General

  • Target

    Armageddon.zip

  • Size

    4.6MB

  • Sample

    250321-bfpsla1vhz

  • MD5

    aa89bb03033d07376bf1a7c410c8a05b

  • SHA1

    2f4998479b726c6a4b39b0b36512e94b2874d7d7

  • SHA256

    615dd41707af9736ba4eeb08a0797395a0edc6fd605718a965c5029cbafe5818

  • SHA512

    704b64c425437cd23623ba0aaec83846aa6f2514ed86f9c51681e62fc698bb745a0f3d8b6094863dd0b8584274e0ba3189297170c3954ce2fc86e6c1a988c9b0

  • SSDEEP

    98304:pdUCcMsZBqg2eu7CrbAG5kV5ehNbG+DgHyaJ/iAsw:HUCu7qqrb3c5ehxZLM

Malware Config

Targets

    • Target

      Setup.exe

    • Size

      759KB

    • MD5

      241e1f1358add031fb9fd18c2a0082b3

    • SHA1

      9f7b9614ed2a3622249df6e7c702168b8b6aa02c

    • SHA256

      129e0c2fa47bb97251800a4cf13f235f38fbe71aa6c98131e7cd85b433dc3204

    • SHA512

      fa06623308b65e6aaa4d137cda9e9126170c378f1f4709b3430eb839c8a408b2bb367b52eb3800f542d04444796f53f5f06711907a440daceaa7d0fa157aaa5c

    • SSDEEP

      12288:vJwFlRKCVTrpBdHY2ebSlZO19bjYN47/oUxFuVIZNZ3qLvxX363910TbwIjq9N:vURrRYJbSlj4oUxIGZNZ3avZKtqXe

    • Downloads MZ/PE file

    • Executes dropped EXE

    • Accesses cryptocurrency files/wallets, possible credential harvesting

    • Legitimate hosting services abused for malware hosting/C2

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • Power Settings

      powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    • Suspicious use of SetThreadContext

    • Target

      msvcp290.dll

    • Size

      3.6MB

    • MD5

      bda101bb10ae2f6d573c6cc0230d0c54

    • SHA1

      e45496d29a636a4b79c68981e9e61730f6277a76

    • SHA256

      84255595956c98b371bf24d1a6d41f8f69daa0be3d913a49887c467ec3bb65bd

    • SHA512

      1b45f3b453c2a112354ef290c9195f7680a30c2f1448d8c2c733d457f7cbccf78176eff5e05ac8530368fd2af746965282c249254eb4709881a51b0818329809

    • SSDEEP

      49152:Ofszpq9lJWJn0cyqwvfz+SWXC+79M7qT5zBACj8Y5/Y801Tb4hquhl6Z:Wi4qhkqVBAG8Yn1E

    • Score

      1/10

    • Target

      nasrallah_x86.dll

    • Size

      439KB

    • MD5

      2e3d4cab5dd86cc6e536162d70613d46

    • SHA1

      823a8cf30a4fef127431849d84d7737cdece5e9b

    • SHA256

      1d5b2ba0a99228befaad231171fdf7f8ccbf2f7a4685b2b3829df112ee70284a

    • SHA512

      81813ab1e86a4ac853292f774f69115a1d601d5b45bdd082fdbddfb6b9a7fa0355f1886d2a711e8805457bf51af11fb9fa2a17a12a89fa0406cceddee57c15c1

    • SSDEEP

      12288:9O7k28xC7HMDVBjfbL5S6IZ7OGQN/RutyU3ivG/0t9:mOS6IZ7QN/R8yoaG/8

    • Score

      1/10

    • Target

      tier0_s64.dll

    • Size

      412KB

    • MD5

      de738f87b7a558476d73d590ea20a3b9

    • SHA1

      ea2da2c8b5c811ea798805d3e77250f12cf6da76

    • SHA256

      87b2d5cd0f667d8f72468ffd146dcf2aebdf7e65db575c04ffe6a4df9c1f1850

    • SHA512

      934a24556d0a4dd7643c03f96cb057ff25bceecbc9795c4a30884aecc5afd441fa99bfe0d978c8879f3fb10260373f055731f51a18775c55de68fa716bccb81b

    • SSDEEP

      6144:xgK7Z8Fd7IQx/XYn7z504xbPnTfMrqS63qqp5WEoXWGhYcRo4gFYRu7oJzBV9:hZ8Fd7IM/Xwnz2qS63nYEe6uo4gxyB

    • Score

      1/10

    • Target

      vcruntime210.dll

    • Size

      4KB

    • MD5

      7b8f768c06420d31c53f1d97dafe1e93

    • SHA1

      12db6e84217924071bb0ca6aad60dbdd7bdd85dc

    • SHA256

      9c7490f282e414a11006d9965a962f791ba1f256240ebaba865a7a0e80eb02f9

    • SHA512

      cd7b3fd34f67e6d0f7c8c06989214a56f2f8a276723fb9e8fdbc4e8f06a294df00f44bf543893e8498ff8f85dd29bb517e9528dddb2025a4a92d19d1dd608aa2

    • SSDEEP

      96:fOZk4CrjHYKscE8qVTkFYSswe1xpsMJGLNXtUPCEOBh3s0xknOkC:fE2nHYKxE84gFYgFLZows0xMlC

    • Score

      1/10

    • Target

      vstdlib_s64.dll

    • Size

      4.9MB

    • MD5

      964a139640199e709b1bfdbec679821d

    • SHA1

      4bba8996b53e9a3fa9f12bcfc9982a7dd9cd704e

    • SHA256

      ed4aa432fb4f138bfb3aa60f3ceae1054a8882295f9ce9ce75290c0fe16b1769

    • SHA512

      d75f95f114780a4005218775785ceb81fe763d4692e375e1461b5e485ecda7d3b5e398d901239fe0da0afdafb0f3d852c7b199fdae48a7ab8e5ec4b0569d51c3

    • SSDEEP

      49152:gccitDWBmZe2NldCkt2ByKAhu25XbizxLrfx7tBDOSpqrOuFM+xLFUVztPgoHRAZ:R5LAmFOztPgoHRAFH

    • Detects Rhadamanthys payload

    • Rhadamanthys

      Rhadamanthys is an information stealer written in C++, first seen in August 2022.

    • Rhadamanthys family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Suspicious use of SetThreadContext

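The hashes listed for the archive and each dropped file can be checked against a local copy with the script below. It is an added example, not the sandbox's own tooling: the hash table is copied from this report, the command-line usage is an assumption, and ssdeep is left out because computing it needs a third-party library.

```python
"""Check local files against the MD5/SHA256 values listed in this report.

Added example, not the sandbox's tooling. REPORT_HASHES is copied from the
report; file paths given on the command line are an assumption.
"""
import hashlib
import io
import sys

# MD5 and SHA256 for each file named in the report, lowercase hex.
REPORT_HASHES = {
    "Armageddon.zip": {
        "md5": "aa89bb03033d07376bf1a7c410c8a05b",
        "sha256": "615dd41707af9736ba4eeb08a0797395a0edc6fd605718a965c5029cbafe5818",
    },
    "Setup.exe": {
        "md5": "241e1f1358add031fb9fd18c2a0082b3",
        "sha256": "129e0c2fa47bb97251800a4cf13f235f38fbe71aa6c98131e7cd85b433dc3204",
    },
    "msvcp290.dll": {
        "md5": "bda101bb10ae2f6d573c6cc0230d0c54",
        "sha256": "84255595956c98b371bf24d1a6d41f8f69daa0be3d913a49887c467ec3bb65bd",
    },
    "nasrallah_x86.dll": {
        "md5": "2e3d4cab5dd86cc6e536162d70613d46",
        "sha256": "1d5b2ba0a99228befaad231171fdf7f8ccbf2f7a4685b2b3829df112ee70284a",
    },
    "tier0_s64.dll": {
        "md5": "de738f87b7a558476d73d590ea20a3b9",
        "sha256": "87b2d5cd0f667d8f72468ffd146dcf2aebdf7e65db575c04ffe6a4df9c1f1850",
    },
    "vcruntime210.dll": {
        "md5": "7b8f768c06420d31c53f1d97dafe1e93",
        "sha256": "9c7490f282e414a11006d9965a962f791ba1f256240ebaba865a7a0e80eb02f9",
    },
    "vstdlib_s64.dll": {
        "md5": "964a139640199e709b1bfdbec679821d",
        "sha256": "ed4aa432fb4f138bfb3aa60f3ceae1054a8882295f9ce9ce75290c0fe16b1769",
    },
}

ALGOS = ("md5", "sha1", "sha256", "sha512")


def hash_stream(fh, chunk_size=1 << 20):
    """Read a binary stream once and return {algo: hex digest} for every ALGOS entry."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    return hash_stream(io.BytesIO(data))


def hash_file(path):
    with open(path, "rb") as fh:
        return hash_stream(fh)


def match_report(digests, table=REPORT_HASHES):
    """Return sorted (name, algo) pairs whose listed hash equals a computed digest.

    Comparison is case-insensitive. An MD5-only hit is weaker evidence than a
    SHA256 hit (MD5 collisions are practical), so the algorithm is reported too.
    """
    hits = []
    for name, known in table.items():
        for algo, value in known.items():
            if digests.get(algo, "").lower() == value:
                hits.append((name, algo))
    return sorted(hits)


def main(argv):
    for path in argv[1:]:
        digests = hash_file(path)
        hits = match_report(digests)
        verdict = ", ".join(f"{name} [{algo}]" for name, algo in hits) or "no match"
        print(f"{path}\n  sha256={digests['sha256']}\n  {verdict}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_hashes.py Setup.exe msvcp290.dll` (file names assumed). Sizes in the report are rounded, so a size match alone proves nothing; a SHA256 match does.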
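Two of the Setup.exe behaviours above, Command Obfuscation and Power Settings, can be hunted for in process-creation telemetry. The following is an added example and not the sandbox's detection logic: the event shape (a dict with a pid and a cmdline, as you would extract from Sysmon Event ID 1 or Security event 4688), the sample events, the regular expressions and the thresholds are all assumptions. It strips cmd.exe caret escapes and PowerShell string concatenation and decodes -EncodedCommand payloads before matching, because the plain keyword powercfg is exactly what the obfuscation is there to hide.

```python
"""Triage process-creation events for powercfg tampering and command obfuscation.

Added example, not from the report or the sandbox. Event shape, sample
events, regexes and thresholds are assumptions; tune them on your own
Sysmon Event ID 1 / Security 4688 CommandLine data.
"""
import base64
import re

# powercfg invocations that keep the host from sleeping or hibernating
# (the report's "Power Settings" behaviour). Applied to de-obfuscated text.
POWERCFG_TAMPER = re.compile(
    r"powercfg(?:\.exe)?\W+.*?(?:"
    r"-(?:standby|monitor|hibernate|disk)-timeout-(?:ac|dc)\s+0\b"  # timer set to "never"
    r"|[-/]h(?:ibernate)?\s+off"                                     # hibernation disabled
    r"|[-/]set(?:ac|dc)valueindex"                                   # raw scheme value written
    r")",
    re.IGNORECASE,
)

# PowerShell -EncodedCommand and the prefixes it accepts (-e, -ec, -enc, ...)
# followed by a base64 blob; the decode step below discards false hits.
ENCODED_COMMAND = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# cmd.exe caret escapes and PowerShell 'a'+'b' concatenation both defeat
# naive substring matching; both are removed before matching.
CARET = "^"
CONCAT = re.compile(r"""['"]\s*\+\s*['"]""")


def decode_encoded_command(b64):
    """Decode a -EncodedCommand payload (base64 of UTF-16LE); None if it is not one."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def normalise(cmdline):
    """Undo the two cheap obfuscations before keyword matching."""
    return CONCAT.sub("", cmdline.replace(CARET, ""))


def triage(event):
    """Return the sorted list of tags raised by one event."""
    cmd = event["cmdline"]
    tags = set()
    # Obfuscation indicators; the counts used as thresholds are assumptions.
    if cmd.count(CARET) >= 3:
        tags.add("cmd_caret_obfuscation")
    if "%" in cmd and ":~" in cmd:
        tags.add("cmd_var_substring")  # %VAR:~start,len% slicing
    if len(CONCAT.findall(cmd)) >= 2:
        tags.add("ps_string_concat")
    texts = [normalise(cmd)]
    for blob in ENCODED_COMMAND.findall(cmd):
        decoded = decode_encoded_command(blob)
        if decoded is not None:
            tags.add("ps_encoded_command")
            texts.append(normalise(decoded))
    # Behaviour indicator, checked on the visible and on the decoded command.
    if any(POWERCFG_TAMPER.search(text) for text in texts):
        tags.add("powercfg_tamper")
    return sorted(tags)


def triage_all(events):
    return {event["pid"]: triage(event) for event in events}


# Constructed sample events (not taken from the report's sandbox run).
SAMPLE_EVENTS = [
    {"pid": 4120, "cmdline": r"cmd.exe /c powercfg /x -standby-timeout-ac 0 & powercfg /x -monitor-timeout-ac 0"},
    {"pid": 4133, "cmdline": r"cmd.exe /c p^o^w^e^r^c^f^g /x -hibernate-timeout-ac 0"},
    {"pid": 4140, "cmdline": "powershell.exe -nop -w hidden -EncodedCommand "
                             + base64.b64encode("powercfg -h off".encode("utf-16le")).decode()},
    {"pid": 4151, "cmdline": r"cmd.exe /c dir %USERPROFILE%\Documents"},
    {"pid": 4162, "cmdline": "powershell.exe -nop -c \"&('po'+'wer'+'cf'+'g') /x -standby-timeout-dc 0\""},
]

if __name__ == "__main__":
    for pid, tags in triage_all(SAMPLE_EVENTS).items():
        print(pid, ", ".join(tags) or "-")
```

Only the fourth sample event comes out clean; the caret-split and concatenated variants are caught because matching runs on the normalised text, and the encoded variant because the payload is decoded first. A powercfg call that sets a timeout to anything other than 0 is deliberately not flagged, which keeps ordinary administration out of the alert queue.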
MITRE ATT&CK Enterprise v15

Tasks