MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27d3d5fe5fba171eb2244f07692441be38c7308507b446977a377bff17bb5904. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	27d3d5fe5fba171eb2244f07692441be38c7308507b446977a377bff17bb5904
SHA3-384 hash:	a9d2aa1cb4cc87bea585e40e289e71b7f166e71dee0164128d2a0e170388e80451c675ae2993458dbd1a7a81a7b98362
SHA1 hash:	1e4d62ddeb63fb6402efa812c59ab3a787282d6f
MD5 hash:	37db5181e973d4d7f9c44ff2a2b80f01
humanhash:	diet-juliet-cola-east
File name:	DHL Original Documents.exe
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	1'594'384 bytes
First seen:	2023-02-14 18:24:32 UTC
Last seen:	2023-02-14 19:43:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	396c902890b802c5ec6bae321a9a9c71 (3 x Rhadamanthys, 1 x RedLineStealer, 1 x RecordBreaker)
ssdeep	24576:+fFQddjdaB8OWqN0ujXGEJUuLp2avBh4kUaOY7zEGOmth0tgo5fnv/:+tiG8OjqujXx/LgavBSkUI7yuh0tgk/
Threatray	20'973 similar samples on MalwareBazaar
TLSH	T14475DF8536723CD6F6514279166A4BE7E9200053BD722AA7B2E7D1D14ACE36C7F3A033
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	c4d2d0c9d8d8c8f9 (3 x AgentTesla, 2 x Formbook, 2 x Rhadamanthys)
Reporter	abuse_ch
Tags:	DHL exe Rhadamanthys signed

Code Signing Certificate

Organisation:	cars.com
Issuer:	GlobalSign RSA OV SSL CA 2018
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-09-30T01:51:05Z
Valid to:	2023-11-01T01:51:04Z
Serial number:	58517021882b96d7767dca2e
Intelligence:	4 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	7f71b01b1c2b815d0a54b916f441d6ef8183d3c9979592945a6526678a72a392
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

202

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

DHL Original Documents.exe

Verdict:

No threats detected

Analysis date:

2023-02-14 18:37:21 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/81a8a848-9b31-4a1f-92d7-4ab1c1d3b27e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/365951/

Detection(s):

SecuriteInfo.com.Variant.Zusy.449205.15749.15736.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

DNS request

Launching a process

Creating a file in the %temp% directory

Using the Windows Management Instrumentation requests

Сreating synchronization primitives

Reading critical registry keys

Creating a window

Stealing user critical data

Unauthorized injection to a system process

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/69778/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionQueryPerformanceCounter

EvasionGetTickCount

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/63ebd20191b0e663e8f76f33/reports/d3866852-0947-4997-90fb-6e25562a33a2/overview

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/27d3d5fe5fba171eb2244f07692441be38c7308507b446977a377bff17bb5904

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ec5810ec-f778-41b7-9ad3-4ac61f83a462

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1175463

Behaviour

Behavior Graph:

n/a

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/27d3d5fe5fba171eb2244f07692441be38c7308507b446977a377bff17bb5904/

Threat name:

Win32.Spyware.Rhadamanthys

Status:

Malicious

First seen:

2023-02-13 21:15:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

22 of 39 (56.41%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=e7j5l7s7xilr5mrej4dwsjcbxy4momefa62enf32g5576f53leca._file

Verdict:

malicious

Label(s):

agenttesla

Rhadamanthys

20c94daf0506d27a6bd3de27e378fc900dd44a32328a41912d60fd26677d426d

Rhadamanthys

4033d9c9ef268cf2bdf04bb0e1c549e5461ba27026797edf70121468abbd1203

Rhadamanthys

4795e398d5dce733ecb352580be08b33ae668684856a5cf34a8cc21fa303c60e

Rhadamanthys

5f1d6d9c49024913322423dbd249144d93feab55663e1cc26fb0cdf9eb16c610

Rhadamanthys

62a868ec8c1727bcddd3954bd37e482a5584bd40b7163132738885b7deffaa4f

Rhadamanthys

6a7afb8f7f2a67c98cd75d271fa90b7466adcfd86012fc62e88d5f345d8433d6

Rhadamanthys

8089619c8dba1d0d3a52b272d619fd6658adc82fd4f44df48582b0d6505f673d

Rhadamanthys

b10a2b32b0de00faddaf167bef405952be39d31f0236aaedc975654ef70f6800

Rhadamanthys

f144fef878393aa69f18f5cf812ee9a62b0224ccb21936321c8f98d65c98d2f6

Rhadamanthys

+ 20'963 additional samples on MalwareBazaar

Result

Malware family:

rhadamanthys

Score:

10/10

Tags:

family:agenttesla family:rhadamanthys collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230214-w2ly2sef5x/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Loads dropped DLL

AgentTesla

Detect rhadamanthys stealer shellcode

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Unpacked files

SH256 hash:

e23ebf40ff02e80917955089f1441f2633003387c60f3c7c7418e67c59169962

MD5 hash:

632ecc0d142358a6066e74380fbee0f5

SHA1 hash:

9bda184b5b5009d57c7e33282525e32890242b1d

Link:

https://www.unpac.me/results/6156b820-e918-4c43-a9f0-f017d015b964/

SH256 hash:

27d3d5fe5fba171eb2244f07692441be38c7308507b446977a377bff17bb5904

MD5 hash:

37db5181e973d4d7f9c44ff2a2b80f01

SHA1 hash:

1e4d62ddeb63fb6402efa812c59ab3a787282d6f

Link:

https://www.unpac.me/results/6156b820-e918-4c43-a9f0-f017d015b964/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/27d3d5fe5fba/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/27d3d5fe5fba171eb2244f07692441be38c7308507b446977a377bff17bb5904

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/365951/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample