rhysida | 9ddb239d7c1ca00e5cf13cd6b1f816bdba30792b1f26cef2ca807336bd0b3802 | Triage

Sharing

General

Target

2025-04-03_0cf5491278c7d87e8c3fc88c7f9f26ff_rhysida
Size

908KB
Sample

250403-zvwfpawp12
MD5

0cf5491278c7d87e8c3fc88c7f9f26ff
SHA1

db1d9f161f331d07bbb626acf7d4f8f6e1a2c742
SHA256

9ddb239d7c1ca00e5cf13cd6b1f816bdba30792b1f26cef2ca807336bd0b3802
SHA512

6bda8ea0fe42eb032d0c81e49e7c1a3d8d321185615bae41aca265b53d63191274c8ec6b646663668ab78d4b4ed5986ca73fcd85c2e212cde075d324f5a2c66f
SSDEEP

6144:xcQQbTJ0huBKxmueLQ320SlmQ2Gz3bJo47/T8MF3KSUEtQGG4P4T:bqLQ320SlmQ2GzW47vKSry14P

Score

10^/10

rhysida credential_access discovery ransomware spyware stealer

Malware Config

Targets

- Target
  
  2025-04-03_0cf5491278c7d87e8c3fc88c7f9f26ff_rhysida
- Size
  
  908KB
- MD5
  
  0cf5491278c7d87e8c3fc88c7f9f26ff
- SHA1
  
  db1d9f161f331d07bbb626acf7d4f8f6e1a2c742
- SHA256
  
  9ddb239d7c1ca00e5cf13cd6b1f816bdba30792b1f26cef2ca807336bd0b3802
- SHA512
  
  6bda8ea0fe42eb032d0c81e49e7c1a3d8d321185615bae41aca265b53d63191274c8ec6b646663668ab78d4b4ed5986ca73fcd85c2e212cde075d324f5a2c66f
- SSDEEP
  
  6144:xcQQbTJ0huBKxmueLQ320SlmQ2Gz3bJo47/T8MF3KSUEtQGG4P4T:bqLQ320SlmQ2GzW47vKSry14P
Score

10^/10

rhysida credential_access discovery ransomware spyware stealer
- Detects Rhysida ransom note
- Rhysida
  Rhysida is a ransomware that is written in C++ and discovered in 2023.
  ransomware rhysida
- Rhysida family
  rhysida
- Renames multiple (9764) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Deletes itself
- Drops startup file
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Windows Credential Manager

Unsecured Credentials

Credentials In Files

Discovery

Browser Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

rhysidacredential_accessdiscoveryransomwarespywarestealer