{
	"id": "ecd54981-fb07-459f-9078-e1f6c8cd5606",
	"created_at": "2026-04-06T00:14:22.456142Z",
	"updated_at": "2026-04-10T03:30:30.490949Z",
	"deleted_at": null,
	"sha1_hash": "d45e55c6dce600287dfc49bb12d35d93927fb93b",
	"title": "Malware Analysis - Rhadamanthys",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1846393,
	"plain_text": "Malware Analysis - Rhadamanthys\r\nBy Bar Magnezi\r\nPublished: 2024-07-12 · Archived: 2026-04-05 22:31:52 UTC\r\nSample:\r\nfb6402d3ef1fcdd5af327668fa8d41b4\r\nBackground\r\nRhadamanthys malware has been notably associated with the threat actor group known as Sandworm, which is believed to have ties to Russian intelligence. It allows them to gain unauthorized access to computers, enabling them to execute commands, steal data, and surveil victims through webcams and microphones. It spreads via phishing emails and exploits software vulnerabilities.\r\nStatic Analysis - Stage 1\r\nFigure 1: Malware Bazaar Entry\r\nThe first stage contained a relatively short PowerShell script that was somewhat obfuscated, as shown in Figure 2.\r\nhttps://0xmrmagnezi.github.io/malware%20analysis/Rhadamanthys/\r\nPage 1 of 11\r\nFigure 2: Obfuscated PowerShell\r\nAfter cleaning up the code and deobfuscating it, we were left with clear code, as shown in Figures 3 and 4.\r\nFigure 3: After Cleaning\r\nFigure 4: After Deobfuscation\r\nThe first URL downloads a PDF and opens it, while the second URL downloads a VBS file and executes it in the background. Browsing to this URL revealed a lengthy, obfuscated VBS script.\r\nSecond Stage\r\nFigure 5: Long VBS Script\r\nAfter examining the code, I uncovered clues about the obfuscation technique employed. The method involved filling the code with junk code, and in the middle of the script, a long string was constructed. Once I identified the execution point, I disarmed it and echoed the final command to the console using CScript.\r\nFigure 6: CScript Output\r\nAfter cleaning up the code, I discovered an important function that behaves similarly to a regex. This ‘regex’ essentially takes every sixth character and concatenates them into a new string. In Figure 7 you can find that specific function.\r\nFigure 7: Regex Function\r\nUnderstanding that function led me to construct a regex in CyberChef, through which I successfully extracted the next stage of the malware.\r\nFigure 8: Regex in CyberChef\r\nFigure 9: After Decoding the Whole Code\r\nAs indicated in Figures 8 and 9, two URLs have been identified containing the next stage of the malware.\r\nThird Stage\r\nBrowsing to those URLs revealed the next stage along with additional files containing other variants, as shown in Figures 10 and 11.\r\nFigure 10: First URL\r\nFigure 11: Second URL - Revealed 3 variants\r\nThe content of the file was loaded into the previous script and decoded from Base64. Using CyberChef, I decoded the Base64 content of the file. At the end of the file, the actual code was revealed, as shown in Figure 11.\r\nFigure 12: CyberChef Base64 Decode\r\nThis part also utilized the previously analyzed regex function. Using the same technique to decode it, a new function was revealed.\r\nFigure 13: XOR Function Revealed\r\nAfter analyzing this function, I discovered that it utilized XOR with the key 84 in hex (0x84). An example can be found in Figure 14.\r\nFigure 14: Using XOR\r\nBefore Decoding:\r\nFigure 15: Before XOR\r\nAfter Decoding:\r\nFigure 16: After XOR\r\nThat stage revealed memory manipulation and code injection techniques.\r\nFigure 17: Process Tree Using Procmon\r\nNetwork Analysis\r\nUsing Wireshark and Fiddler I was able to extract network IOCs:\r\nFigure 18: Wireshark DNS Requests\r\nFigure 19: Fiddler Output\r\nVirus Total\r\nFigure 20: VT Url\r\nFigure 21: VT Url\r\nIOCs\r\nHash:\r\n41961596aa91e91c8e4415cff137b345\r\n4555c60872fad83c47c29b2052c978fd\r\nd298368760f646f852027f697df07ee6\r\nfb6402d3ef1fcdd5af327668fa8d41b4\r\n05ed7b3d821af8e38b861b21ad567c1d\r\nURL:\r\nkuthbaneng[.]com\r\npineappletech[.]ae\r\nalmrwad[.]com\r\nIP:\r\n184[.]171[.]244[.]231\r\n103[.]21[.]59[.]27\r\n91[.]195[.]240[.]94\r\nSource: https://0xmrmagnezi.github.io/malware%20analysis/Rhadamanthys/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://0xmrmagnezi.github.io/malware%20analysis/Rhadamanthys/"
	],
	"report_names": [
		"Rhadamanthys"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-10T02:00:04.883793Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434462,
	"ts_updated_at": 1775791830,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d45e55c6dce600287dfc49bb12d35d93927fb93b.pdf",
		"text": "https://archive.orkl.eu/d45e55c6dce600287dfc49bb12d35d93927fb93b.txt",
		"img": "https://archive.orkl.eu/d45e55c6dce600287dfc49bb12d35d93927fb93b.jpg"
	}
}