MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29f5a8629986da0b4a353e5423fb39c505cba7c06e7aa4b5a4029c5a1669ae95. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 15

SHA256 hash: 29f5a8629986da0b4a353e5423fb39c505cba7c06e7aa4b5a4029c5a1669ae95
SHA3-384 hash: d90706632295762ead8723f4630ab8bfed6bdca88987e9c004045e17ead86559be5499a37b27dd218767446b535d4fee
SHA1 hash: 3f4c5725af5087b7066d53a224759b566560eb91
MD5 hash: bc8ca49fa09fa6f616708013d9211992
humanhash: table-delaware-paris-ceiling
File name: bc8ca49fa09fa6f616708013d9211992.exe
Signature: Rhadamanthys
File size: 3'286'016 bytes
First seen: 2023-08-08 07:06:07 UTC
Last seen: 2023-08-24 15:48:08 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep: 49152:ZZvrmWKGDNB7G87UOZ0rFiNkSoVm+/2B72UzNyFcrOaZ+rgI0qi/8LqKX:ZZRNlUOyr1Su/RUgkYgI9
Threatray: 202 similar samples on MalwareBazaar
TLSH: T118E5E00BBA4F8DA1D3467776C59F050C0BAEDB853227D73F798E235925037BA9A09207
TrID: 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: abuse_ch
Tags: exe Rhadamanthys

Intelligence


File Origin
# of uploads: 2
# of downloads: 301
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: bc8ca49fa09fa6f616708013d9211992.exe
Verdict: Malicious activity
Analysis date: 2023-08-08 07:16:42 UTC
Tags: rhadamanthys stealer zgrat backdoor

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Behaviour
Creating a window
Creating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Restart of the analyzed sample
Creating a file
Using the Windows Management Instrumentation requests
Launching a process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Sending a TCP request to an infection source
Enabling autorun by creating a file
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: azorult packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RHADAMANTHYS
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Deletes itself after installation
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph (ID: 1287487; sample: clKx5Ep2e4.exe; start date: 08/08/2023; architecture: WINDOWS; score: 100)
Contacted hosts: prakitik.ug, parals.ac.ug, nickshort.ug; 91.103.252.25 (ports 4681, 49715, 49716; HOSTGLOBALPLUS-ASRU, Russian Federation)
Signatures on the sample: Snort IDS alert for network traffic; Antivirus detection for dropped file; Multi AV Scanner detection for submitted file; 6 other signatures
Process tree:
clKx5Ep2e4.exe: drops C:\Users\user\AppData\Local\...\Blenjbw.exe (PE32); Injects a PE file into a foreign processes; starts clKx5Ep2e4.exe and Blenjbw.exe
    clKx5Ep2e4.exe (child): connects to 91.103.252.25; starts certreq.exe
        certreq.exe: drops C:\Users\user\AppData\Local\...\p]p5.exe (PE32+) and C:\Users\user\AppData\Local\...\752h`x1.exe (PE32); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); 2 other signatures; starts conhost.exe
    Blenjbw.exe: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Injects a PE file into a foreign processes; starts Blenjbw.exe
        Blenjbw.exe (child): drops C:\Users\user\AppData\...\MethodBase.exe (PE32)
MethodBase.exe (started at top level): Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
Threat name: Win32.Spyware.Rhadamanthys
Status: Malicious
First seen: 2023-08-07 17:56:16 UTC
File Type: PE (.Net Exe)
Extracted files: 7
AV detection: 24 of 38 (63.16%)
Threat level: 2/5
Result
Malware family: rhadamanthys
Score: 10/10
Tags: family:rhadamanthys stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Detect rhadamanthys stealer shellcode
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
Detections (on an unpacked file): RhadamanthysLoader win_brute_ratel_c4_w0
Result (this sample)
Malware family: AZORult v3
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BruteSyscallHashes
Author: Embee_Research @ Huntress
Rule name: Check_OutputDebugStringA_iat
Rule name: NET
Author: malware-lu
Rule name: NETexecutableMicrosoft
Author: malware-lu
Rule name: pe_imphash
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash
Rule name: win_bruteratel_syscall_hashes_oct_2022
Author: Embee_Research @ Huntress
Description: Detection of Brute Ratel Badger via api hashes of Nt* functions.
Rule name: win_brute_ratel_c4_w0
Author: Embee_Research @ Huntress
Rule name: win_Brute_Syscall_Hashes
Author: Embee_Research @ Huntress
Description: Detection of Brute Ratel Badger via api hashes of Nt* functions.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Rhadamanthys
File: Executable exe 29f5a8629986da0b4a353e5423fb39c505cba7c06e7aa4b5a4029c5a1669ae95 (this sample)
