MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c2845a2e347287ccace4cd74db1543aa9cf65e8d0cd27ba30ed9d5c7423ac16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	1c2845a2e347287ccace4cd74db1543aa9cf65e8d0cd27ba30ed9d5c7423ac16
SHA3-384 hash:	2a55bc955fa09aa1d299418434d91ffafd9bc20aa6872b8a090a94d08451dec32e84e2066546ffc3749d0d5c7f970219
SHA1 hash:	f357bf96cdb6b2c235ae38edcd6d1c94c767644c
MD5 hash:	3939251fe61c08f02cbd990ad6e6f10d
humanhash:	cat-august-johnny-washington
File name:	user1.exe
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	298'496 bytes
First seen:	2023-01-17 08:44:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	313b5488504facfdc3bb8c36b24207c2 (2 x Rhadamanthys)
ssdeep	6144:ceFHHVLRtN0NwjUtDTfYuPZN9t/P+BnaRY3JVHXx4JAPSAgcE:ceFpN0NuE1h+BnSYb6JAPSYE
Threatray	4'212 similar samples on MalwareBazaar
TLSH	T1F5540104B9E2F4B2E57719381B7087918E6EB8244F605DAB27D05ABE0F301D1DA35F6B
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	r3dbU7z
Tags:	exe Rhadamanthys

Intelligence

File Origin

# of uploads :

# of downloads :

258

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-01-16 17:19:26 UTC

Tags:

trojan opendir loader evasion stealer

Link:

https://app.any.run/tasks/ffd2b582-94de-4458-80d1-b91eb70aaed6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/353711/

Detection(s):

SecuriteInfo.com.Variant.Lazy.284075.20229.24919.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Launching a process

Сreating synchronization primitives

Sending an HTTP GET request

Creating a file in the %AppData% directory

Deleting a recently created file

Reading critical registry keys

Launching the default Windows debugger (dwwin.exe)

Forced system process termination

Stealing user critical data

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

6/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/60895/overview

Behaviour

MalwareBazaar

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware packed redline

Link:

https://www.filescan.io/uploads/63c66010afdaca54d438bb73/reports/97819f4e-36d8-4556-b770-cecbcf020e8e/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Khalesi

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/589b15a2-6b49-464b-9d52-d2f7c49b27a5

Result

Threat name:

RHADAMANTHYS

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1152907

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Contain functionality to detect virtual machines

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to detect virtual machines (IN, VMware)

Contains functionality to hide a thread from the debugger

Hides threads from debuggers

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Searches for specific processes (likely to inject)

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1c2845a2e347287ccace4cd74db1543aa9cf65e8d0cd27ba30ed9d5c7423ac16/

Threat name:

Win32.Spyware.Rhadamanthys

Status:

Malicious

First seen:

2023-01-17 08:45:09 UTC

File Type:

PE (Exe)

AV detection:

17 of 25 (68.00%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dquelixdi4uhzswojtlu3mkuhku46zpi2dgsporq5wovy5bdvqla._file

Verdict:

malicious

Rhadamanthys

45e86a4f5dc3afa62936f109963e5de85668907143af82f1db0ba1099ad60994

Rhadamanthys

612580febe9bad2c60ab8ad8564a38680cf415581c542e5e6109e680dc5e9d15

Rhadamanthys

7e09cf3d09ef89b5595c70637ce9173919a61e8fc5a5fcde253762db61bf90f5

Rhadamanthys

84fcfc88df2041347b749df08d82fdb951f0335567ac9e5f1828e84084542e1f

Rhadamanthys

d719df850d62a455d34bf2a5847b36e6d267047824b2e96b7c4c9cdfbd9737e3

Rhadamanthys

e143f8559400ebe184f37d69abfe68810f88adc934e67dd9bb79f2f4491927ef

Rhadamanthys

ef2dd208f149f8ae0741c2cf4fa5270e8d54c35e161f88aad9b109c679e211a2

Rhadamanthys

+ 4'202 additional samples on MalwareBazaar

Result

Malware family:

rhadamanthys

Score:

10/10

Tags:

family:rhadamanthys collection discovery spyware stealer

Link:

https://tria.ge/reports/230117-knqvashb51/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Blocklisted process makes network request

Detect rhadamanthys stealer shellcode

Rhadamanthys

Unpacked files

SH256 hash:

fa58346a09da815bbfb1f0926a0605785efd40ee5bb5c39b31c8fe13bf71f395

MD5 hash:

2b7c2d562da022a21d77c28e1c9c2dde

SHA1 hash:

64a73434a5644649b37935215ff8a9d0a87a4933

Link:

https://www.unpac.me/results/2a395ff8-e8d1-4baa-8813-b1de9b700a65/

SH256 hash:

1c2845a2e347287ccace4cd74db1543aa9cf65e8d0cd27ba30ed9d5c7423ac16

MD5 hash:

3939251fe61c08f02cbd990ad6e6f10d

SHA1 hash:

f357bf96cdb6b2c235ae38edcd6d1c94c767644c

Link:

https://www.unpac.me/results/2a395ff8-e8d1-4baa-8813-b1de9b700a65/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1c2845a2e347/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1c2845a2e347287ccace4cd74db1543aa9cf65e8d0cd27ba30ed9d5c7423ac16

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AppLaunch Create hunting rule
Author:	iam-py-test
Description:	Detect files referencing .Net AppLaunch.exe

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com