MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1dd548bc944f83c4de45768fcc555c0cca6ec41998c1bc7b0de25e6b62c83983. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	1dd548bc944f83c4de45768fcc555c0cca6ec41998c1bc7b0de25e6b62c83983
SHA3-384 hash:	cf4a4a9204a751d49f575a179ba5265d5fbcd489c44d71d162a33cc263c48fe1c426f652175c0965f98ea5d8ddd09fad
SHA1 hash:	05162c86a9b7d233dfd6a554bbd5f4ee580ae1a5
MD5 hash:	7907fe8d4471135629701e65b374e698
humanhash:	nuts-papa-uniform-skylark
File name:	setup.exe
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	361'984 bytes
First seen:	2023-03-19 13:10:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d5555405ac36a198d312d7dfaf56a1ed (41 x RedLineStealer, 11 x Amadey, 11 x Rhadamanthys)
ssdeep	6144:3uvLWAp62edcs3LbhsJNHBl+3MylwWwWSjVkplYA5zL:3uvvU2ObNiHBc8yi9WUxQL
Threatray	294 similar samples on MalwareBazaar
TLSH	T161743C5393E13D58EA268F739E1EC2E8F75EF670DE49776632189A1B04B0272C163B50
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 16.0% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	a0a0a0c080a08808 (1 x Rhadamanthys)
Reporter	Chainskilabs
Tags:	exe Rhadamanthys

Intelligence

File Origin

# of uploads :

# of downloads :

217

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

setup.exe

Verdict:

Malicious activity

Analysis date:

2023-03-19 13:12:13 UTC

Tags:

rhadamanthys

Link:

https://app.any.run/tasks/8a490752-e51f-4a34-8641-c2d1209d9b23

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Rhadamanthys

Link:

https://www.capesandbox.com/analysis/375643/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Detecting VM

Launching a process

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/74083/overview

Behaviour

MalwareBazaar

CPUID_Instruction

MeasuringTime

SystemUptime

EvasionQueryPerformanceCounter

EvasionGetTickCount

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

babar greyware lockbit packed

Link:

https://www.filescan.io/uploads/641709e7da1bbe29caf90a92/reports/91d7130e-f847-4364-b60e-6965f401df71/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/1dd548bc944f83c4de45768fcc555c0cca6ec41998c1bc7b0de25e6b62c83983

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/a825b64a-e039-428a-859a-f60f45e25fdb

Result

Threat name:

RHADAMANTHYS

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1197067

Signature

C2 URLs / IPs found in malware configuration

Checks if the current machine is a virtual machine (disk enumeration)

Creates processes via WMI

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Early bird code injection technique detected

Found many strings related to Crypto-Wallets (likely being stolen)

Found potential ransomware demand text

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Queues an APC in another process (thread injection)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected AntiVM3

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1dd548bc944f83c4de45768fcc555c0cca6ec41998c1bc7b0de25e6b62c83983/

Threat name:

Win32.Spyware.Rhadamanthys

Status:

Suspicious

First seen:

2023-03-19 12:26:54 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 39 (56.41%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dxkurpeuj6b4jxsfo2h4yvk4btfg5raztda3y6yn4jpgwywihgbq._file

Verdict:

malicious

Rhadamanthys

1a3f1b82d83a7127ddc70816989aa82a6cac50d06895516e7435451f31284153

Rhadamanthys

2a47c2d84f330efa04265b34e7dc1fd149954c5f1110c6896414f313b7ce17a2

Rhadamanthys

47c2e67226dd11c86f067265c60710b05a2d22dff4e815841a1138755c5b3bf9

Rhadamanthys

4a032ce9dfb9bb82989ea0eb406deeae00778e3aef234b67a64ee713c7e7dba9

Rhadamanthys

64185e173d29c3c572c8ee4d0091aa8f500abf4c6083fd4a1596eb07420ed526

Rhadamanthys

9443a0d5ce8e1e34c5c830f49be863e6a1305b1fed46f882bcb03171414b1930

Rhadamanthys

afd1d0be379b7b5a8a46a28e68f81e388f6875410f955e8ca09dde8e228b8935

Rhadamanthys

b406d3562b067ed75aa83352f260f8499322d8bbe2fdb5e172da70e1d945a104

Rhadamanthys

b6bb34b65b43830ae0bcf3bbb87b309964924e7a8bee380652ee4e3c95a968ca

Rhadamanthys

+ 284 additional samples on MalwareBazaar

Result

Malware family:

rhadamanthys

Score:

10/10

Tags:

family:rhadamanthys evasion stealer

Link:

https://tria.ge/reports/230319-qex5xagd98/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Checks for VirtualBox DLLs, possible anti-VM trick

Checks system information in the registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks BIOS information in registry

Looks for VMWare Tools registry key

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Detect rhadamanthys stealer shellcode

Rhadamanthys

Unpacked files

SH256 hash:

8f587ff1d28f265508527a9bd1fa742426c4c6f994187bc7c78631e0f4488e1d

MD5 hash:

5b6cb2e6bc1c5e2d1a7f2b332ea87ffc

SHA1 hash:

269705a65f9c605048281a620c5c374988d2a7af

Link:

https://www.unpac.me/results/22f0af45-3a71-42ba-a3cb-8395730fbd14/

SH256 hash:

1dd548bc944f83c4de45768fcc555c0cca6ec41998c1bc7b0de25e6b62c83983

MD5 hash:

7907fe8d4471135629701e65b374e698

SHA1 hash:

05162c86a9b7d233dfd6a554bbd5f4ee580ae1a5

Link:

https://www.unpac.me/results/22f0af45-3a71-42ba-a3cb-8395730fbd14/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/1dd548bc944f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1dd548bc944f83c4de45768fcc555c0cca6ec41998c1bc7b0de25e6b62c83983

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.