
carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Scope
Check Point Research analyzes Rhadamanthys 0.9.x (focus on 0.9.2) across its full execution chain: Stage 1 loader, Stage 2 core/package, and Stage 3 stealer. It documents format churn (XS1_B/XS2_B), config pipeline, anti-analysis, module packaging/fetching, C2 transport, injection, and newly added stealer/fingerprinting components. CPR provides updated analyst tools (XS converter, string deobfuscators, package unpacker) plus allowlists/blocklists for sandbox-detec...

🔧 Technical Details

Anti-unpacked execution prompt: Detect when the loader runs from an unpacked sample and interrupt execution with a blocking prompt using MessageBoxW (vs. raw-syscall NtRaiseHardError). This deters repackaging and frustrates naive dynamic analysis.

Custom-format churn (XS1_B/XS2_B): Break parsers by shifting header fields and changing DLL-name decoding while preserving behavior. Use a 1‑byte imp_key in checksum resolution and widen import fields to invalidate older tooling. Always convert XS→PE with updated converters before static work.

Config decoding pipeline: Extract embedded Base64 (custom alphabet) → ChaCha20 decrypt (inline key/IV) → CBC XOR shuffle → LZO decompress to a struct holding flags, 16‑byte mutex_seed, and multiple C2 URLs. Marker changed to 0xBEEF in 0.9.2. Track flags 0x10/0x20/0x40 for file deletion, staging, and mutex-handle inh...

🤖 Agent Actions

I analyzed the blog content and repository, found the right place (Basic Forensic Methodology → Malware Analysis), and added a dedicated Rhadamanthys page with all the technical details that weren’t present yet. I also linked it from the malware analysis index.

Summary of changes implemented:

  • Created new page:
    • src/generic-methodologies-and-resources/basic-forensic-methodology/rhadamanthys-0-9-x-analysis.md
    • Content includes:
      • XS1_B/XS2_B format changes (header shift, 1-byte imp_key, widened imports, new DLL-name decoding), with code snippets (long ones wrapped in expanders)
      • Configuration deobfuscation pipeline: custom Base64 → ChaCha20 → CBC XOR shuffle → LZO; structure and flags, with custom alphabet
      • Stage 2 package re-obfuscation in memory via LFSR XOR (tap 0xB400) and checksum-based module retrieval (with fetch logic code in an expander)
      • Mutex generation and propagation; hunting hints via MSCTF.Asm.{GUID} pattern and handle duplication behavior
      • Anti-analysis checks (Strategy module): process blocklist, Triage wallpaper SHA1, sandbox fodder files/usernames, UUIDv1 MAC OUI blocklist, WMI HWID blocklist (with gist references)
      • Stage 3 PNG payload container and structure; WebSocket transport
      • Configurable injection targets (subset) and fallbacks
      • Stage 3 RC4 string protection with IDA deobfuscation tooling references
      • Network pre-checks (NTP list) and cosmetic domain churn function; note on WebSocket persistence
      • Lua stealer module additions and browser fingerprinting components
      • Detection and hunting ideas across these behaviors
      • Analyst tooling links (XS converter, package decoder gist, RC4 deobfuscator, blocklists)
      • References section with CPR blog and relevant tools/gists
  • Updated malware analysis index to link new page:
    • src/generic-methodologies-and-resources/basic-forensic-methodology/malware-analysis.md
    • Added “Rhadamanthys 0.9.x – Analysis and TTPs” linking to the new page using {{#ref}}.

No duplication with existing content was found; the XS format changes, config pipeline, in-memory re-obfuscation, sandbox checks via UUIDv1/WMI, PNG Stage 3, and RC4 string scheme were not previously covered.

References added in the new page:

If you need any refinement of categorization or cross-linking to Windows techniques pages (injection/AV bypass), let me know, but the core DFIR/malware-analysis material is now captured and linked properly.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

  • MD files processed: 897
  • MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).
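As an added illustration of the "Stage 2 package re-obfuscation in memory via LFSR XOR (tap 0xB400)" bullet above, the following Python sketch is not CPR's tool and not code from the HackTricks page; it assumes a 16-bit Galois LFSR that emits the low byte of its state after each step, and a constructed seed, because the page gives only the tap value. Since XOR is an involution, the same routine an analyst uses to recover a package from a memory dump is the one that hides it.

```python
TAP_MASK = 0xB400  # 16-bit Galois LFSR taps (x^16 + x^14 + x^13 + x^11 + 1); value taken from the PR text


def lfsr_keystream(seed: int, length: int) -> bytes:
    """Return `length` keystream bytes from a 16-bit Galois LFSR.
    Assumption (not stated on the page): the low byte of the state is emitted after each step."""
    state = seed & 0xFFFF
    if state == 0:
        raise ValueError("LFSR seed must be non-zero: an all-zero state never changes")
    out = bytearray()
    for _ in range(length):
        lsb = state & 1
        state >>= 1
        if lsb:
            state ^= TAP_MASK
        out.append(state & 0xFF)
    return bytes(out)


def xor_with_lfsr(data: bytes, seed: int) -> bytes:
    """XOR `data` against the LFSR keystream. Applying it twice with the same seed
    yields the original bytes, so one function both hides and recovers a package."""
    ks = lfsr_keystream(seed, len(data))
    return bytes(b ^ k for b, k in zip(data, ks))


def lfsr_period(seed: int) -> int:
    """Steps until the state returns to `seed`; 65535 means the taps give a maximal-length sequence,
    i.e. the keystream does not repeat within any realistically sized package."""
    state = seed & 0xFFFF
    steps = 0
    while True:
        lsb = state & 1
        state >>= 1
        if lsb:
            state ^= TAP_MASK
        steps += 1
        if state == seed:
            return steps


# Constructed sample: a fake PE-like blob, not a real Rhadamanthys package.
SAMPLE_PACKAGE = b"MZ" + bytes(range(64)) + b"This program cannot be run in DOS mode."
SEED = 0xACE1  # constructed seed; the real seed derivation is not described on the page


def demo():
    """Hide the sample as the malware would in memory, then recover it as an analyst would from a dump."""
    hidden = xor_with_lfsr(SAMPLE_PACKAGE, SEED)
    recovered = xor_with_lfsr(hidden, SEED)
    return hidden, recovered
```

A memory-forensics scan for the "MZ" magic will miss the hidden copy, which is why a dump taken while the package is re-obfuscated has to be passed through the same LFSR XOR before carving.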

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://research.checkpoint.com/2025/rhadamanthys-0-9-x-walk-through-the-updates/

Content Categories: Based on the analysis, this content was categorized under "Basic Forensic Methodology -> Malware Analysis (add a page on Rhadamanthys 0.9.x: XS format changes, config deobfuscation pipeline, in-memory re-obfuscation, anti-analysis/sandbox checks, and injection tactics)".

Repository Maintenance:

  • MD Files Formatting: 897 files processed (1 file fixed)

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
