rhadamanthys | 6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

3

6586cb8766...14.exe

windows7-x64

6586cb8766...14.exe

windows10-2004-x64

Sharing

General

Target

6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe
Size

938KB
Sample

250318-eywkmst1ez
MD5

9e64b65535e29ec152642d8bdcb22974
SHA1

5431aa7526ba193c0a92afffe2537bc54f51a0ba
SHA256

6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14
SHA512

f895c62431502fa92d36b5e0cb929b4957ca41f9253dadecd6a06153dc566e12a5d835a162f6aeb0e8ea1eb1fb9c65ab716f7c43faca0672aff37900c56b156e
SSDEEP

24576:cbSLx7bBqTC9oA414OYDsSyMZblh50gjuQk47blB7uFujRVeYr4c:GS79qK4cDs6q7QX7bl1u6LzMc

Score

10^/10

rhadamanthys discovery stealer

Static task

static1

1 signatures

Behavioral task

behavioral1

Sample

6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe

Resource

win7-20240903-en

rhadamanthys discovery stealer

windows7-x64

15 signatures

300 seconds

Behavioral task

behavioral2

Sample

6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe

Resource

win10v2004-20250313-en

rhadamanthys discovery stealer

windows10-2004-x64

16 signatures

300 seconds

Malware Config

Extracted

Family

rhadamanthys

C2

https://94.156.10.37:2036/efc85e6acdfc3a785/1evgkhav.3ltvh

Targets

- Target
  
  6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14.exe
- Size
  
  938KB
- MD5
  
  9e64b65535e29ec152642d8bdcb22974
- SHA1
  
  5431aa7526ba193c0a92afffe2537bc54f51a0ba
- SHA256
  
  6586cb8766c14a87330bf6c79a7cbd7cbff3ca9da63574a9c348645117d08f14
- SHA512
  
  f895c62431502fa92d36b5e0cb929b4957ca41f9253dadecd6a06153dc566e12a5d835a162f6aeb0e8ea1eb1fb9c65ab716f7c43faca0672aff37900c56b156e
- SSDEEP
  
  24576:cbSLx7bBqTC9oA414OYDsSyMZblh50gjuQk47blB7uFujRVeYr4c:GS79qK4cDs6q7QX7bl1u6LzMc
Score

10^/10

rhadamanthys discovery stealer
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Rhadamanthys family
  rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Enumerates processes with tasklist
  discovery
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

Query Registry

Remote System Discovery

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

rhadamanthysdiscoverystealer

behavioral2

rhadamanthysdiscoverystealer

© 2018-2025

Terms | Privacy