{
	"id": "2d294454-9ae1-4153-be08-4ddd590485b9",
	"created_at": "2026-04-06T00:13:29.784057Z",
	"updated_at": "2026-04-10T03:21:40.852811Z",
	"deleted_at": null,
	"sha1_hash": "eab05d00db65c7fa6d06b1a12442e6d460a51351",
	"title": "Malware-Traffic-Analysis.net - 2023-01-03 - Google ad --\u003e fake Notepad++ page --",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1428239,
	"plain_text": "Malware-Traffic-Analysis.net - 2023-01-03 - Google ad --\u003e fake\r\nNotepad++ page --\r\nArchived: 2026-04-05 17:56:06 UTC\r\n2023-01-03 (TUESDAY) - GOOGLE AD --\u003e FAKE NOTEPAD++ PAGE --\u003e\r\nRHADAMANTHYS STEALER\r\nNOTICE:\r\nThe zip archives on this page have been updated, and they now use the new password scheme. For the new\r\npassword, see the \"about\" page of this website.\r\nNOTES:\r\nSpecial thanks to @500mk500, @da_667, and @ex_raritas for identifying this malware!\r\nASSOCIATED FILES:\r\n2023-01-03-IOCs-from-Rhadamanthys-Stealer-infection.txt.zip   2.0 kB   (1,952 bytes)\r\n2023-01-03-Rhadamanthys-Stealer-traffic.pcap.zip   1.0 MB   (1,018,898 bytes)\r\n2023-01-03-Rhadamanthys-Stealer-malware-and-artifacts.zip   70.9 MB   (70,883,162 bytes)\r\n2023-01-03 (TUESDAY) GOOGLE AD --\u003e FAKE NOTEPAD++ PAGE --\u003e RHADAMANTHYS STEALER\r\nNOTES:\r\n- The Google ad for this infection chain did not hide the fake Notepad++ site (malicious site was vis\r\n- Hasankahrimanoglu[.]com[.]tr was used before in December 2022 for the same type of fake Notepad++ s\r\n- The downloaded zip contains a Rhadamanthys Stealer EXE inflated to approx 802 MB and a folder with\r\n- This infection process used an image with data hidden through steganography, but I don't know what\r\n- After the steganography image, the infection switched to websocket traffic to encrypt the post-infe\r\n- Special thanks to @500mk500, @da_667, and @ex_raritas for identifying this malware!\r\nGOOGLE AD URL:\r\n- hxxps[:]//www.googleadservices[.]com/pagead/aclk?sa=L\u0026ai=DChcSEwiDiu-13Kv8AhWkE9QBHa7UADwYABACGgJvY\r\n com\u0026cid=CAASJORopA-3gIku5H1e8Y7FuoHCKJjSFjgbPRpqoj2ZKXrbPcnfRQ\u0026sig=AOD64_2JnosseZ0C9qLEszOg47HtRfUY\r\n jup-i13Kv8AhVckmoFHeyWDP8Q0Qx6BAgKEAE\r\nFAKE NOTEPAD++ SITE:\r\n- hxxps[:]//noteepad.hasankahrimanoglu[.]com[.]tr/\r\nhttps://www.malware-traffic-analysis.net/2023/01/03/index.html\r\nPage 1 of 8\r\nZIP DOWNLOAD URL:\r\n- hxxps[:]//noteepad.hasankahrimanoglu[.]com[.]tr/ing.php\r\nDOWNLOADED ZIP ARCHIVE:\r\n- SHA256 hash: 56840aba173e384469ea4505158eead4e7612c41caa59738fcf5efe9b2e10864\r\n- File size: 69,728,905 bytes\r\n- File name: Nottepaad_lastNeWx32x64.zip\r\nEXE FOR RHADAMANTHYS STEALER EXTRACTED FROM ABOVE ZIP ARCHIVE:\r\n- SHA256 hash: 8d0e8bafffed28f5c709a99392f7ab42430635839f7aba92a01c956c10702c8f\r\n- File size: 802,160,640 bytes\r\n- File name: Noteppad_SettupX32iX64.exe\r\n- Note: This file has more than 801 MB of extra bytes to make the EXE too big for services like Virus\r\nRHADAMANTHYS STEALER EXE CARVED TO REMOVE PADDING:\r\n- SHA256 hash: af67a6bd0baf78191617c97aad2d21b7d6133e879c92c97b1b1345d629f79661\r\n- File size: 333,344 bytes\r\n- File name: Noteppad_SettupX32iX64-carved.exe\r\n- Analysis: https://app.any.run/tasks/96a0206a-5683-47c1-9804-04aff3c55228\r\n- Analysis: https://tria.ge/230103-tr9agsfb8w\r\nPOST INFECTION TRAFFIC:\r\n- 162.33.178[.]106 port 80 - 162.33.178[.]106 - GET /gjntrrm/zznb2o.hgfq\r\n- 162.33.178[.]106 port 80 - 162.33.178[.]106 - GET /gjntrrm/zznb2o.hgfq\r\nNOTES ON THE POST-INFECTION TRAFFIC:\r\n- The first HTTP GET request returns a 929,566 byte .jpg image that's 95x120 pixels and has obfuscate\r\n so it seems there's steganography involved here.\r\n- The second HTTP GET request upgrades the traffic, switching to encrypted websocket activity.\r\nSTEGANOGRAPHY IMAGE:\r\n- SHA256 hash: c4b7e2de87630bde08e367c75d9a2b9ae79b1d4f03ee8014531239c9597efc2e\r\n- File size: 929,566 bytes\r\n- Location: hxxp[:]//162.33.178[.]106/gjntrrm/zznb2o.hgfq\r\n- File description: JPEG image 95x120 bytes\r\n- Note: Same size, but different file hash seen from infections on at least 2 different Win10 hosts.\r\nIMAGES\r\nShown above: Google ad leading to fake Notepad++ site.\r\nShown above: Downloading zip archive from fake Notepad++ page.\r\nShown above: Downloaded zip contains padded EXE for Rhadamanthys Stealer and folder full of unrelated files.\r\nShown above: Microsoft Defender did not like the Rhadamanthys Stealer EXE.\r\nShown above: Rhadamanthys Stealer post-infection traffic filtered in Wireshark.\r\nShown above: First HTTP GET request returned steganography image.\r\nShown above: Steganography image exported from the pcap.\r\nShown above: Rhadamanthys Stealer data exfiltration through websocket traffic.\r\nSource: https://www.malware-traffic-analysis.net/2023/01/03/index.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.malware-traffic-analysis.net/2023/01/03/index.html"
	],
	"report_names": [
		"index.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434409,
	"ts_updated_at": 1775791300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eab05d00db65c7fa6d06b1a12442e6d460a51351.pdf",
		"text": "https://archive.orkl.eu/eab05d00db65c7fa6d06b1a12442e6d460a51351.txt",
		"img": "https://archive.orkl.eu/eab05d00db65c7fa6d06b1a12442e6d460a51351.jpg"
	}
}