rhadamanthys | ba96f1e9c704df28323c460be3c627b5c638d2bd4fcae869f227121d0dff5d62 | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

ba96f1e9c7...62.msi

windows7-x64

ba96f1e9c7...62.msi

windows10-2004-x64

Sharing

General

Target

ba96f1e9c704df28323c460be3c627b5c638d2bd4fcae869f227121d0dff5d62.msi
Size

34.9MB
Sample

250320-embfbsszct
MD5

9cf0093a76065c3c65c1dfbbb76fa82b
SHA1

98276b30afb00ea041b2b5b922eff7e917b620ea
SHA256

ba96f1e9c704df28323c460be3c627b5c638d2bd4fcae869f227121d0dff5d62
SHA512

b3fd984c03000884c566caf79bc5686078018dc7f79b4919e1fcec0f6dc47cf05136439229aa292a508739f37151fa209546cfa53622416666f4fb2ae17a3c5a
SSDEEP

786432:pCLRK7wXCr4zP7pRv/dpO26Aj1Izj6T6Da9Bm:4LM7Vr4zlJ626A8Na9B

Score

10^/10

rhadamanthys discovery persistence privilege_escalation pyinstaller stealer

Static task

static1

Behavioral task

behavioral1

Sample

ba96f1e9c704df28323c460be3c627b5c638d2bd4fcae869f227121d0dff5d62.msi

Resource

win7-20240903-en

rhadamanthys discovery persistence privilege_escalation pyinstaller stealer

windows7-x64

18 signatures

150 seconds

Behavioral task

behavioral2

Sample

ba96f1e9c704df28323c460be3c627b5c638d2bd4fcae869f227121d0dff5d62.msi

Resource

win10v2004-20250314-en

rhadamanthys discovery persistence privilege_escalation pyinstaller stealer

windows10-2004-x64

19 signatures

150 seconds

Malware Config

Targets

- Target
  
  ba96f1e9c704df28323c460be3c627b5c638d2bd4fcae869f227121d0dff5d62.msi
- Size
  
  34.9MB
- MD5
  
  9cf0093a76065c3c65c1dfbbb76fa82b
- SHA1
  
  98276b30afb00ea041b2b5b922eff7e917b620ea
- SHA256
  
  ba96f1e9c704df28323c460be3c627b5c638d2bd4fcae869f227121d0dff5d62
- SHA512
  
  b3fd984c03000884c566caf79bc5686078018dc7f79b4919e1fcec0f6dc47cf05136439229aa292a508739f37151fa209546cfa53622416666f4fb2ae17a3c5a
- SSDEEP
  
  786432:pCLRK7wXCr4zP7pRv/dpO26Aj1Izj6T6Da9Bm:4LM7Vr4zlJ626A8Na9B
Score

10^/10

rhadamanthys discovery persistence privilege_escalation pyinstaller stealer
- Detects Rhadamanthys payload
- Rhadamanthys
  Rhadamanthys is an info stealer written in C++ first seen in August 2022.
  stealer rhadamanthys
- Rhadamanthys family
  rhadamanthys
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

Installer Packages

Privilege Escalation

Event Triggered Execution

Installer Packages

Defense Evasion

System Binary Proxy Execution

Msiexec

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

rhadamanthysdiscoverypersistenceprivilege_escalationpyinstallerstealer

behavioral2

rhadamanthysdiscoverypersistenceprivilege_escalationpyinstallerstealer

© 2018-2025

Terms | Privacy