MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 23af16d3c63373e2e6789381782572f3b0d17fe7587f243a100c6123ea1e3020. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Rhadamanthys


Vendor detections: 13



SHA256 hash: 23af16d3c63373e2e6789381782572f3b0d17fe7587f243a100c6123ea1e3020
SHA3-384 hash: 5da99fec62d1ac9019ac9a2fd9c0b726bf3a31ed8d586516541856f59e6a4c90a78967328a93f0dfda34c614540ac256
SHA1 hash: 26b883eb1af62dcaf5c0d5c20ab0cd281309f04d
MD5 hash: 7f74098f87d5a070e59b03ca9b042fe8
humanhash: crazy-friend-saturn-robert
File name: SecuriteInfo.com.Variant.Barys.38877.15119.29362
Signature: Rhadamanthys
File size: 7'639'552 bytes
First seen: 2023-06-30 16:54:47 UTC
Last seen: 2023-06-30 17:48:11 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep: 196608:uJJwSGQtuwVvZnfEJuoblq82iYD4ehf31sD:xSTzo5q81ga
TLSH: T15376AD07B6D7BFB1C3481B3EC79716342B78D5C1B313D79A6A8A13EA09C37AA9944107
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
      6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
      2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: SecuriteInfoCom
Tags: exe Rhadamanthys

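The imphash above is shared with tens of thousands of AgentTesla, Formbook and SnakeKeylogger samples, and the TrID result explains why: the file is a .NET (CIL) executable, and a CLR executable's native import table contains only mscoree.dll!_CorExeMain, so every .NET EXE hashes to the same value whatever it does. The block below is an added example, not MalwareBazaar's code; it recomputes an imphash with the pefile-style algorithm (lower-case DLL name without .dll/.ocx/.sys, "dll.function" per import, comma-joined, MD5; ordinal-only imports as "ordN", without pefile's per-DLL ordinal lookup tables) from constructed import tables, checks whether the single .NET import reproduces the page's value, and applies a triage rule that refuses to treat a hash shared across unrelated families as a pivot. The import tables and the family counts are constructed from this page's text, not read from the sample.

```python
"""Recompute a PE import hash (imphash) and show why the value on this
page is not a useful pivot for a .NET sample.

Added example, not MalwareBazaar code. Follows the pefile definition of
imphash; the ordinal lookup tables pefile consults are omitted here.
"""
import hashlib

# Value listed on this page for the Rhadamanthys sample.
PAGE_IMPHASH = "f34d5f2d4577ed6d9ceec516c1f5a744"

# Constructed import tables. A CLR executable's only native import is
# mscoree.dll!_CorExeMain, so every .NET EXE shares this table.
DOTNET_EXE_IMPORTS = [("mscoree.dll", ["_CorExeMain"])]
DOTNET_EXE_IMPORTS_ALT_CASE = [("MSCOREE.DLL", ["_CorExeMain"])]

# A constructed native injector import table (illustrative names only,
# not taken from the sample on this page).
NATIVE_INJECTOR_IMPORTS = [
    ("KERNEL32.dll", ["CreateProcessW", "WriteProcessMemory",
                      "SetThreadContext", "ResumeThread"]),
    ("ntdll.dll", ["NtUnmapViewOfSection", 7]),   # 7: an ordinal-only import
]


def imphash(imports):
    """imports: list of (dll_name, [function_name | ordinal_int, ...])."""
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        for func in funcs:
            name = f"ord{func}" if isinstance(func, int) else func.lower()
            parts.append(f"{lib}.{name}")
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


def is_generic_dotnet_imphash(value):
    """True when `value` is the imphash every .NET EXE produces."""
    return value == imphash(DOTNET_EXE_IMPORTS)


def pivot_is_useful(value, family_counts, max_families=1):
    """Crude triage rule: the generic .NET imphash, or a hash already
    attributed to several unrelated families, is not a pivot.
    family_counts: {family: sample_count}, as printed next to the hash."""
    if is_generic_dotnet_imphash(value):
        return False
    return len(family_counts) <= max_families


if __name__ == "__main__":
    page_counts = {"AgentTesla": 48748, "Formbook": 19642, "SnakeKeylogger": 12245}
    print("dotnet exe imphash :", imphash(DOTNET_EXE_IMPORTS))
    print("matches page value :", is_generic_dotnet_imphash(PAGE_IMPHASH))
    print("native injector    :", imphash(NATIVE_INJECTOR_IMPORTS))
    print("useful pivot?      :", pivot_is_useful(PAGE_IMPHASH, page_counts))
```

For .NET samples the hashes worth pivoting on are the ones computed over the managed metadata (for example TypeRef/MemberRef-based hashes) or the ssdeep/TLSH values also listed above; the imphash only tells you "this is a CLR executable".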
Intelligence

File Origin
# of uploads: 2
# of downloads: 107
Origin country: FR

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: SecuriteInfo.com.Variant.Barys.38877.15119.29362
Verdict: Malicious activity
Analysis date: 2023-06-30 16:56:33 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Behaviour
Searching for the window
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Creating synchronization primitives
Using the Windows Management Instrumentation requests
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS

Result
Threat name: RHADAMANTHYS
Detection: malicious
Classification: troj.evad
Score: 80 / 100
Signature
Injects a PE file into a foreign process
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected RHADAMANTHYS Stealer

Threat name: ByteCode-MSIL.Trojan.Barys
Status: Malicious
First seen: 2023-06-28 22:59:28 UTC
File Type: PE (.Net Exe)
Extracted files: 5
AV detection: 14 of 37 (37.84%)
Threat level: 5/5
Verdict: malicious
Result
Malware family: n/a
Score: 10/10
Tags: collection
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Suspicious use of NtCreateUserProcessOtherParentProcess
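The vendor behaviour lines above (WriteProcessMemory, SetThreadContext, a child process created under an unexpected parent, "Injects a PE file into a foreign process") describe one technique seen from several angles: a process-hollowing style injection, where the loader creates a process suspended, overwrites its memory, redirects the primary thread and resumes it. The block below is an added example, not MalwareBazaar's or any sandbox vendor's code; it turns those individual signals into one finding by correlating an API-call trace per (caller, child) pair. The trace format (one call per line, "seq caller_pid api key=value ...") and the events in it are constructed for this example, as is the list of which calls count as steps of the sequence.

```python
"""Correlate sandbox API calls into a single process-hollowing finding.

Added example, not MalwareBazaar or sandbox-vendor code. The trace
format and the sample events are constructed for this illustration.
"""
from collections import defaultdict

# Constructed trace. pid 1000 hollows pid 2000; pid 3000 is a benign
# parent that starts a child normally and only reads its memory.
SAMPLE_TRACE = """\
1 1000 CreateProcessW image=C:\\Windows\\System32\\svchost.exe flags=CREATE_SUSPENDED child=2000
2 1000 NtUnmapViewOfSection target=2000
3 1000 VirtualAllocEx target=2000 size=0x14000 protect=PAGE_EXECUTE_READWRITE
4 1000 WriteProcessMemory target=2000 size=0x14000
5 1000 SetThreadContext target=2000
6 1000 ResumeThread target=2000
7 3000 CreateProcessW image=C:\\Windows\\System32\\notepad.exe flags=0 child=4000
8 3000 ReadProcessMemory target=4000 size=0x100
"""

# The three calls that must all appear against a suspended child.
HOLLOW_STEPS = ("WriteProcessMemory", "SetThreadContext", "ResumeThread")
# Supporting calls that strengthen a finding but are not required.
SUPPORTING = ("NtUnmapViewOfSection", "VirtualAllocEx")
CREATE_APIS = ("CreateProcessW", "CreateProcessA", "NtCreateUserProcess")


def parse_trace(text):
    """Parse 'seq caller_pid api key=value ...' lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        seq, pid, api, *kv = line.split()
        args = dict(item.split("=", 1) for item in kv)
        events.append({"seq": int(seq), "pid": int(pid), "api": api, "args": args})
    return events


def detect_hollowing(events):
    """Return one finding per (caller, child) that completes the sequence.

    Only children created with CREATE_SUSPENDED are tracked; writes into
    an already-running process need a separate rule.
    """
    state = defaultdict(set)      # (caller, child) -> steps seen so far
    extra = defaultdict(list)     # (caller, child) -> supporting calls seen
    findings = []
    for ev in events:
        pid, api, args = ev["pid"], ev["api"], ev["args"]
        if api in CREATE_APIS:
            if "CREATE_SUSPENDED" in args.get("flags", ""):
                state[(pid, int(args["child"]))].add("suspended")
            continue
        target = args.get("target")
        if target is None:
            continue
        key = (pid, int(target))
        if "suspended" not in state[key]:
            continue                      # not a child we created suspended
        if api in SUPPORTING:
            extra[key].append(api)
        elif api in HOLLOW_STEPS:
            state[key].add(api)
            if all(step in state[key] for step in HOLLOW_STEPS):
                findings.append({
                    "caller": pid, "child": key[1], "seq": ev["seq"],
                    "supporting": list(extra[key]),
                })
                state[key].clear()        # report once per child
    return findings


if __name__ == "__main__":
    for finding in detect_hollowing(parse_trace(SAMPLE_TRACE)):
        print(finding)
```

The CREATE_SUSPENDED requirement is the one false-positive guard in this rule: debuggers and some installers write into child processes, but creating a process suspended, replacing its memory and then resuming it is rarely legitimate. A suspended child is also the point at which a memory dump is most valuable, which is what the "Unpacked files" section below reflects.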
Unpacked files
SHA256 hash: 942fa92c3747801832ecaf2333095a8a54b8b642b0c060de2512d129341def80
MD5 hash: 26c91fdcc1035e19a15a959cb90f0830
SHA1 hash: 1f9fb17548ef90117150e0b33f25790c60353271
Detections: win_brute_ratel_c4_w0

SHA256 hash: 6fe7dcbd7fd4a32d308a99bba8bfd6568e74970128f21fec568486cf0979d7b9
MD5 hash: 9b4075635a322a7eb73f6ef2797f880f
SHA1 hash: d984cdc4b8b6815227e60e0ed4ee00ad8081b2e8

SHA256 hash: f476001233af66255144e855fb381f75f7a5683f60ff2abc762abdc97e5aadf2
MD5 hash: 46260d590d84f95be29e059dfdff9a62
SHA1 hash: a17fa5be17e9d915aff3639c7a9cb28c4d064b5a

SHA256 hash: a956e1268677524b92981e17d099c440d8488ab5eab171bed4cc0d5c500c8bd5
MD5 hash: 3d79d1c83d793f0d0835d50dcd2af553
SHA1 hash: 9604b49b65d22d70ed20bbbb6623b6dd405f1a43

SHA256 hash: 23af16d3c63373e2e6789381782572f3b0d17fe7587f243a100c6123ea1e3020
MD5 hash: 7f74098f87d5a070e59b03ca9b042fe8
SHA1 hash: 26b883eb1af62dcaf5c0d5c20ab0cd281309f04d
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
