MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 309f4640fc51834ff7521ca752715c23ec8f7859c78cedb849538bf29c9fb45d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	309f4640fc51834ff7521ca752715c23ec8f7859c78cedb849538bf29c9fb45d
SHA3-384 hash:	8580669387965de1febb46c150d6419f409779cf80c349b6ef3a8bd15e2c4c539b04c583d141350f8d61caa86382b2bd
SHA1 hash:	060422457c194dafa447c5b92e96ad6d46dca50e
MD5 hash:	63a91428d48ffcbc3aea18385a50007c
humanhash:	six-fanta-helium-michigan
File name:	SoftwarеSеtupFilе.exe
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	7'917'523 bytes
First seen:	2023-02-22 01:57:27 UTC
Last seen:	2023-02-22 03:28:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	7007929576eec286d477c8effcb4eaef (1 x RedLineStealer, 1 x Rhadamanthys, 1 x RaccoonStealer)
ssdeep	196608:cUd+ahhrclOlJo1KmQOAIrxbBrhvOricM4SgE92:cUdLfnfIrxF7l4SgE
Threatray	204 similar samples on MalwareBazaar
TLSH	T1958633472AC930FEDA8E1630516B9FF532F6ED760DC1083933CDB659AA737222017696
TrID	42.7% (.EXE) Win32 Executable (generic) (4505/5/1) 19.2% (.EXE) OS/2 Executable (generic) (2029/13) 19.0% (.EXE) Generic Win/DOS Executable (2002/3) 18.9% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	8038c88c8e8ee6e2 (1 x Rhadamanthys)
Reporter	Chainskilabs
Tags:	exe Rhadamanthys

Intelligence

File Origin

# of uploads :

# of downloads :

258

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SoftwarеSеtupFilе.exe

Verdict:

Malicious activity

Analysis date:

2023-02-22 01:59:41 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/0f8144e8-ecc9-4b1c-ae67-82c694061a09

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Rhadamanthys

Link:

https://www.capesandbox.com/analysis/368780/

Detection(s):

SecuriteInfo.com.Variant.Babar.160842.17979.14815.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Sending a custom TCP request

Сreating synchronization primitives

Sending an HTTP GET request

Launching a process

Reading critical registry keys

Unauthorized injection to a system process

Stealing user critical data

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/72060/overview

Behaviour

MalwareBazaar

Verdict:

Suspicious

Threat level:

5/10

Confidence:

80%

Tags:

installer overlay packed

Link:

https://www.filescan.io/uploads/63f576acd385ee58584e726d/reports/bb29c65e-6ca1-4492-95a4-6677aaa6667b/overview

Verdict:

Malicious

Labled as:

Babar.Generic

Link:

https://www.hybrid-analysis.com/sample/309f4640fc51834ff7521ca752715c23ec8f7859c78cedb849538bf29c9fb45d

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/734da1e5-4de7-4f58-9443-e8302942a19e

Result

Threat name:

RHADAMANTHYS

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1180195

Signature

Allocates memory in foreign processes

Antivirus detection for dropped file

Creates processes via WMI

Found many strings related to Crypto-Wallets (likely being stolen)

Found potential ransomware demand text

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/309f4640fc51834ff7521ca752715c23ec8f7859c78cedb849538bf29c9fb45d/

Threat name:

Win32.Spyware.Rhadamanthys

Status:

Malicious

First seen:

2023-02-22 01:58:10 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 25 (68.00%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gcpumqh4kgbu752sdstve4k4epwi66czy6go3ocjkof7fhe7wroq._file

Verdict:

malicious

Rhadamanthys

140f170d8b83611cb8897164be174495dc51961dc34fbccc9a714917cc341b8f

Rhadamanthys

1d80b8ed824382630f9b336695f0c03670894b9a107951c74ccc5f287a3e37c6

Rhadamanthys

320bf1b89342b15959fb29c944089d8d6e3c23108cdced1c912b0ea639000ba7

Rhadamanthys

5fc3376cb40e9e8f22785c7b90e9e2c00acff1521f65691b33d9dc07195d0e8c

Rhadamanthys

8a8bf4a261ae984007e0da758f9c8c9c609beb83041e91d036ff4ef0ed1bb328

Rhadamanthys

9c451b7e511afb61a558aea621c50f1b61efa061ddb259483261e70158a305df

Rhadamanthys

f8c0451352782c2b6efd3fd5a6d6528ab4009b4b3c46e8064c6079be792667e4

Rhadamanthys

+ 194 additional samples on MalwareBazaar

Result

Malware family:

rhadamanthys

Score:

10/10

Tags:

family:rhadamanthys collection persistence stealer

Link:

https://tria.ge/reports/230222-cdtt7sbc7w/

Behaviour

Checks processor information in registry

GoLang User-Agent

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Accesses Microsoft Outlook profiles

Adds Run key to start application

Executes dropped EXE

Loads dropped DLL

Detect rhadamanthys stealer shellcode

Rhadamanthys

Unpacked files

SH256 hash:

309f4640fc51834ff7521ca752715c23ec8f7859c78cedb849538bf29c9fb45d

MD5 hash:

63a91428d48ffcbc3aea18385a50007c

SHA1 hash:

060422457c194dafa447c5b92e96ad6d46dca50e

Link:

https://www.unpac.me/results/0e47eb36-8bc9-45a4-99e1-cea186dae7e9/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/309f4640fc51/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/309f4640fc51834ff7521ca752715c23ec8f7859c78cedb849538bf29c9fb45d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/368780/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample