rhysida

General

Target

1888ecf4e90f02ecaaefdb3624825fa2.bin
Size

264KB
Sample

250414-bfazfawmx2
MD5

57ce8025925f12c99b2a5b7f337e2661
SHA1

303ecc30a3cb759c29efe6dd41a9de39f89c2b49
SHA256

c02413c8d2f6cf20728cb4ff088d73d87e592d0f80d3b7ad3ccc8bd05ad6dfa7
SHA512

4a0c3ad6c27dd9150001fad946d64eb2fff07df153ffc81fd0d9019517c66083d102482ff061a896663a2fde18ee8ff508ae60a81238fa1fa34094794c192cf3
SSDEEP

6144:d+BLAZEPacHWRThylA16BQNJxWGKT3+yfgD+RVXl+DW35:cyZEPLHcThys6oFKT3gKVXl+6J

Score

10^/10

Malware Config

Targets

- Target
  
  a78fa1ecadc46870c17e458ab427bad6586b74c7d3e8472f6d8448832ccb20f1.exe
- Size
  
  497KB
- MD5
  
  1888ecf4e90f02ecaaefdb3624825fa2
- SHA1
  
  f347814ce3c6018a342799ff38644d02964635c0
- SHA256
  
  a78fa1ecadc46870c17e458ab427bad6586b74c7d3e8472f6d8448832ccb20f1
- SHA512
  
  cbe0bc441b41c37098bf98f15ac6795cf7bdde7452b01bbceb0b6e93378db023ac2a1edc3edcfbec1a7404a736b7e343acbb5e2dd7d9ab33450f4d780d20b8b2
- SSDEEP
  
  6144:WFoCbN9uRh5W8iZuYtWrJhN7L6aMFNCk0Y+sPgtuMf9opaMPdZXT:0vZTs7N78CrZsPgUG9oDlZ
Score

10^/10

rhysida credential_access defense_evasion discovery execution impact persistence ransomware spyware stealer
- Detect Rhysida ransomware
- Rhysida
  Rhysida is a ransomware that is written in C++ and discovered in 2023.
  ransomware rhysida
- Rhysida family
  rhysida
- Clears Windows event logs
  defense_evasion ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware defense_evasion impact execution
- Renames multiple (9766) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Credentials from Password Stores: Windows Credential Manager
  Suspicious access to Credentials History.
  credential_access stealer
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Hide Artifacts: Hidden Window
  Windows that would typically be displayed when an application carries out an operation can be hidden.
  defense_evasion
- Indicator Removal: Clear Persistence
  Clear artifacts associated with previously established persistence like scheduletasks on a host.
  defense_evasion
- Power Settings
  powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
  persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral1