MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1cc809c0a1705cb72a2d8547a063214356e8ee155be147f56b389a29cb6fce16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 13


Intelligence 13 IOCs YARA 10 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1cc809c0a1705cb72a2d8547a063214356e8ee155be147f56b389a29cb6fce16
SHA3-384 hash: 2365656016101c78ad189f5f964bca7ce18dd3ea54cab9beac54255a291db02a543a057acbfbc9d527e88722f06249ab
SHA1 hash: afce363ab3aaea1fc7ebc8c73d5afbac8044e648
MD5 hash: dcb295f480348248ee1ef163a5ba4df3
humanhash: coffee-indigo-fourteen-nineteen
File name:SecuriteInfo.com.Win32.PWSX-gen.19998.16259
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:15'381'216 bytes
First seen:2024-09-05 07:41:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 587d4518a31dfd413a534927e3d7e408 (1 x Rhadamanthys)
ssdeep 393216:DNApEby+tp5ZVHHBOwlmK1kIF1mrniABfmkzPn8:DNApsVB9VF3eekz/8
Threatray 1 similar samples on MalwareBazaar
TLSH T18AF633F8B662513AE903A9B3ABD7786DD240ECE12F4943DB024EDE146EB1CDD59709C0
TrID 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
24.6% (.EXE) Win64 Executable (generic) (10523/12/4)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon e496464e398b8ee8 (5 x Stealc, 3 x Rhadamanthys, 3 x DanaBot)
Reporter SecuriteInfoCom
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
381
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1cc809c0a1705cb72a2d8547a063214356e8ee155be147f56b389a29cb6fce16
Verdict:
No threats detected
Analysis date:
2024-09-05 05:56:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f1c6e76d-52d1-4367-adf6-2706ef875e1e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.19998.16259.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66d960cf8e12b8124ac948ad
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Searching for the window
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm epmicrosoft_visual_cc fingerprint microsoft_visual_cc overlay packed
Link:
https://www.filescan.io/uploads/66d960cb88ccac59907c72c0/reports/09522ef1-adbe-4662-82c4-ed1f845e15ea/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/1cc809c0a1705cb72a2d8547a063214356e8ee155be147f56b389a29cb6fce16
Result
Verdict:
UNKNOWN
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/de13d7a4-aca1-4391-b4f5-c9acdddcc6ae
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1504669
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1504669 Sample: SecuriteInfo.com.Win32.PWSX... Startdate: 05/09/2024 Architecture: WINDOWS Score: 100 32 Suricata IDS alerts for network traffic 2->32 34 Found malware configuration 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 4 other signatures 2->38 9 SecuriteInfo.com.Win32.PWSX-gen.19998.16259.exe 2->9         started        process3 signatures4 48 Contains functionality to inject code into remote processes 9->48 50 Writes to foreign memory regions 9->50 52 Allocates memory in foreign processes 9->52 54 Injects a PE file into a foreign processes 9->54 12 MSBuild.exe 1 9->12         started        process5 signatures6 56 Switches to a custom stack to bypass stack traces 12->56 15 OpenWith.exe 12->15         started        19 WerFault.exe 2 12->19         started        21 WerFault.exe 2 12->21         started        process7 dnsIp8 28 109.120.135.9, 4427, 49717, 49719 INFOBOX-ASInfoboxruAutonomousSystemRU Russian Federation 15->28 30 Switches to a custom stack to bypass stack traces 15->30 23 OpenWith.exe 15->23         started        signatures9 process10 signatures11 40 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->40 42 Tries to steal Mail credentials (via file / registry access) 23->42 44 Found many strings related to Crypto-Wallets (likely being stolen) 23->44 46 2 other signatures 23->46 26 wmplayer.exe 23->26         started        process12
Score:
91%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/1cc809c0a1705cb72a2d8547a063214356e8ee155be147f56b389a29cb6fce16
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1cc809c0a1705cb72a2d8547a063214356e8ee155be147f56b389a29cb6fce16/
Threat name:
Win32.Trojan.Stealc
Create hunting rule
Status:
Malicious
First seen:
2024-09-05 05:57:00 UTC
File Type:
PE (Exe)
Extracted files:
401
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dteatqfbobolokrnqvd2ayzbinlor3qvlpqup5llhcncts3pzyla._file
Verdict:
malicious
Similar samples:
c1ad65f3412b70e4f5d5c1747cc45ae3d2f3eb86da88dff7ca530d1ddd76663d
Rhadamanthys
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys discovery stealer
Link:
https://tria.ge/reports/240905-jjnnpswhlc/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d42d5cae-6e6f-404f-aa68-7ecb6b6d6b7e
Unpacked files
SH256 hash:
daa62fbddd802e05381893bb1c3fe7a7b17efb20dc59259c2894095cc55d8513
MD5 hash:
8320f2695029204b7378d48df9f8c878
SHA1 hash:
34cbb8fef7543c26abe4cf6b432d9d6de42d836a
Link:
https://www.unpac.me/results/d0078ab7-9ffc-4e58-855f-fe5acdee0853/
SH256 hash:
1cc809c0a1705cb72a2d8547a063214356e8ee155be147f56b389a29cb6fce16
MD5 hash:
dcb295f480348248ee1ef163a5ba4df3
SHA1 hash:
afce363ab3aaea1fc7ebc8c73d5afbac8044e648
Link:
https://www.unpac.me/results/d0078ab7-9ffc-4e58-855f-fe5acdee0853/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1cc809c0a170/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1cc809c0a1705cb72a2d8547a063214356e8ee155be147f56b389a29cb6fce16

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_Malicious_VBScript_Base64
Create hunting rule
Author:daniyyell
Description:Detects malicious VBScript patterns, including Base64 decoding, file operations, and PowerShell.
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe 1cc809c0a1705cb72a2d8547a063214356e8ee155be147f56b389a29cb6fce16

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3157420/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CoInitializeSecurity
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::GetStartupInfoW

Comments


Avatar
Kasibe commented on 2024-09-05 08:31:33 UTC

Rhadamanthys