858af435b86fff90e3619c6cf00f2d0
SHA256

b37a0a7ff6ad23dc71339f86ffa4223327dfcb015d24c32e74cf4ac8a272d1a8
SHA512

31943ce86643d230477c6ba3a7790793af0ff7a436e3ca8bf016639cd31708d969e8283f07cc84e3eceae802a0f9c15ceaa40ec2297c30ad5e5faaf93b6d2522
SSDEEP

3145728:vfmQMvAksxzchxtPdMULP51V5wlRRPUSWvAqk:Xmaks1WxPMULP5b+RRPKAqk

Score

10^/10

rhadamanthys defense_evasion discovery privilege_escalation stealer

Static task

static1

Behavioral task

behavioral1

Sample

ZoomFull.exe

Resource

win7-20240903-en

rhadamanthys discovery stealer

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

ZoomFull.exe

Resource

win10v2004-20250217-en

rhadamanthys defense_evasion discovery privilege_escalation stealer

windows10-2004-x64

22 signatures

150 seconds

Malware Config

Targets

- Target
  
  ZoomFull.exe
- Size
  
  109.2MB
- MD5
  
  35a45131142cb3baebc149aeb9e334bd
- SHA1
  
  5089f9f7d858af435b86fff90e3619c6cf00f2d0
- SHA256
  
  b37a0a7ff6ad23dc71339f86ffa4223327dfcb015d24c32e74cf4ac8a272d1a8
- SHA512
  
  31943ce86643d230477c6ba3a7790793af0ff7a436e3ca8bf016639cd31708d969e8283f07cc84e3eceae802a0f9c15ceaa40ec2297c30ad5e5faaf93b6d2522
- SSDEEP
  
  3145728:vfmQMvAksxzchxtPdMULP51V5wlRRPUSWvAqk:Xmaks1WxPMULP5b+RRPKAqk
Score

10^/10

rhadamanthys discovery stealer defense_evasion privilege_escalation
- Detects Rhadamanthys payload
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Rhadamanthys family
  rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Access Token Manipulation

Create Process with Token

Defense Evasion

Access Token Manipulation

Create Process with Token

Modify Registry

Subvert Trust Controls

Install Root Certificate

Credential Access

Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

rhadamanthysdiscoverystealer

behavioral2

rhadamanthysdefense_evasiondiscoveryprivilege_escalationstealer

© 2018-2025

Terms | Privacy