Manual Static Analysis (LLM-assisted read) - Rhadamanthys Stealer Loader | Threat: CRITICAL

File Identity

SHA256:        a793c1a77afeb7d85ee525d6333339e40e2fec841a9d79d1a5dbc432e2aa31ae
File name:     metacore-loader.exe
Size:          171,520 bytes
String count:  1,176

Cleartext C2 and Payload URLs

Critical IOC: in this Rhadamanthys loader sample the C2 IP address and the full payload URLs are present in cleartext, so they can be recovered straight from the binary's strings without unpacking or running the sample.
C2 server:    176.46.152.62
Port:         5858
Protocol:     HTTP

Payload download URL:
http://176.46.152.62:5858/1319b3326c0848af967bbe7a51cf8c9a_crypted_build.exe

PowerShell script URL:
http://176.46.152.62:5858/dadaasads_new.ps1
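The following Python routine is an added example (it is not code from this page or from the KEYDAL analysis) showing how the cleartext indicators above are recovered in a static pass: dump printable ASCII and UTF-16LE strings from the file, pull URLs and ip:port pairs out of them, and label each URL by its role in the chain. The binary blob is constructed for the example, with the page's two URLs embedded once as ASCII and once as a Windows wide string; the real loader's layout and string encoding are not known here and are assumptions.

```python
import re
from typing import Dict, List, Set

# Constructed stand-in for the loader's data section (assumption: the real
# layout is unknown). It holds junk bytes plus the page's two URLs, one as
# ASCII and one as UTF-16LE, the wide-string form a plain `strings` run misses.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\x00" * 16
    + b"http://176.46.152.62:5858/1319b3326c0848af967bbe7a51cf8c9a_crypted_build.exe\x00"
    + b"\x00" * 8
    + "http://176.46.152.62:5858/dadaasads_new.ps1".encode("utf-16-le")
    + b"\x00\x00"
    + b"\x00" * 8
    + b"176.46.152.62:5858\x00"
    + bytes(range(0x80, 0x100))          # non-printable filler
)

MIN_LEN = 6
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)            # printable ASCII runs
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)     # UTF-16LE runs
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d{1,5})?/[^\s\"'<>]*")
IP_PORT_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}:\d{1,5}\b")


def extract_strings(data: bytes) -> List[str]:
    """Printable ASCII and UTF-16LE runs, roughly `strings -a` plus `strings -e l`."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in WIDE_RE.finditer(data)]
    return found


def find_network_iocs(data: bytes) -> Dict[str, Set[str]]:
    """Collect cleartext URLs and ip:port pairs from the extracted strings."""
    iocs: Dict[str, Set[str]] = {"urls": set(), "ip_ports": set()}
    for s in extract_strings(data):
        iocs["urls"].update(URL_RE.findall(s))
        # also catches the host:port embedded inside each URL
        iocs["ip_ports"].update(IP_PORT_RE.findall(s))
    return iocs


def classify_url(url: str) -> str:
    """Label a URL by the role its filename suggests in the loader chain."""
    name = url.rsplit("/", 1)[-1].lower()
    if name.endswith(".ps1"):
        return "powershell-script"
    if name.endswith(".exe"):
        return "crypted-payload" if "crypted" in name else "payload"
    return "other"


if __name__ == "__main__":
    result = find_network_iocs(SAMPLE_BINARY)
    for url in sorted(result["urls"]):
        print(f"{classify_url(url):18} {url}")
    for hp in sorted(result["ip_ports"]):
        print(f"{'ip:port':18} {hp}")
```

Run against a real file with `find_network_iocs(open(path, "rb").read())`; the wide-string pass matters on Windows samples because WinHTTP/WinINet APIs take UTF-16 URLs, so a loader that stores them that way shows nothing in a default `strings` run.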

Infection Chain

  • The loader (metacore-loader.exe) is executed on the target system
  • It downloads the crypted Rhadamanthys payload from the C2 server at 176.46.152.62:5858 over plain HTTP
  • It fetches the PowerShell script dadaasads_new.ps1 from the same C2 to carry out additional actions
  • The _crypted_build suffix in the payload filename indicates the served build has been wrapped by a crypter (encrypted/packed), which is done to evade static signature detection of the stealer itself

Rhadamanthys Capabilities (Family)

Category          Targets
Browsers          100+ browsers: passwords, cookies, credit cards, session tokens
Crypto wallets    MetaMask, Exodus, Atomic, Electrum, 30+ wallet browser extensions
Email             Outlook, Thunderbird: stored credentials
VPN               NordVPN, ProtonVPN, OpenVPN configuration files
2FA               Google Authenticator, Authy seeds
System            Screenshots, system information, hardware fingerprint

About Rhadamanthys

Rhadamanthys is an advanced C++ Malware-as-a-Service (MaaS) infostealer that emerged in 2022. It stands out for its plugin-based architecture, support for 100+ browsers and its anti-analysis techniques, and it can load plugins through an embedded LuaJIT scripting engine. On the underground market it is positioned as one of the most expensive and most capable stealers.

Detection / Remediation

  • Block and monitor traffic to 176.46.152.62:5858 at the network layer; also alert on any HTTP request for *_crypted_build.exe or *.ps1 from a bare IP address, since the operator can rotate the IP faster than a blocklist is updated
  • Do not rely on the PowerShell execution policy to stop unauthorized .ps1 execution: it is a convenience setting, not a security boundary, and a loader bypasses it with -ExecutionPolicy Bypass or by piping the script into powershell.exe. Use AppLocker/WDAC script rules and Constrained Language Mode to block it, and enable script block logging (Event ID 4104) so the fetched script is recorded
  • Add this IP and the SHA256 hash to EDR blocklists and hunt for past sightings
  • On affected systems reset browser-stored credentials, and also revoke active sessions and rotate any cookies/tokens: the stealer takes session tokens as well as passwords, so a password reset alone leaves stolen sessions valid
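As an added example (not part of this page or the KEYDAL tooling), the following Python script applies the indicators above to proxy logs: it flags exact hits on the C2 IP and the two URL paths, and adds a generic rule that keeps firing after the operator rotates the IP (a script or executable pulled from a raw IP on a non-standard port). The log lines are constructed in Squid native format; the two benign/unknown lines use documentation address ranges and are assumptions.

```python
import re
from typing import Dict, List, Optional, Tuple

# Indicators taken from this report.
C2_IP = "176.46.152.62"
C2_PORT = 5858
KNOWN_PATHS = {
    "/1319b3326c0848af967bbe7a51cf8c9a_crypted_build.exe": "known Rhadamanthys payload URL",
    "/dadaasads_new.ps1": "known Rhadamanthys stage-2 PowerShell URL",
}

# Constructed proxy log, Squid native format (fields: time elapsed client
# code/status bytes method URL rfc931 hierarchy/peer type). Lines 1-2 are the
# chain from this report; lines 3-4 are made-up traffic for contrast.
SAMPLE_LOG = """\
1718000001.123    45 10.0.0.15 TCP_MISS/200 171520 GET http://176.46.152.62:5858/1319b3326c0848af967bbe7a51cf8c9a_crypted_build.exe - HIER_DIRECT/176.46.152.62 application/octet-stream
1718000002.456    12 10.0.0.15 TCP_MISS/200 2048 GET http://176.46.152.62:5858/dadaasads_new.ps1 - HIER_DIRECT/176.46.152.62 text/plain
1718000003.789   300 10.0.0.22 TCP_MISS/200 51200 GET https://updates.example.com/agent.exe - HIER_DIRECT/198.51.100.7 application/octet-stream
1718000004.001    20 10.0.0.31 TCP_MISS/200 900 GET http://203.0.113.9:8080/setup_new.ps1 - HIER_DIRECT/203.0.113.9 text/plain
"""

URL_RE = re.compile(r"^(?P<scheme>https?)://(?P<host>[^/:\s]+)(?::(?P<port>\d+))?(?P<path>/[^?#\s]*)?")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Pick the fields we need out of one Squid native log line."""
    f = line.split()
    if len(f) < 7:
        return None
    return {"ts": f[0], "client": f[2], "status": f[3], "bytes": f[4], "method": f[5], "url": f[6]}


def assess_url(url: str) -> Tuple[str, List[str]]:
    """Return (severity, reasons) for one requested URL."""
    m = URL_RE.match(url)
    if not m:
        return "none", []
    host = m["host"]
    port = int(m["port"]) if m["port"] else (443 if m["scheme"] == "https" else 80)
    path = m["path"] or "/"
    reasons: List[str] = []
    if host == C2_IP:
        reasons.append(f"known Rhadamanthys C2 IP {C2_IP}" + (f":{port}" if port == C2_PORT else " (new port)"))
    if path in KNOWN_PATHS:
        reasons.append(KNOWN_PATHS[path])
    # Generic heuristic that survives IP rotation: a script or executable
    # fetched straight from a raw IPv4 host on a non-standard port.
    if IPV4_RE.match(host) and port not in (80, 443) and path.lower().endswith((".ps1", ".exe")):
        reasons.append("script/executable fetched from raw IP on non-standard port")
    if host == C2_IP or path in KNOWN_PATHS:
        return "critical", reasons
    return ("medium" if reasons else "none"), reasons


def scan_log(text: str) -> List[Dict[str, object]]:
    """Run every log line through assess_url and keep the ones that fire."""
    alerts: List[Dict[str, object]] = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        sev, reasons = assess_url(rec["url"])
        if sev != "none":
            alerts.append({"client": rec["client"], "url": rec["url"], "severity": sev, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(a["severity"].upper(), a["client"], a["url"], "|", "; ".join(a["reasons"]))
```

The exact-match rules give the critical hits for this sample; the raw-IP heuristic is what catches the next build once the operator moves to a new address, at the cost of some noise from internal tooling that serves installers by IP, which is why it is rated medium rather than critical.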

IOC

SHA256:        a793c1a77afeb7d85ee525d6333339e40e2fec841a9d79d1a5dbc432e2aa31ae
C2 IP:         176.46.152.62
C2 port:       5858
Payload URL:   http://176.46.152.62:5858/1319b3326c0848af967bbe7a51cf8c9a_crypted_build.exe
PS URL:        http://176.46.152.62:5858/dadaasads_new.ps1

Rhadamanthys - Malware Profile

Rhadamanthys is a premium C++ infostealer family that appeared in 2022, sold as a subscription at about 250 USD/month. It targets browsers, crypto wallets, FTP clients, VPN clients, email clients and gaming platforms, and uses a loader + stealer DLL architecture.

Malware type:          Infostealer
Programming language:  C++
C2 protocol:           HTTP/HTTPS
Target systems:        Windows

Technical Details

Written in C++; HTTP/HTTPS C2; modular plugin-based architecture; broad browser credential theft; crypto wallet scraper (MetaMask/Phantom); steganography-wrapped payload delivery; host fingerprinting (UUID/HWID); process injection

Capabilities & Behavior

Browser credentials
Cookie theft
Crypto wallet theft
System information
Screenshots
FTP/SSH client passwords
Email client theft
Data exfiltration

IOC List (1 indicator)

Type     Value                                                             Note
sha256   a793c1a77afeb7d85ee525d6333339e40e2fec841a9d79d1a5dbc432e2aa31ae  metacore-loader.exe (Rhadamanthys loader)

C2 Servers (4 recorded servers for this family)

Address           Type  Port  Protocol  Status    Country
94.131.106.195    ip    443   HTTPS     inactive  RU
185.106.122.144   ip    443   HTTPS     inactive  CZ
185.106.120.55    ip    80    HTTP      inactive  RU
176.46.152.62     ip    5858  HTTP      inactive  -

C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.

Tags
rhadamanthys, stealer, loader, cleartext-c2, ip-port, powershell, crypted-build