MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1965c93b0ffdb18abb184528e4f9b90a43586cfa8c08a7f5f5bcd8ad8f90a302. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1965c93b0ffdb18abb184528e4f9b90a43586cfa8c08a7f5f5bcd8ad8f90a302
SHA3-384 hash: 8487b14eb290a0f56a1914b453eece4b9c5c9e9105bf02098e133498c7eab504d616cc57bf8e3b7f85094f65390ebc3b
SHA1 hash: 58e4466d4db0e9dbeeba589e785c095da4be28b7
MD5 hash: e4d9fac46b74d05a7110d922393c53b5
humanhash: five-hydrogen-hawaii-mango
File name:Xteam30.hta
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:23'137 bytes
First seen:2024-11-01 19:46:49 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 384:AewZKDUSPiVrmsDe8OCuCLfiOEUgPge2uwb7Gw7D+fFU0:fwuKNACtfiOEUgPge2uwb7GoD+e0
TLSH T199A2683A2B1D26A12D40CBB2CC8B11B4F026E53F356E3C72940236E9D8F49DE5EBD516
Magika vba
Reporter abuse_ch
Tags:hta Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
DE DE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.DownLoader47.43338.27843.13886.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6725303f49e92a05dde24c67
Tags:
powershell gumen
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/1965c93b0ffdb18abb184528e4f9b90a43586cfa8c08a7f5f5bcd8ad8f90a302/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/67253041d71e009bb1f88ab1/reports/fb60495a-c35f-4530-846a-881b7b8efa97/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/1965c93b0ffdb18abb184528e4f9b90a43586cfa8c08a7f5f5bcd8ad8f90a302
Result
Verdict:
SUSPICIOUS
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1547079
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Drops large PE files
Found malware configuration
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Suspicious MSHTA Child Process
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1547079 Sample: Xteam30.hta Startdate: 01/11/2024 Architecture: WINDOWS Score: 100 44 windowsupdatebg.s.llnwi.net 2->44 46 tp2.5ee.mytemp.website 2->46 48 3 other IPs or domains 2->48 56 Suricata IDS alerts for network traffic 2->56 58 Found malware configuration 2->58 60 Malicious sample detected (through community Yara rule) 2->60 62 7 other signatures 2->62 10 mshta.exe 1 2->10         started        13 svchost.exe 1 1 2->13         started        signatures3 process4 dnsIp5 72 Suspicious powershell command line found 10->72 16 powershell.exe 19 18 10->16         started        50 127.0.0.1 unknown unknown 13->50 signatures6 process7 dnsIp8 40 tp2.5ee.mytemp.website 118.139.176.218, 443, 49701, 49703 AS-26496-GO-DADDY-COM-LLCUS Singapore 16->40 36 C:\Users\user\AppData\Roaming\Xteam30.exe, PE32 16->36 dropped 54 Powershell drops PE file 16->54 21 Xteam30.exe 1 2 16->21         started        25 WINWORD.EXE 143 468 16->25         started        27 conhost.exe 16->27         started        file9 signatures10 process11 file12 38 C:\Users\user\Music\...behaviorgraphifCamOculus.exe, PE32 21->38 dropped 64 Multi AV Scanner detection for dropped file 21->64 66 Writes to foreign memory regions 21->66 68 Allocates memory in foreign processes 21->68 70 2 other signatures 21->70 29 csc.exe 1 1 21->29         started        signatures13 process14 signatures15 74 Switches to a custom stack to bypass stack traces 29->74 32 OpenWith.exe 29->32         started        process16 dnsIp17 42 51.75.171.9, 50018, 5151 OVHFR France 32->42 52 Switches to a custom stack to bypass stack traces 32->52 signatures18
Score:
91%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/1965c93b0ffdb18abb184528e4f9b90a43586cfa8c08a7f5f5bcd8ad8f90a302
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1965c93b0ffdb18abb184528e4f9b90a43586cfa8c08a7f5f5bcd8ad8f90a302/
Threat name:
Script-WScript.Trojan.Valyria
Create hunting rule
Status:
Malicious
First seen:
2024-10-04 00:21:03 UTC
File Type:
Text (VBS)
AV detection:
14 of 38 (36.84%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dfs4soyp7wyyvoyyiuuoj6nzbjbvq3h2rqekp5pvxtmk3d4qumba._file
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys discovery execution persistence stealer
Link:
https://tria.ge/reports/241101-yrywzasqds/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Executes dropped EXE
Blocklisted process makes network request
Rhadamanthys
Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
https://51.75.171.9:5151/9640d96bbead45f349f3ab9/Xteam30.api
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1965c93b0ffd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/1965c93b0ffdb18abb184528e4f9b90a43586cfa8c08a7f5f5bcd8ad8f90a302

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

HTML Application (hta) hta 1965c93b0ffdb18abb184528e4f9b90a43586cfa8c08a7f5f5bcd8ad8f90a302

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3270114/
  
Delivery method
Distributed via web download

Comments