Manuel Statik Analiz (LLM Okumali) — Rhadamanthys Stealer Loader | Tehdit: KRITIK
Файл Kimligi
SHA256 a793c1a77afeb7d85ee525d6333339e40e2fec841a9d79d1a5dbc432e2aa31ae
Файл Adi metacore-loader.exe
Размер 171.520 byte
String Sayisi 1.176
Cleartext C2 ve Payload URL
Kritik IOC: Bu Rhadamanthys loader orneginde C2 IP adresi ve tam payload URL'leri cleartext olarak bulunmaktadir!
C2 Sunucusu: 176.46.152.62
Port: 5858
Protokol: HTTP
Payload Indirme URL:
http://176.46.152.62:5858/1319b3326c0848af967bbe7a51cf8c9a_crypted_build.exe
PowerShell Script URL:
http://176.46.152.62:5858/dadaasads_new.ps1
Yukleme Sekli
Loader (metacore-loader.exe) hedef sisteme calistirilir
C2 sunucusu 176.46.152.62:5858 uzerinden sifreli Rhadamanthys payload'ini indirir
Ayni C2'den dadaasads_new.ps1 PowerShell scripti cekerek ek islemler yapar
Payload dosyasi ismindeki _crypted_build on-the-fly sifreleme yapildigini gosterir
Rhadamanthys Yetenekleri (Семейство)
Kategori Hedefler
Tarayicilar 100+ tarayici — sifre, cookie, kredi karti, oturum tokenleri
Kripto Cuzdanlar MetaMask, Exodus, Atomic, Electrum, 30+ cuzdan uzantisi
Email Outlook, Thunderbird — kimlik bilgileri
VPN NordVPN, ProtonVPN, OpenVPN yapılandirma dosyalari
2FA Google Authenticator, Authy seed'leri
Sistem Screenshot, sistem bilgisi, hardware fingerprint
Rhadamanthys Hakkinda
Rhadamanthys, 2022 yilinda ortaya cikan gelismis bir C++ MaaS (Malware-as-a-Service) infostealerdir. Plugin tabanli mimarisi, 100+ tarayici destegi ve anti-analiz teknikleriyle dikkat ceker. LuaJIT scripting engine ile plugin yukleyebilir. Yeralt piyasasinda en pahali ve gelismis stealerlardan biri olarak konumlandirilmaktadir.
Tespit / Temizlik
Ag katmaninda 176.46.152.62:5858 trafiği engelle/izle
PowerShell execution policy ile yetkisiz .ps1 calismalarini engelle
EDR sistemlerine bu IP ve hash'i ekle
Etkilenen sistemlerde tarayici credential'larini sifirla
IOC
SHA256 a793c1a77afeb7d85ee525d6333339e40e2fec841a9d79d1a5dbc432e2aa31ae
C2 IP 176.46.152.62
C2 Port 5858
Payload URL http://176.46.152.62:5858/1319b3326c0848af967bbe7a51cf8c9a_crypted_build.exe
PS URL http://176.46.152.62:5858/dadaasads_new.ps1
Rhadamanthys — Профиль вредоносного ПО
Rhadamanthys, 2022 de ortaya cikan C++ premium infostealer ailesidir. 250 USD/ay abonelik. Tarayici, kripto, FTP, VPN, email, oyun platformlarini hedefler. Loader + stealer DLL mimarisi.
Тип вредоносного ПО
Infostealer
Язык программирования
C++
Технические детали
C++, HTTP/HTTPS C2, modular plugin-tabanli mimari, genis tarayici credential theft, kripto wallet scraper (MetaMask/Phantom), steganography destekli payload, fingerprint (UUID/HWID), process injection
Возможности и поведение
Tarayıcı Kimlik Bilgileri
FTP/SSH İstemci Şifreleri
Список IOC
(1 индикаторов)
# SHA256
a793c1a77afeb7d85ee525d6333339e40e2fec841a9d79d1a5dbc432e2aa31ae
Тип Значение Примечание
sha256
a793c1a77afeb7d85ee525d6333339e40e2fec841a9d79d1a5dbc432e2aa31ae
C2 Серверы
(4 зарегистрированных серверов для этого семейства)
Адрес
Тип
Порт
Протокол
Статус
Страна
94.131.106.195
ip
443
HTTPS
inactive
RU
185.106.122.144
ip
443
HTTPS
inactive
CZ
185.106.120.55
ip
80
HTTP
inactive
RU
176.46.152.62
ip
5858
HTTP
inactive
—
Адреса C2 предоставляются только на основе образцов вредоносного ПО, вручную проверенных командой KEYDAL. Коммерческое использование запрещено.