MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0130938796c7911601ade2602e770b07dad32051199372d93c7ed8bfd0e59659. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0130938796c7911601ade2602e770b07dad32051199372d93c7ed8bfd0e59659
SHA3-384 hash: ea78b05ed3d67b8f8dc6145b19561bb1a39bd995c458f8b3af73025681acbcecbf298ff6f7cb0edbc295d2786b4bf100
SHA1 hash: 39aad598cfe75a9d8770fef63b5c81db3acfa3b7
MD5 hash: dd10393642798db29a624785ead8ecec
humanhash: whiskey-lithium-happy-three
File name:dd10393642798db29a624785ead8ecec
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:204'800 bytes
First seen:2023-01-23 19:02:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 8ce2f6ebd6de22083d1cd29813b84025 (6 x Rhadamanthys)
ssdeep 6144:uC1Y5jpr0602TzhldWqIk6jKSxPMkksMoK:uC18jpg60OCHNMBxoK
Threatray 17'750 similar samples on MalwareBazaar
TLSH T10914F1797073C0B9DEE701765DA44BA65FF83D700364AB8B2E5CB4467EA02FD142A4B2
TrID 32.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
17.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
13.7% (.SCR) Windows screen saver (13097/50/3)
11.0% (.EXE) Win64 Executable (generic) (10523/12/4)
6.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter zbetcheckin
Tags:32 exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
183
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dd10393642798db29a624785ead8ecec
Verdict:
Suspicious activity
Analysis date:
2023-01-23 19:05:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a9831aa2-6e78-480c-8725-d027ed50d4c6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/356064/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Detecting VM
Sending an HTTP GET request
Creating a file in the %AppData% directory
Launching a process
Deleting a recently created file
Reading critical registry keys
Searching for the window
Stealing user critical data
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/62551/overview
Behaviour
MalwareBazaar
SystemUptime
CheckCmdLine
EvasionGetTickCount
Verdict:
No Threat
Threat level:
  2/10
Confidence:
67%
Tags:
greyware shell32.dll
Link:
https://www.filescan.io/uploads/63ced9e72b351a3d0ea7f817/reports/f84d98e8-c008-46f7-afbe-ab67f89c7d52/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Khalesi
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/831da468-4cbb-41cc-98ab-2d6b8ec34e11
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1157385
Signature
Checks if the current machine is a virtual machine (disk enumeration)
Hides threads from debuggers
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0130938796c7911601ade2602e770b07dad32051199372d93c7ed8bfd0e59659/
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aeyjhb4wy6irmann4jqc45yla7nngicrdgjxfwj4p3ml7uhfszmq._file
Verdict:
malicious
Similar samples:
289972785148bb95016c795c5eb977b863832f40c8be41cfeff6923bacd646d7
Rhadamanthys
45e86a4f5dc3afa62936f109963e5de85668907143af82f1db0ba1099ad60994
Rhadamanthys
50fcdf33b27a9bc36765e7b5a2650678f0f0ef15d6410054f89fb63605f849e5
Rhadamanthys
591efac1879c1ec4079d2435e256d6ac654031cb477a0ba9b141c84a6ea51eb1
Rhadamanthys
7e09cf3d09ef89b5595c70637ce9173919a61e8fc5a5fcde253762db61bf90f5
Rhadamanthys
9146cee3d387cb3d665885b95d885734541f281cbb2a4726b6a59df922a83ee7
Rhadamanthys
d3308f8b8905c046fa48a7a828b1047511709ad9c7d9b7d4e67ec94083e76c39
Rhadamanthys
+ 17'740 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys stealer
Link:
https://tria.ge/reports/230123-xqeahaeh26/
Behaviour
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of NtSetInformationThreadHideFromDebugger
Detect rhadamanthys stealer shellcode
Rhadamanthys
Unpacked files
SH256 hash:
0130938796c7911601ade2602e770b07dad32051199372d93c7ed8bfd0e59659
MD5 hash:
dd10393642798db29a624785ead8ecec
SHA1 hash:
39aad598cfe75a9d8770fef63b5c81db3acfa3b7
Link:
https://www.unpac.me/results/acf259e6-bd7c-4a46-b178-724e311e5a11/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/0130938796c7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.05
Link:
https://yomi.yoroi.company/submissions/0130938796c7911601ade2602e770b07dad32051199372d93c7ed8bfd0e59659

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe 0130938796c7911601ade2602e770b07dad32051199372d93c7ed8bfd0e59659

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2516451/
Cape
Cape
https://www.capesandbox.com/analysis/356064/

Comments


Avatar
zbet commented on 2023-01-23 19:02:23 UTC

url : hxxp://62.204.41.119/taha/love1.exe