MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ca15ac24cd26ecd4afb42b4c8802bcfc1eb06088ae0d3503fbc732f80429531. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 14

SHA256 hash: 0ca15ac24cd26ecd4afb42b4c8802bcfc1eb06088ae0d3503fbc732f80429531
SHA3-384 hash: ce839d490fb2f9f8de51c33de7c5f81bc52bc2b7ccb34539a73cbbc0870a24eb7108a1156e8a1de0bf384d2bf56b4178
SHA1 hash: e42a9f9f74db70f8a2895c8b39e2d358ccb62482
MD5 hash: 75a34d3bc5d01c45db6e3116c7d1fc80
humanhash: arizona-venus-sodium-river
File name: file
Signature: Rhadamanthys
File size: 458'240 bytes
First seen: 2023-06-15 19:57:57 UTC
Last seen: 2023-06-15 20:35:48 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 99ae33530ebff97e88a1ac2c3129a9f7 (2 x RedLineStealer, 2 x Rhadamanthys, 2 x Stop)
ssdeep 12288:lLevbifhWuhXqzWUcY3SwAbbFiEjOryPKCtjs:lQot6zWUHSL5iEjiyCCe
Threatray 672 similar samples on MalwareBazaar
TLSH T168A4F112EDE0AC72D16ACB718D6EC5E43B5DFD918F24279722186F1F0A702A1C5B6336
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon 0060626262626020 (1 x Rhadamanthys)
Reporter andretavare5
Tags: exe Rhadamanthys


andretavare5
Sample downloaded from http://77.105.146.74/cc.exe

Intelligence


File Origin
# of uploads :
2
# of downloads :
346
Origin country :
US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-06-15 20:01:01 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Using the Windows Management Instrumentation requests
Launching a process
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a system process
Sending a TCP request to an infection source
Result
Malware family:
n/a
Score:
8/10
Tags:
n/a
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
greyware packed
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Verdict:
Malicious
Result
Threat name:
RHADAMANTHYS
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected RHADAMANTHYS Stealer
Behaviour
Threat name:
Win32.Trojan.Privateloader
Status:
Malicious
First seen:
2023-06-15 19:58:05 UTC
File Type:
PE (Exe)
Extracted files:
36
AV detection:
15 of 23 (65.22%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
10/10
Tags:
collection
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Accesses Microsoft Outlook profiles
Deletes itself
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SHA256 hash:
a13376875d3b492eb818c5629afd3f97883be2a5154fa861e7879d5f770e21d4
MD5 hash:
d0c1a1ed8609b87ba25b771e8144b90c
SHA1 hash:
0da8c2b9e109d97a574f0614550dc2311c331f85
Detections:
win_brute_ratel_c4_w0
Parent samples :
SHA256 hash:
0ca15ac24cd26ecd4afb42b4c8802bcfc1eb06088ae0d3503fbc732f80429531
MD5 hash:
75a34d3bc5d01c45db6e3116c7d1fc80
SHA1 hash:
e42a9f9f74db70f8a2895c8b39e2d358ccb62482
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Note that only results from TLP:CLEAR rules are displayed.

Rule name:BruteSyscallHashes
Author:Embee_Research @ Huntress
Rule name:Windows_Trojan_Smokeloader_3687686f
Author:Elastic Security
Rule name:win_brute_ratel_c4_w0
Author:Embee_Research @ Huntress
Rule name:win_Brute_Syscall_Hashes
Author:Embee_Research @ Huntress
Description:Detection of Brute Ratel Badger via api hashes of Nt* functions.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by
PrivateLoader

Delivery method
Distributed via drive-by

Comments