General

  • Target

    rubixlauncher.exe

  • Size

    4.7MB

  • Sample

    250601-rdvh3aaq5t

  • MD5

    620024df612c13a4a33cf785384c2086

  • SHA1

    a6ae999723bea18c6d3acf2c52ed682f6226b7be

  • SHA256

    cd825788095cd61de39d98d6365ed80004cc55a64f4f115ef6bf532617bb0af1

  • SHA512

    34d4d8a423d98bf0b8d4f18dc980bed97e9492f0817bb1e2dff99fc8d9d0cfaa2687514eff7717b1310a2c858236614490e980390612901e08b69b6ded451bdd

  • SSDEEP

    98304:HqZRVmbr2CkyPqPnowAWTbNJ2EyT2QT27JaSGKN/3pJ:QVs6ysoDEUvwJEKdZJ

Malware Config

  • Extracted

    • Family

      rhadamanthys

    • C2

      https://185.125.50.38:3034/739bd3e91cd40ca83/pancake.api

Targets

    • Target

      rubixlauncher.exe

    • Rhadamanthys

      Rhadamanthys is an info stealer written in C++, first seen in August 2022.

    • Rhadamanthys family

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Obfuscated Files or Information: Command Obfuscation

      Adversaries may obfuscate content during command execution to impede detection.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v16
