MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a3be4d63ea60273d2a4eda55d735e5f5066d564b9512ef0852e075e684bdd46. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Rhadamanthys


Vendor detections: 7


Intelligence 7 IOCs YARA 8 File information Comments

SHA256 hash: 3a3be4d63ea60273d2a4eda55d735e5f5066d564b9512ef0852e075e684bdd46
SHA3-384 hash: 93dbec71d009b915af8ec7254b0de182e45c70ee2a6aa327a24560d2c7a9de6abedaef9b7b74c1666b703fae8d3d73b3
SHA1 hash: 5febed4da5b50050861d383b18e1f39da46db117
MD5 hash: 279a95fafae69357deaea9e7597cb30b
humanhash: ten-bakerloo-pluto-florida
File name:Faersafe_setup.exe
Download: download sample
Signature Rhadamanthys
File size:65'704'512 bytes
First seen:2025-02-15 14:08:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (587 x GuLoader, 130 x RemcosRAT, 84 x EpsilonStealer)
ssdeep 1572864:vzk0qbeCQptPAujM/hqDkJO3Tre6+dupOrmU:vzDqbdQptk5qDgO3ve6+dupOaU
TLSH T193E733D00BCFD50ECA08E8B99783602FB54E37E2F8F48E599595627F6D61E8ACC04527
TrID 37.3% (.EXE) Win64 Executable (generic) (10522/11/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.9% (.EXE) Win32 Executable (generic) (4504/4/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon 80fe0e86fe06df0b (2 x Rhadamanthys)
Reporter SquiblydooBlog
Tags:Atlas Care Homes Limited exe Rhadamanthys signed

Code Signing Certificate

Organisation:Atlas Care Homes Limited
Issuer:SSL.com EV Code Signing Intermediate CA RSA R3
Algorithm:sha256WithRSAEncryption
Valid from:2024-12-18T12:45:32Z
Valid to:2025-12-18T12:45:32Z
Serial number: 5620cb4e2216d472159087aab6485186
Intelligence: 7 malware samples on MalwareBazaar are signed with this code signing certificate
Cert Graveyard Blocklist:This certificate is on the Cert Graveyard blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 606937a60defd1d19183a5dd45a74e67298ee645f1a9b52ba60d2fdd2d2216e4
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads :
1
# of downloads :
433
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Faersafe_setup.exe
Verdict:
No threats detected
Analysis date:
2025-01-31 16:38:28 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Searching for the window
Сreating synchronization primitives
Creating a process from a recently created file
Creating a window
Searching for synchronization primitives
Unauthorized injection to a recently created process
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Changing a file
Connection attempt
Sending an HTTP GET request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context blackhole installer microsoft_visual_cc obfuscated overlay signed
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.evad
Score:
66 / 100
Signature
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Drops large PE files
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1615828 Sample: Faersafe_setup.exe Startdate: 15/02/2025 Architecture: WINDOWS Score: 66 67 x.ns.gin.ntt.net 2->67 69 voicesharped.com 2->69 71 15 other IPs or domains 2->71 89 Suricata IDS alerts for network traffic 2->89 91 Malicious sample detected (through community Yara rule) 2->91 93 Connects to many ports of the same IP (likely port scanning) 2->93 11 Faersafe_setup.exe 180 2->11         started        signatures3 process4 file5 57 C:\Users\user\AppData\Local\...\nsis7z.dll, PE32 11->57 dropped 59 C:\Users\user\AppData\Local\...\System.dll, PE32 11->59 dropped 61 C:\Users\user\AppData\Local\...\vulkan-1.dll, PE32+ 11->61 dropped 63 14 other files (none is malicious) 11->63 dropped 99 Drops large PE files 11->99 15 Faersafe.exe 54 11->15         started        signatures6 process7 dnsIp8 87 95.216.224.46, 49877, 49885, 80 HETZNER-ASDE Germany 15->87 53 C:\games\DDR5_NetCache\qtZint.exe, PE32 15->53 dropped 55 C:\games\DDR5_NetCachextractJPEGcmd.exe, PE32 15->55 dropped 19 explorer.exe 54 1 15->19 injected 21 Faersafe.exe 9 15->21         started        24 qtZint.exe 2 15->24         started        26 4 other processes 15->26 file9 process10 dnsIp11 28 svchost.exe 19->28         started        32 svchost.exe 19->32         started        34 MSBuild.exe 19->34         started        73 162.159.61.3, 443, 49933 CLOUDFLARENETUS United States 21->73 75 chrome.cloudflare-dns.com 172.64.41.3, 443, 49932 CLOUDFLARENETUS United States 21->75 process12 dnsIp13 79 ntp.time.nl 94.198.159.14 SIDNNL Netherlands 28->79 81 x.ns.gin.ntt.net 129.250.35.250 NTT-COMMUNICATIONS-2914US United States 28->81 85 4 other IPs or domains 28->85 101 Tries to harvest and steal browser information (history, passwords, etc) 28->101 36 wmprph.exe 28->36         started        39 chrome.exe 28->39         started        42 msedge.exe 28->42         started        83 45.91.193.85 HOSTCRAMHostCramLLCUS Germany 32->83 103 System process connects to network (likely due to code injection or exploit) 32->103 105 Switches to a custom stack to bypass stack traces 32->105 44 WerFault.exe 34->44         started        signatures14 process15 dnsIp16 95 Writes to foreign memory regions 36->95 97 Allocates memory in foreign processes 36->97 46 dllhost.exe 36->46         started        77 239.255.255.250 unknown Reserved 39->77 48 chrome.exe 39->48         started        51 msedge.exe 42->51         started        signatures17 process18 dnsIp19 65 127.0.0.1 unknown unknown 48->65
Gathering data
Result
Malware family:
n/a
Score:
  8/10
Tags:
adware discovery persistence privilege_escalation stealer
Behaviour
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Uses Task Scheduler COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Program Files directory
Drops file in System32 directory
Checks installed software on the system
Installs/modifies Browser Helper Object
Checks computer location settings
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Boot or Logon Autostart Execution: Active Setup
Downloads MZ/PE file
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Author:malware-lu
Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:pe_imphash
Rule name:reverse_http
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:Windows_Trojan_Donutloader_f40e3759
Author:Elastic Security

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::SetFileSecurityW
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileExW
KERNEL32.dll::MoveFileW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments