MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a4637eeb74d47ddbe7ff10f005806bce77ee877b9ae52f55bf6ae425cc3fcd5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	2a4637eeb74d47ddbe7ff10f005806bce77ee877b9ae52f55bf6ae425cc3fcd5
SHA3-384 hash:	0451b81da25364dd8424ae40cfe21bf239ca84065152c898289a2f51f3a3f121265c52f26f5911e8c048fa0cf75f7ca1
SHA1 hash:	1cc4b53dcd7add65fe4b11531751b43f2d7e387d
MD5 hash:	e7dfb892dbd65b0ed6fed69b20edf739
humanhash:	stream-texas-queen-winter
File name:	Notteppad_SettupX32iX64.exe
Download:	download sample
Signature	Rhadamanthys Alert Create hunting rule
File size:	292'381 bytes
First seen:	2023-01-13 04:10:20 UTC
Last seen:	2023-01-13 05:27:36 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d3166f552368323ac64b9f36c4fbe050 (1 x Rhadamanthys)
ssdeep	6144:x6b/9DJpBnx85mwif0odtTZGbpYByPT7lyvIcySIvF68fx6:Q/9dpBnzwYTvByPHly5VIvk8J6
Threatray	4'145 similar samples on MalwareBazaar
TLSH	T13354E194F66748B5C5072670457BABBFA1206F861E31C6A2FB567697FC33A1218C0FC2
TrID	37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 12.7% (.EXE) Win64 Executable (generic) (10523/12/4) 7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):
dhash icon	a2a9d8f88a88c9c0 (11 x SnakeKeylogger, 4 x RedLineStealer, 4 x AgentTesla)
Reporter	malware_traffic
Tags:	exe Rhadamanthys

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

200

Origin country :

US

Vendor Threat Intelligence

ANY.RUN Malicious

Malware family:

n/a

ID:

1

File name:

Notteppad_SettupX32iX64.exe

Verdict:

Malicious activity

Analysis date:

2023-01-12 19:58:01 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/3d9a4477-3053-47bf-a194-556b1ad97e23

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/352481/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Win32.Evo-gen.8814.25448.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Sending an HTTP GET request

Creating a file in the %AppData% directory

Launching a process

Deleting a recently created file

Reading critical registry keys

Searching for the window

Sending a custom TCP request

Launching the default Windows debugger (dwwin.exe)

Forced system process termination

Stealing user critical data

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

anti-debug overlay packed

Link:

https://www.filescan.io/uploads/63c0d9d7aa212e9739a2591a/reports/f63c4c54-0cef-402d-adf0-2aa9a05e2e9d/overview

InQuest UNKNOWN

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Malicious

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/3baeaed5-f82d-4a06-a25e-cfa28c927c8e

Joe Sandbox RHADAMANTHYS

Result

Threat name:

RHADAMANTHYS

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1150846

Signature

Contain functionality to detect virtual machines

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to detect virtual machines (IN, VMware)

Contains functionality to hide a thread from the debugger

Found API chain indicative of debugger detection

Found many strings related to Crypto-Wallets (likely being stolen)

Multi AV Scanner detection for submitted file

Searches for specific processes (likely to inject)

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2a4637eeb74d47ddbe7ff10f005806bce77ee877b9ae52f55bf6ae425cc3fcd5/

ReversingLabs TitaniumCloud Win32.Spyware.Rhadamanthys

Threat name:

Win32.Spyware.Rhadamanthys

Alert

Create hunting rule

Status:

Suspicious

First seen:

2023-01-13 04:11:06 UTC

File Type:

PE (Exe)

Extracted files:

10

AV detection:

9 of 26 (34.62%)

Threat level:

  2/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fjddp3vxjvd53pt76ehqawagxttx52dxxgxff5k362xeexgd7tkq._file

Threatray malicious

Verdict:

malicious

Similar samples:

154ca9b65ed10747abd833a0ea2a7b5135742ea3fdad1f53f006216fc7950ebf

Rhadamanthys

2a99f25f4212f53d7479bfb140c572ca9f44394fbc4817743b1338cddf95a2d6

Rhadamanthys

2f5adcd21b56b7a72adadb73a7d29ea9158a1b10cf02be624f60f41a3b1fce0d

Rhadamanthys

84fcfc88df2041347b749df08d82fdb951f0335567ac9e5f1828e84084542e1f

Rhadamanthys

9146cee3d387cb3d665885b95d885734541f281cbb2a4726b6a59df922a83ee7

Rhadamanthys

b0a22e9a9850fa4356f5603905f45645489ae04d60d630772b3b8227a21b1956

Rhadamanthys

d719df850d62a455d34bf2a5847b36e6d267047824b2e96b7c4c9cdfbd9737e3

Rhadamanthys

dabdfc50cc2a6bc20b098b7feee83bedf463d58e0a9f824831290acefddc703c

Rhadamanthys

ef2dd208f149f8ae0741c2cf4fa5270e8d54c35e161f88aad9b109c679e211a2

Rhadamanthys

fb651d07bc1ee0b1676123399c358c9f3a276448b4938b46cfd2b9b701956913

Rhadamanthys

+ 4'135 additional samples on MalwareBazaar

Hatching Triage Malicious

Result

Malware family:

n/a

Score:

  8/10

Tags:

collection discovery spyware stealer

Link:

https://tria.ge/reports/230113-erx5wseb62/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Program crash

Accesses Microsoft Outlook profiles

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Blocklisted process makes network request

UnpacMe

Unpacked files

SH256 hash:

2a4637eeb74d47ddbe7ff10f005806bce77ee877b9ae52f55bf6ae425cc3fcd5

MD5 hash:

e7dfb892dbd65b0ed6fed69b20edf739

SHA1 hash:

1cc4b53dcd7add65fe4b11531751b43f2d7e387d

Link:

https://www.unpac.me/results/9c27d622-07c2-4a3d-8ec1-f7e5414cbf40/

VMRay Malicious

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/2a4637eeb74d/report/overview.html

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2a4637eeb74d47ddbe7ff10f005806bce77ee877b9ae52f55bf6ae425cc3fcd5

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/352481/

Comments

---

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

Brad commented on 2023-01-13 04:11:16 UTC

Carved to remove padding. Originally more than 777 MB as an inflated EXE.