MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 258ddd78655ac0587f64d7146e52549115b67465302c0cbd15a0cba746f05595. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhysida

Vendor detections: 16

SHA256 hash: 258ddd78655ac0587f64d7146e52549115b67465302c0cbd15a0cba746f05595
SHA3-384 hash: 65ee50741cd56fad53fd3fc077e9c35d96c9b3e5382da4ca59b1c6d1a0fa4f850a360ea8bb5154bdc40d5733c659c630
SHA1 hash: c1d41db1662289870d9b0172c53612b8a346a0e3
MD5 hash: 44c7d18633b5741db270a6bd378b6f3c
humanhash: oxygen-carolina-carbon-pip
File name: 258ddd78655ac0587f64d7146e52549115b67465302c0cbd15a0cba746f05595
Signature: Rhysida
File size: 428'032 bytes
First seen: 2024-10-02 09:31:01 UTC
Last seen: 2025-04-12 13:47:02 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 515a3064a47ad1391d1e2cc2ed69a98b (12 x Rhysida)
ssdeep: 6144:SOoLbiZZB2FpUJISUgJBJWR7UGRMFDLkSAGAR1LhT:cy9Z4R7iLBJAR1
Threatray: 3 similar samples on MalwareBazaar
TLSH: T171948D2BE7E350BDC127907487876673A571BC490230E96B13D4DAB06F629A07BEF721
TrID: 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      26.1% (.EXE) Win64 Executable (generic) (10523/12/4)
      12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
      5.1% (.ICL) Windows Icons Library (generic) (2059/9)
      5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: JAMESWT_WT
Tags: exe Rhysida

Intelligence


File Origin
# of uploads: 2
# of downloads: 209
Origin country: IT
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: fefb96c8-f9c9-497f-7db6-cc3b0ce05ca1.zip
Verdict: No threats detected
Analysis date: 2024-08-26 11:03:41 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: Powershell Ransomware Encoder Blic
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file
Replacing files
Changing a file
Modifies multiple files
Replacing executable files
Modifying an executable file
Creating a file in the %temp% directory
Moving a file to the %temp% directory
Creating a file in the %AppData% directory
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Creating a file in the mass storage device
Encrypting user's files
Enabling autorun by creating a file
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug cmd crypto expand filecoder lolbin mingw packed rhysida rundll32 tor
Result
Verdict: MALICIOUS
Details
Windows PE Executable: Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Rhysida
Detection: malicious
Classification: rans.evad
Score: 80 / 100
Signature
AI detected suspicious sample
Changes the wallpaper picture
Found API chain indicative of debugger detection
Multi AV Scanner detection for submitted file
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Writes many files with high entropy
Yara detected Rhysida Ransomware
Behaviour
Behavior Graph ID: 1524005
Sample: eEu5xPVQUo.exe
Start date: 02/10/2024
Architecture: WINDOWS
Score: 80

Sample-level signatures: Multi AV Scanner detection for submitted file; Yara detected Rhysida Ransomware; AI detected suspicious sample
DNS lookup recorded at analysis level (not attributed to a process in the graph): x1.i.lencr.org (lencr.org is Let's Encrypt certificate-status infrastructure)

Process tree recovered from the graph (indentation shows parent/child; signatures raised on a process are in square brackets):

eEu5xPVQUo.exe  [Uses cmd line tools excessively to alter registry or file data; Found API chain indicative of debugger detection; Writes many files with high entropy]
  dropped: C:\ProgramData\...\MpAsDesc.dll.mui.rhysida (DOS), C:\ProgramData\...\mpuxagent.dll.mui.rhysida (COM), C:\ProgramData\...\mpavdlta.vdm.rhysida (DOS), and 502 other files (497 malicious)
  cmd.exe  [Suspicious powershell command line found; Uses cmd line tools excessively to alter registry or file data]
    cmd.exe
      reg.exe
    conhost.exe
  cmd.exe
    cmd.exe  [Uses cmd line tools excessively to alter registry or file data]
      reg.exe  [Changes the wallpaper picture]
    conhost.exe
  cmd.exe
    cmd.exe  [Suspicious powershell command line found]
      powershell.exe
        conhost.exe
    conhost.exe
  7 other processes
    cmd.exe
      reg.exe
    11 other processes
      reg.exe (x3)
      2 other processes
Acrobat.exe
  AcroCEF.exe
    AcroCEF.exe
      52.202.204.11:443 (AMAZON-AES, United States), local port 49731
      96.17.64.189:443 (AKAMAI-AS, United States), local port 49732

The only network endpoints in the graph hang off the Acrobat.exe/AcroCEF.exe branch, which is a separate process root, not off the sample or its cmd.exe/reg.exe/powershell.exe descendants. They should not be treated as Rhysida C2 indicators on the strength of this report.
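The graph above shows the pattern a detection engineer would key on: one parent fanning out into nested cmd.exe chains that run reg.exe (one of them flagged for changing the wallpaper) and powershell.exe. The following is an added example, not MalwareBazaar or sandbox code, that scores Sysmon-style process-creation events for that fan-out. The events and every command line in them are constructed for illustration (the sample's real command lines are not on this page); the threshold of three cmd.exe/reg.exe descendants is an assumption, and HKCU\Control Panel\Desktop is the standard location of the Wallpaper, WallpaperStyle and TileWallpaper values.

```python
"""Heuristic over process-creation events for the cmd.exe -> reg.exe / powershell.exe fan-out.

Added example, not MalwareBazaar or sandbox code. Events and command lines are
constructed (Sysmon-style pid/ppid/image/cmdline fields).
"""
import re
from collections import defaultdict

# A reg.exe write under HKCU\Control Panel\Desktop touching a *Wallpaper* value
# is the "Changes the wallpaper picture" signal.
WALLPAPER_RE = re.compile(r"control panel\\desktop.*wallpaper", re.IGNORECASE)
REG_WRITE_RE = re.compile(r"\badd\b", re.IGNORECASE)

# Constructed events: one ransomware-like root that fans out cmd.exe -> cmd.exe ->
# reg.exe / powershell.exe, plus two benign roots for contrast.
EVENTS = [
    {"pid": 100, "ppid": 4,   "image": r"C:\Users\u\eEu5xPVQUo.exe", "cmdline": "eEu5xPVQUo.exe"},
    {"pid": 110, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Public\bg.jpg /f'},
    {"pid": 111, "ppid": 110, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Public\bg.jpg /f'},
    {"pid": 112, "ppid": 111, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d C:\Users\Public\bg.jpg /f'},
    {"pid": 113, "ppid": 110, "image": r"C:\Windows\System32\conhost.exe", "cmdline": "conhost.exe 0xffffffff"},
    {"pid": 120, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f'},
    {"pid": 121, "ppid": 120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f'},
    {"pid": 122, "ppid": 121, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKCU\Control Panel\Desktop" /v WallpaperStyle /t REG_SZ /d 2 /f'},
    {"pid": 130, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c cmd.exe /c powershell -NoProfile -Command "Get-ChildItem C:\Users -Recurse"'},
    {"pid": 131, "ppid": 130, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c powershell -NoProfile -Command "Get-ChildItem C:\Users -Recurse"'},
    {"pid": 132, "ppid": 131, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -NoProfile -Command "Get-ChildItem C:\Users -Recurse"'},
    {"pid": 140, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d 0 /f'},
    {"pid": 141, "ppid": 140, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKCU\Control Panel\Desktop" /v TileWallpaper /t REG_SZ /d 0 /f'},
    # Benign roots: the user's shell running one reg query, and a PDF reader the sandbox started.
    {"pid": 200, "ppid": 4,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 202, "ppid": 201, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName'},
    {"pid": 300, "ppid": 4,   "image": r"C:\Program Files\Adobe\Acrobat.exe", "cmdline": "Acrobat.exe"},
    {"pid": 301, "ppid": 300, "image": r"C:\Program Files\Adobe\AcroCEF.exe", "cmdline": "AcroCEF.exe"},
]


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def build_tree(events):
    """Index events by pid, map parent -> children, and find roots (parents not in the log)."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    roots = [e["pid"] for e in events if e["ppid"] not in by_pid]
    return by_pid, children, roots


def descendants(children, pid):
    stack = list(children[pid])
    while stack:
        p = stack.pop()
        yield p
        stack.extend(children[p])


def score_root(by_pid, children, root, threshold=3):
    """Return the findings raised on one process root; empty list means nothing suspicious."""
    counts = defaultdict(int)
    wallpaper_writers = []
    for p in descendants(children, root):
        e = by_pid[p]
        name = basename(e["image"])
        counts[name] += 1
        if name == "reg.exe" and REG_WRITE_RE.search(e["cmdline"]) and WALLPAPER_RE.search(e["cmdline"]):
            wallpaper_writers.append(p)
    findings = []
    if counts["cmd.exe"] >= threshold and counts["reg.exe"] >= threshold:
        findings.append(f"cmd.exe/reg.exe fan-out: {counts['cmd.exe']} cmd.exe, {counts['reg.exe']} reg.exe")
    if wallpaper_writers:
        findings.append(f"reg.exe writes wallpaper values under HKCU\\Control Panel\\Desktop (pids {wallpaper_writers})")
    if counts["powershell.exe"] and counts["cmd.exe"]:
        findings.append("powershell.exe launched through a cmd.exe chain")
    return findings


def analyze(events, threshold=3):
    """Map each root process name to its findings."""
    by_pid, children, roots = build_tree(events)
    return {basename(by_pid[r]["image"]): score_root(by_pid, children, r, threshold) for r in roots}


if __name__ == "__main__":
    for root_name, findings in analyze(EVENTS).items():
        print(root_name, "->", findings or "clean")
```

Scoring per root rather than per event is what keeps the benign explorer.exe chain (one cmd.exe, one reg query) quiet while the sample's tree trips all three findings; on real telemetry the threshold and the conhost.exe noise both need tuning to the environment.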
Threat name: Win64.Ransomware.Rhysida
Status: Malicious
First seen: 2023-08-03 07:45:15 UTC
File Type: PE+ (Exe)
AV detection: 31 of 38 (81.58%)
Threat level: 5/5
Verdict: malicious
Label(s): rhysidaransomware
Result
Malware family: rhysida
Score: 10/10
Tags: family:rhysida credential_access defense_evasion discovery execution ransomware spyware stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Browser Information Discovery
Hide Artifacts: Ignore Process Interrupts
Sets desktop wallpaper using registry
Hide Artifacts: Hidden Window
Indicator Removal: File Deletion
Credentials from Password Stores: Windows Credential Manager
Drops startup file
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Renames multiple (731) files with added filename extension
Detect Rhysida ransomware
Rhysida
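Two behaviours recorded by the sandboxes above, "Renames multiple (731) files with added filename extension" and "Writes many files with high entropy", together with the dropped *.rhysida file names in the process graph, are what an incident responder triages first on a victim host. The following is an added example, not MalwareBazaar, sandbox or Rhysida code: it walks a directory tree, lists files carrying the appended extension, recovers their original extensions, and separates ciphertext-like content from files that merely carry the extension. The demo directory is constructed in a temp folder (a uniform byte pattern stands in for ciphertext), ".rhysida" is taken from the dropped file names above, and the 7.0 bits-per-byte threshold is an assumption.

```python
"""Post-incident triage of files renamed with an appended extension.

Added example, not MalwareBazaar, sandbox or Rhysida code. make_demo_tree()
builds a constructed victim directory so the script runs offline.
"""
import math
import os
import tempfile
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def original_name(name: str, ext: str) -> str:
    """Strip the appended extension, e.g. 'MpAsDesc.dll.mui.rhysida' -> 'MpAsDesc.dll.mui'."""
    return name[:-len(ext)] if name.lower().endswith(ext) else name


def triage(root: str, ext: str = ".rhysida", threshold: float = 7.0, max_read: int = 1 << 20) -> dict:
    """Walk root; collect files with the appended extension and classify them by entropy."""
    report = {"renamed": [], "high_entropy": 0, "low_entropy_renamed": [],
              "original_extensions": Counter(), "untouched": 0}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not name.lower().endswith(ext):
                report["untouched"] += 1
                continue
            with open(path, "rb") as fh:
                ent = shannon_entropy(fh.read(max_read))   # first max_read bytes are enough to classify
            report["renamed"].append((path, round(ent, 3)))
            report["original_extensions"][os.path.splitext(original_name(name, ext))[1].lower()] += 1
            if ent >= threshold:
                report["high_entropy"] += 1
            else:
                # Extension present but content is not ciphertext-like: inspect by hand
                # (could be an empty or partially written file, or a false positive on the name).
                report["low_entropy_renamed"].append(path)
    return report


def make_demo_tree() -> str:
    """Constructed victim directory (assumption, not real sample output); returns its path."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    sub = os.path.join(root, "ProgramData")
    os.makedirs(sub)
    ciphertext = bytes(range(256)) * 16            # 4096 bytes, entropy exactly 8.0
    files = {
        os.path.join(root, "report.docx.rhysida"): ciphertext,
        os.path.join(root, "budget.xlsx.rhysida"): ciphertext,
        os.path.join(sub, "MpAsDesc.dll.mui.rhysida"): ciphertext,
        os.path.join(root, "notes.txt.rhysida"): b"A" * 4096,   # renamed but not ciphertext-like
        os.path.join(root, "readme.txt"): b"plain text, never touched\n",
    }
    for path, content in files.items():
        with open(path, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    rep = triage(make_demo_tree())
    print(f"{len(rep['renamed'])} renamed, {rep['high_entropy']} high-entropy, "
          f"{len(rep['low_entropy_renamed'])} to inspect, "
          f"original extensions: {dict(rep['original_extensions'])}")
```

The original-extension histogram is the quick answer to "what did it target" (documents, archives, and, per the graph above, Defender's own .mui and .vdm files under ProgramData), and the low-entropy bucket is the list to open by hand rather than write off as encrypted.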
Verdict: Malicious
Tags: ransomware rhysida
YARA: MALWARE_Win_Rhysida
Unpacked files
SHA256 hash: 258ddd78655ac0587f64d7146e52549115b67465302c0cbd15a0cba746f05595
MD5 hash: 44c7d18633b5741db270a6bd378b6f3c
SHA1 hash: c1d41db1662289870d9b0172c53612b8a346a0e3
Detections: win_rhysida_auto MALWARE_Win_Rhysida
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Check_OutputDebugStringA_iat

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Detect_Malicious_VBScript_Base64
Author: daniyyell
Description: Detects malicious VBScript patterns, including Base64 decoding, file operations, and PowerShell.

Rule name: MALWARE_Win_Rhysida
Author: ditekSHen
Description: Detects Rhysida ransomware

Rule name: pe_detect_tls_callbacks

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: win_rhysida_auto
Author: Felix Bilstein - yara-signator at cocacoding dot com
Description: Detects win.rhysida.

Of these, only MALWARE_Win_Rhysida and win_rhysida_auto are family-specific; the rest are generic anti-debugging, TLS-callback, ransomware and script-pattern rules, and a hit from them alone is not attribution to Rhysida.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables. GUARD_CF is the IMAGE_DLLCHARACTERISTICS_GUARD_CF bit (0x4000) in the optional header's DllCharacteristics field, and the Authenticode finding means the PE carries no certificate table (security data directory). Neither finding is malicious on its own, since much legitimate software ships without Control Flow Guard or a signature.

Findings
ID                         | Title                                            | Severity
CHECK_AUTHENTICODE         | Missing Authenticode                             | high
CHECK_DLL_CHARACTERISTICS  | Missing dll Security Characteristics (GUARD_CF)  | high

Reviews
ID                 | Capabilities                    | Evidence
WIN32_PROCESS_API  | Can Create Process and Threads  | KERNEL32.dll::CloseHandle
WIN_BASE_API       | Uses Win Base API               | KERNEL32.dll::TerminateProcess, KERNEL32.dll::GetSystemInfo, KERNEL32.dll::GetStartupInfoA
WIN_BASE_IO_API    | Can Create Files                | KERNEL32.dll::GetFileAttributesA
WIN_CRYPT_API      | Uses Windows Crypt API          | ADVAPI32.dll::CryptAcquireContextA, ADVAPI32.dll::CryptGenRandom

The capability rows are keyed off imported names, so each shows only a representative import as evidence. The CryptAcquireContextA/CryptGenRandom pair is consistent with a file encryptor drawing key material from the Windows CSP random number generator, but does not by itself identify the cipher in use.
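Both BLint findings can be re-derived from two fields of the PE optional header. The following is an added example, not BLint's code: check_pe() parses the DOS and COFF headers, handles both the PE32 and PE32+ layouts, reads DllCharacteristics and the certificate-table data directory, and reports the same two findings. Because the sample itself is not embedded here, build_minimal_pe() constructs a header-only PE (an assumption, not real sample bytes) so the check runs offline; pass a real file path to run it on an actual binary.

```python
"""Re-derive the GUARD_CF and Authenticode findings from PE headers.

Added example, not BLint's code. build_minimal_pe() is a constructed
header-only PE for offline use.
"""
import json
import struct
import sys

IMAGE_DLLCHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0100: "NX_COMPAT",
    0x4000: "GUARD_CF",
}
GUARD_CF = 0x4000
SECURITY_DIR = 4   # IMAGE_DIRECTORY_ENTRY_SECURITY: the Authenticode certificate table


def check_pe(data: bytes) -> dict:
    """Return DllCharacteristics flags, certificate-table entry and BLint-style findings."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        pe_plus, dd = False, opt + 0x60          # PE32: data directories start at +0x60
    elif magic == 0x20B:
        pe_plus, dd = True, opt + 0x70           # PE32+: +0x70 (64-bit stack/heap size fields)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dllchars = struct.unpack_from("<H", data, opt + 0x46)[0]   # same offset in both layouts
    n_dirs = struct.unpack_from("<I", data, dd - 4)[0]        # NumberOfRvaAndSizes
    cert_off, cert_size = 0, 0
    if n_dirs > SECURITY_DIR:
        # For the security directory the first field is a file offset, not an RVA.
        cert_off, cert_size = struct.unpack_from("<II", data, dd + 8 * SECURITY_DIR)
    findings = []
    if cert_off == 0 or cert_size == 0:
        findings.append("CHECK_AUTHENTICODE: no certificate table, file is unsigned")
    if not dllchars & GUARD_CF:
        findings.append("CHECK_DLL_CHARACTERISTICS: GUARD_CF not set")
    return {
        "pe_plus": pe_plus,
        "dll_characteristics": dllchars,
        "flags": [name for bit, name in IMAGE_DLLCHARACTERISTICS.items() if dllchars & bit],
        "certificate_table": (cert_off, cert_size),
        "findings": findings,
    }


def build_minimal_pe(pe_plus: bool = True, dllchars: int = 0x0160, cert=(0, 0)) -> bytes:
    """Constructed header-only PE (no sections) with the given DllCharacteristics and cert table.
    The default 0x0160 = HIGH_ENTROPY_VA | DYNAMIC_BASE | NX_COMPAT, i.e. no GUARD_CF."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)        # e_lfanew: PE header right after the DOS header
    opt_size = 0xF0 if pe_plus else 0xE0         # includes all 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664 if pe_plus else 0x14C, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe_plus else 0x10B)
    struct.pack_into("<H", opt, 0x46, dllchars)
    dd = 0x70 if pe_plus else 0x60
    struct.pack_into("<I", opt, dd - 4, 16)      # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dd + 8 * SECURITY_DIR, *cert)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe()
    print(json.dumps(check_pe(blob), indent=2))
```

A non-empty certificate table only says a signature blob is attached; whether it verifies against a trusted chain is a separate check (for example osslsigncode verify, or Get-AuthenticodeSignature in PowerShell), and a stolen or self-signed certificate would pass this presence test.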
