MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2eb89e9992d8786b1043c271537d624b71c416dc4e309eb7621463e43afdadfc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 11

Intelligence 11 IOCs YARA 4 File information Comments 1

SHA256 hash:	2eb89e9992d8786b1043c271537d624b71c416dc4e309eb7621463e43afdadfc
SHA3-384 hash:	c057a61b78abaea3e08c4b7b3b1ea8848ad7da2e3ab2e2f153671a3390ff0068d7c7bbf48c2353933eaff232f09716f4
SHA1 hash:	a9949c279158afa82dfd7d024c53b8f459281392
MD5 hash:	ff6ccdba300d5de39bcf38eee046f50c
humanhash:	six-uniform-cola-island
File name:	ff6ccdba300d5de39bcf38eee046f50c
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	403'968 bytes
First seen:	2023-06-10 13:26:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	1ae6a0bd2b3474999b5de4e1a6bdc1d5 (1 x Rhadamanthys)
ssdeep	6144:r/GE2mMcbNJ7qjUCG9FGUE1EMc+m1B383kgR72LrtH0hvvuWdiH5KhWV:LGE2mMcbNJ3CMFS5c+mkartavvuWdin
TLSH	T1DA84F1C4BAA1C03EE1A745385935D6B0AB7FB433E675C94F23D4026E4D312C2AADD762
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0070c0b030301800 (1 x Rhadamanthys)
Reporter	zbetcheckin
Tags:	32 exe Rhadamanthys

Intelligence

File Origin

# of uploads :

# of downloads :

372

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ff6ccdba300d5de39bcf38eee046f50c

Verdict:

No threats detected

Analysis date:

2023-06-10 13:29:18 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6534204a-4dc5-4257-8140-eab09b6e37bd

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/397626/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/90208/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

CPUID_Instruction

EvasionQueryPerformanceCounter

EvasionGetTickCount

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/64847a2d419625397aa1e92f/reports/6dedaaa2-02e4-471a-92e8-8d08b4039fd1/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/2eb89e9992d8786b1043c271537d624b71c416dc4e309eb7621463e43afdadfc

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/baf9f92e-f3c4-41a6-a5e6-4b271ed8cc42

Result

Threat name:

n/a

Detection:

malicious

Classification:

evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1252371

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2eb89e9992d8786b1043c271537d624b71c416dc4e309eb7621463e43afdadfc/

Threat name:

Win32.Trojan.RedLine

Status:

Malicious

First seen:

2023-06-10 13:27:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=f24j5gms3b4gwecdyjyvg7lcjny4ifw4jyyj5n3ccrr6iox5vx6a._file

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/230610-qp34xafg2w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Program crash

Unpacked files

SH256 hash:

d1afbe6cec2655bf02afbe8c5734ecfbe073e09d79c6ede6b568f85c09c39944

MD5 hash:

d1cff64693e55aa632339be3bf803c3f

SHA1 hash:

6829848b14d80cf670c0a1561c0578056f39d468

Detections:

win_brute_ratel_c4_w0

Link:

https://www.unpac.me/results/622d49ed-3129-4cbe-a2b7-dce7cf8691de/

SH256 hash:

2eb89e9992d8786b1043c271537d624b71c416dc4e309eb7621463e43afdadfc

MD5 hash:

ff6ccdba300d5de39bcf38eee046f50c

SHA1 hash:

a9949c279158afa82dfd7d024c53b8f459281392

Link:

https://www.unpac.me/results/622d49ed-3129-4cbe-a2b7-dce7cf8691de/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2eb89e9992d8786b1043c271537d624b71c416dc4e309eb7621463e43afdadfc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BruteSyscallHashes Create hunting rule
Author:	Embee_Research @ Huntress

Rule name:	Windows_Trojan_Smokeloader_3687686f Create hunting rule
Author:	Elastic Security

Rule name:	win_brute_ratel_c4_w0 Create hunting rule
Author:	Embee_Research @ Huntress

Rule name:	win_Brute_Syscall_Hashes Create hunting rule
Author:	Embee_Research @ Huntress
Description:	Detection of Brute Ratel Badger via api hashes of Nt* functions.