Manuel Statik Analiz (LLM Okumali) — Rhadamanthys Stealer Loader | Tehdit: KRITIK
文件 Kimligi
SHA256 a793c1a77afeb7d85ee525d6333339e40e2fec841a9d79d1a5dbc432e2aa31ae
文件 Adi metacore-loader.exe
大小 171.520 byte
String Sayisi 1.176
Cleartext C2 ve Payload URL
Kritik IOC: Bu Rhadamanthys loader orneginde C2 IP adresi ve tam payload URL'leri cleartext olarak bulunmaktadir!
C2 Sunucusu: 176.46.152.62
Port: 5858
Protokol: HTTP
Payload Indirme URL:
http://176.46.152.62:5858/1319b3326c0848af967bbe7a51cf8c9a_crypted_build.exe
PowerShell Script URL:
http://176.46.152.62:5858/dadaasads_new.ps1
Yukleme Sekli
Loader (metacore-loader.exe) hedef sisteme calistirilir
C2 sunucusu 176.46.152.62:5858 uzerinden sifreli Rhadamanthys payload'ini indirir
Ayni C2'den dadaasads_new.ps1 PowerShell scripti cekerek ek islemler yapar
Payload dosyasi ismindeki _crypted_build on-the-fly sifreleme yapildigini gosterir
Rhadamanthys Yetenekleri (家族)
Kategori Hedefler
Tarayicilar 100+ tarayici — sifre, cookie, kredi karti, oturum tokenleri
Kripto Cuzdanlar MetaMask, Exodus, Atomic, Electrum, 30+ cuzdan uzantisi
Email Outlook, Thunderbird — kimlik bilgileri
VPN NordVPN, ProtonVPN, OpenVPN yapılandirma dosyalari
2FA Google Authenticator, Authy seed'leri
Sistem Screenshot, sistem bilgisi, hardware fingerprint
Rhadamanthys Hakkinda
Rhadamanthys, 2022 yilinda ortaya cikan gelismis bir C++ MaaS (Malware-as-a-Service) infostealerdir. Plugin tabanli mimarisi, 100+ tarayici destegi ve anti-analiz teknikleriyle dikkat ceker. LuaJIT scripting engine ile plugin yukleyebilir. Yeralt piyasasinda en pahali ve gelismis stealerlardan biri olarak konumlandirilmaktadir.
Tespit / Temizlik
Ag katmaninda 176.46.152.62:5858 trafiği engelle/izle
PowerShell execution policy ile yetkisiz .ps1 calismalarini engelle
EDR sistemlerine bu IP ve hash'i ekle
Etkilenen sistemlerde tarayici credential'larini sifirla
IOC
SHA256 a793c1a77afeb7d85ee525d6333339e40e2fec841a9d79d1a5dbc432e2aa31ae
C2 IP 176.46.152.62
C2 Port 5858
Payload URL http://176.46.152.62:5858/1319b3326c0848af967bbe7a51cf8c9a_crypted_build.exe
PS URL http://176.46.152.62:5858/dadaasads_new.ps1
Rhadamanthys — 恶意软件档案
Rhadamanthys, 2022 de ortaya cikan C++ premium infostealer ailesidir. 250 USD/ay abonelik. Tarayici, kripto, FTP, VPN, email, oyun platformlarini hedefler. Loader + stealer DLL mimarisi.
技术细节
C++, HTTP/HTTPS C2, modular plugin-tabanli mimari, genis tarayici credential theft, kripto wallet scraper (MetaMask/Phantom), steganography destekli payload, fingerprint (UUID/HWID), process injection
能力与行为
Tarayıcı Kimlik Bilgileri
FTP/SSH İstemci Şifreleri
IOC列表
(1 个指标)
# SHA256
a793c1a77afeb7d85ee525d6333339e40e2fec841a9d79d1a5dbc432e2aa31ae
类型 值 备注
sha256
a793c1a77afeb7d85ee525d6333339e40e2fec841a9d79d1a5dbc432e2aa31ae
C2服务器
(该家族共有 4 台已记录服务器)
地址
类型
端口
协议
状态
国家
94.131.106.195
ip
443
HTTPS
inactive
RU
185.106.122.144
ip
443
HTTPS
inactive
CZ
185.106.120.55
ip
80
HTTP
inactive
RU
176.46.152.62
ip
5858
HTTP
inactive
—
C2 地址仅来自 KEYDAL 团队人工验证的恶意软件样本。禁止用于商业用途。