rhysida

General

Target

2c5d3fea7ad3c9c49e9c1a154370229c86c48fbaf7044213fd85d31efcebf7f6.exe
Size

421KB
Sample

250412-qwvq4svrw5
MD5

7dd4de113a97c638518f01760ff4f03c
SHA1

39649fa040a3c6894758016a65afec7b6acd4017
SHA256

2c5d3fea7ad3c9c49e9c1a154370229c86c48fbaf7044213fd85d31efcebf7f6
SHA512

32bea0d57a27376874068fb39917fda13e9a095b372382d1b7b40dbe47bf28ccaa69f5f658ea7d74accf4c078ad861b350b28ca00ee3c77c10acc5482b0d7759
SSDEEP

6144:pzOLumbr+/LRs95wOr0F2SSJmo7zYrMFFHk9FIT9pLaaT:XeB8Fo7tHG6T9Ra

Score

10^/10

Malware Config

Targets

- Target
  
  2c5d3fea7ad3c9c49e9c1a154370229c86c48fbaf7044213fd85d31efcebf7f6.exe
- Size
  
  421KB
- MD5
  
  7dd4de113a97c638518f01760ff4f03c
- SHA1
  
  39649fa040a3c6894758016a65afec7b6acd4017
- SHA256
  
  2c5d3fea7ad3c9c49e9c1a154370229c86c48fbaf7044213fd85d31efcebf7f6
- SHA512
  
  32bea0d57a27376874068fb39917fda13e9a095b372382d1b7b40dbe47bf28ccaa69f5f658ea7d74accf4c078ad861b350b28ca00ee3c77c10acc5482b0d7759
- SSDEEP
  
  6144:pzOLumbr+/LRs95wOr0F2SSJmo7zYrMFFHk9FIT9pLaaT:XeB8Fo7tHG6T9Ra
Score

10^/10

rhysida credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer
- Detect Rhysida ransomware
- Rhysida
  Rhysida is a ransomware that is written in C++ and discovered in 2023.
  ransomware rhysida
- Rhysida family
  rhysida
- Clears Windows event logs
  defense_evasion ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (9689) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Hide Artifacts: Hidden Window
  Windows that would typically be displayed when an application carries out an operation can be hidden.
  defense_evasion
- Indicator Removal: Clear Persistence
  Clear artifacts associated with previously established persistence like scheduletasks on a host.
  defense_evasion
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral1