MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 15c7ce1bc55549efc86dea74a90f42fb4665fe15b14f760037897c772159a5b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 15c7ce1bc55549efc86dea74a90f42fb4665fe15b14f760037897c772159a5b5
SHA3-384 hash: 3c83ce86e937c86e05bfe09ce0335f53e426af0267dfbbe4371e96b91c6e11e67a44e93d371cdda7029bba2d8bd35dac
SHA1 hash: 0c7eb15acdeeb472c94f38a879548d01ca68db1b
MD5 hash: b4a982f6ca165f0d91bde7dd17239ebc
humanhash: delaware-ceiling-equal-texas
File name:file
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:801'137 bytes
First seen:2024-01-01 10:37:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e752126f7ead8b7c9b1a7360355346dc (4 x RedLineStealer, 1 x Rhadamanthys)
ssdeep 24576:l76Fbh+BdZHyuXfW5+YgGHvMurli2U9L80V:l76FbhIdkuXfW5+PKvMupilu0V
Threatray 22 similar samples on MalwareBazaar
TLSH T17E059D5122538DB5F127D533B07F62108FCDA92D4A854BE793CD887AE3A2581C41FFAA
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter andretavare5
Tags:exe Rhadamanthys


Avatar
andretavare5
Sample downloaded from http://45.15.156.2/Nice Defender.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
463
Origin country :
US US
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Searching for synchronization primitives
Using the Windows Management Instrumentation requests
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Creating a window
Unauthorized injection to a system process
Verdict:
No Threat
Threat level:
  2.5/10
Confidence:
100%
Tags:
control lolbin
Link:
https://www.filescan.io/uploads/6592960a7d4bdb7f8b026905/reports/f0462940-afbd-46d0-b0ef-1d88dce9cd52/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/15c7ce1bc55549efc86dea74a90f42fb4665fe15b14f760037897c772159a5b5
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/2a16f9ed-26c2-4da5-a61e-e19f9103349d
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1368494
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1368494 Sample: file.exe Startdate: 01/01/2024 Architecture: WINDOWS Score: 100 32 Snort IDS alert for network traffic 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 Yara detected RHADAMANTHYS Stealer 2->36 38 3 other signatures 2->38 9 file.exe 1 1 2->9         started        process3 process4 11 dialer.exe 9->11         started        14 conhost.exe 9->14         started        16 WerFault.exe 2 9->16         started        18 WerFault.exe 2 9->18         started        dnsIp5 30 91.92.240.171, 2469, 49704, 49706 THEZONEBG Bulgaria 11->30 20 OpenWith.exe 11->20         started        process6 signatures7 40 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->40 42 Tries to steal Mail credentials (via file / registry access) 20->42 44 Found many strings related to Crypto-Wallets (likely being stolen) 20->44 46 2 other signatures 20->46 23 wmprph.exe 20->23         started        26 AppLaunch.exe 1 20->26         started        process8 signatures9 48 Writes to foreign memory regions 23->48 50 Allocates memory in foreign processes 23->50 28 dllhost.exe 23->28         started        process10
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/15c7ce1bc55549efc86dea74a90f42fb4665fe15b14f760037897c772159a5b5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/15c7ce1bc55549efc86dea74a90f42fb4665fe15b14f760037897c772159a5b5/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-01-01 10:38:08 UTC
File Type:
PE (Exe)
AV detection:
14 of 22 (63.64%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cxd44g6fkve67sdn5j2ksd2c7ndgl7qvwfhxmabxrf6hoikzuw2q._file
Verdict:
malicious
Similar samples:
036015d189a2a302d58bc811129a0375f2fe226e18e117e21db8dbe0717f14d0
Rhadamanthys
03c72cfabace07b6787d2d1fd66d6d6d9a2fbcb74a827ca4ab7e59aba40cb306
Rhadamanthys
180914e4a9ced0e96dcdfe47be875a796d853ac1216108c97428839d257e55f5
Rhadamanthys
189051c29319fac6a96fefc8158f9d27d61a55b668f3c8e3610a48617649518f
Rhadamanthys
3a8a3be6bfb60b2b9b2d02cc6ddf57e2ff0cb001b764df199026adc4e287ec4a
Rhadamanthys
479dbe11c5211b7cf1c1e4ad4e66ed22ac6fe4750fb31892b32d9f05c42d40ef
Rhadamanthys
5c946bc51595505a29eb5d16ed410aef05c8b09a1b7ddc8a261835ad2b935a77
Rhadamanthys
878e881cb00de3297651a06f1d2054c88183e9f8010c1c30f5eeb92d7154e816
Rhadamanthys
8fdeb093bec0bc7dc01ef7f0aa61476deaaddbf42a8da2d711e21693fc3ecbd6
Rhadamanthys
b0c34116121eb910abfa1b9a462b70bab59faa0800c779496fbb528f0b183b7c
Rhadamanthys
+ 12 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys stealer
Link:
https://tria.ge/reports/240101-mpdbpsbgc9/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Deletes itself
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
01b9623d18e6bcec2397154c79e0e3b14d808e97f1759b5a14ae654822134edc
MD5 hash:
eab0a54caa1b903d86b2a29f6ccee0f5
SHA1 hash:
1b007c5cb1d4efa3f82cad924749e74e5837bdb0
Link:
https://www.unpac.me/results/689c3b6f-b243-47e4-ae87-28dbb6a9fc15/
SH256 hash:
15c7ce1bc55549efc86dea74a90f42fb4665fe15b14f760037897c772159a5b5
MD5 hash:
b4a982f6ca165f0d91bde7dd17239ebc
SHA1 hash:
0c7eb15acdeeb472c94f38a879548d01ca68db1b
Link:
https://www.unpac.me/results/689c3b6f-b243-47e4-ae87-28dbb6a9fc15/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/15c7ce1bc555/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/15c7ce1bc55549efc86dea74a90f42fb4665fe15b14f760037897c772159a5b5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by

Comments