MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1c7476c33f0d56e970dbfad87da96739d74bbd1928c4a044715ea75f61e72192. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1c7476c33f0d56e970dbfad87da96739d74bbd1928c4a044715ea75f61e72192
SHA3-384 hash: 38fdd27f4cc1e6654794148cd17df05a8468992e839297ff5e399c97a424b97b01a72b654de589d88d490a975e793b14
SHA1 hash: afebe09ea1516f1378b6254ee6bc927501e24c96
MD5 hash: a69e28c995425fb3d3723b45c18ac227
humanhash: friend-alaska-december-twelve
File name:setup.lnk
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:1'108 bytes
First seen:2024-02-20 22:44:12 UTC
Last seen:Never
File type:Shortcut (lnk) lnk
MIME type:application/octet-stream
ssdeep 24:8faQjmPBR1vm4pyAcPkV4+/4z+nQ6iniMsMKahavtttGrlcKOdm:8fawmpR9mup81JiMsBtvilMd
TLSH T1B41110151BD60B31D7B78D391825B722AA39BC09ED23EF1EC1B0515C4815500E431F2A
Reporter rmceoin
Tags:lnk Rhadamanthys


Avatar
rmceoin
91.92.251.35/Downloads/setup.lnk

Intelligence

File Origin
# of uploads :
1
# of downloads :
208
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
TwinWave.EvilLNK.LOLBinOddLook.20220523.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.LOLBinForFilesHeartBeat.20220523.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.LOLBinOddLookPSHELL.20220711.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.OddLook.202207213.UNOFFICIAL
Create hunting rule

TwinWave.EvilLNK.OtherPosition.02122024.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malicious
File Type:
LNK File - Malicious
Link:
https://app.docguard.net/1c7476c33f0d56e970dbfad87da96739d74bbd1928c4a044715ea75f61e72192/results/dashboard
Payload URLs
URL
File name
http://whitemansearch.shop/setup
LNK File
Behaviour
BlacklistAPI detected
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
forfiles lolbin lolbin masquerade mshta shell32
Link:
https://www.filescan.io/uploads/65d52b6f07d709033aeb02cf/reports/c1c0a21e-642a-4708-9c81-06a459e76513/overview
Verdict:
Malicious
Labled as:
Trojan.WinLNK.Agent
Link:
https://www.hybrid-analysis.com/sample/1c7476c33f0d56e970dbfad87da96739d74bbd1928c4a044715ea75f61e72192
Result
Verdict:
MALICIOUS
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1395713
Signature
Antivirus detection for URL or domain
Contains functionality to register a low level keyboard hook
Drops PE files with a suspicious file extension
Found suspicious powershell code related to unpacking or dynamic code loading
Found URL in windows shortcut file (LNK)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Powershell drops PE file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Windows shortcut file (LNK) contains suspicious command line arguments
Windows shortcut file (LNK) starts blacklisted processes
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1395713 Sample: setup.lnk Startdate: 20/02/2024 Architecture: WINDOWS Score: 100 76 whitemansearch.shop 2->76 92 Malicious sample detected (through community Yara rule) 2->92 94 Antivirus detection for URL or domain 2->94 96 Windows shortcut file (LNK) starts blacklisted processes 2->96 98 8 other signatures 2->98 14 forfiles.exe 1 2->14         started        17 svchost.exe 1 2->17         started        signatures3 process4 dnsIp5 120 Windows shortcut file (LNK) starts blacklisted processes 14->120 20 powershell.exe 7 14->20         started        23 conhost.exe 1 14->23         started        74 127.0.0.1 unknown unknown 17->74 signatures6 process7 signatures8 100 Found suspicious powershell code related to unpacking or dynamic code loading 20->100 102 Powershell drops PE file 20->102 25 mshta.exe 17 20->25         started        process9 dnsIp10 84 whitemansearch.shop 5.101.153.86, 49705, 49719, 80 BEGET-ASRU Russian Federation 25->84 114 Windows shortcut file (LNK) starts blacklisted processes 25->114 116 Suspicious powershell command line found 25->116 29 powershell.exe 20 25->29         started        signatures11 process12 signatures13 118 Windows shortcut file (LNK) starts blacklisted processes 29->118 32 powershell.exe 14 48 29->32         started        35 conhost.exe 29->35         started        process14 file15 66 C:\Users\user\AppData\...\ClassroomEc.exe, PE32 32->66 dropped 37 ClassroomEc.exe 11 32->37         started        41 chrome.exe 8 32->41         started        44 WmiPrvSE.exe 32->44         started        process16 dnsIp17 68 C:\Users\user\AppData\Local\...\Producing, PE32 37->68 dropped 104 Windows shortcut file (LNK) starts blacklisted processes 37->104 106 Multi AV Scanner detection for dropped file 37->106 108 Contains functionality to register a low level keyboard hook 37->108 46 cmd.exe 1 37->46         started        49 conhost.exe 37->49         started        86 192.168.2.13 unknown unknown 41->86 88 192.168.2.15 unknown unknown 41->88 90 4 other IPs or domains 41->90 51 chrome.exe 41->51         started        file18 signatures19 process20 dnsIp21 122 Windows shortcut file (LNK) starts blacklisted processes 46->122 124 Uses ping.exe to sleep 46->124 126 Drops PE files with a suspicious file extension 46->126 128 Uses ping.exe to check the status of other devices and networks 46->128 54 Identification.pif 46->54         started        58 cmd.exe 46->58         started        60 conhost.exe 46->60         started        62 7 other processes 46->62 78 accounts.google.com 142.250.31.84, 443, 49714 GOOGLEUS United States 51->78 80 142.250.72.110 GOOGLEUS United States 51->80 82 6 other IPs or domains 51->82 signatures22 process23 file24 70 C:\Users\user\AppData\Local\...70euraLink.pif, PE32 54->70 dropped 110 Windows shortcut file (LNK) starts blacklisted processes 54->110 112 Drops PE files with a suspicious file extension 54->112 64 cmd.exe 54->64         started        72 C:\Users\user\AppData\...\Identification.pif, PE32 58->72 dropped signatures25 process26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1c7476c33f0d56e970dbfad87da96739d74bbd1928c4a044715ea75f61e72192/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dr2hnqz7bvlos4g37lmh3klhhhluxpizfdckardrl2tv6yphegja._file
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys evasion stealer trojan
Link:
https://tria.ge/reports/240220-2pdd2age45/
Behaviour
Enumerates processes with tasklist
Enumerates system info in registry
Modifies Internet Explorer settings
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Checks computer location settings
Drops startup file
Executes dropped EXE
Blocklisted process makes network request
Downloads MZ/PE file
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
UAC bypass
Malware Config
Dropper Extraction:
http://whitemansearch.shop/setup
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1c7476c33f0d56e970dbfad87da96739d74bbd1928c4a044715ea75f61e72192

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Download_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies download artefacts in shortcut (LNK) files.
Rule name:EXE_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies executable artefacts in shortcut (LNK) files.
Rule name:Long_RelativePath_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies shortcut (LNK) file with a long relative path. Might be used in an attempt to hide the path.
Rule name:PS_in_LNK
Create hunting rule
Author:@bartblaze
Description:Identifies PowerShell artefacts in shortcut (LNK) files.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Rhadamanthys

Shortcut (lnk) lnk 1c7476c33f0d56e970dbfad87da96739d74bbd1928c4a044715ea75f61e72192

(this sample)

Rhadamanthys

Executable exe bdf72e1c0964b7a7b96651b278b6f8d4b42849c01ff2aa6c6844b5ac2a893f3b

Rhadamanthys

HTML Application (hta) hta 79ae52b1bbf60846666893fa94f3a07252156d6ee385fc3bd8aab3370eea1ca7

  
Dropping
SHA256 79ae52b1bbf60846666893fa94f3a07252156d6ee385fc3bd8aab3370eea1ca7

Comments