MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3afa8aa568f26c6dcc9e6b32f376def4d0f54912ca431490e3b6558044fb2368. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	3afa8aa568f26c6dcc9e6b32f376def4d0f54912ca431490e3b6558044fb2368
SHA3-384 hash:	702b0280fef0b44a13b33059e5506e2fd332550e12d69b90725dc401a2579f63d6e0e636a3c6e1d61509723f33dc4378
SHA1 hash:	13214cef92635200f74f68a35e91fcaa7d83fcdd
MD5 hash:	45d4fe22891d51f31bfa2f4c986802bc
humanhash:	lactose-one-kitten-lactose
File name:	45d4fe22891d51f31bfa2f4c986802bc.exe
Download:	download sample
Signature	Rhadamanthys Alert Create hunting rule
File size:	421'376 bytes
First seen:	2023-05-08 18:26:19 UTC
Last seen:	2023-05-13 22:43:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ec3b305847682dd9c2dbedc61abf8a39 (1 x Rhadamanthys, 1 x Smoke Loader)
ssdeep	6144:w+6NrfXS17AktlYEk+fySN4nan2o0wVr920GmowUO:x6NrfUtlvk+qSNQo1z20Gml
Threatray	328 similar samples on MalwareBazaar
TLSH	T1DE947C1263E1ECE0F5264A72CE1ED7E8771FFD918E4537EB6218AA1F09B01A1C572712
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	002060c0c6632100 (1 x Rhadamanthys, 1 x Fabookie)
Reporter	abuse_ch
Tags:	exe Rhadamanthys

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

272

Origin country :

NL

Vendor Threat Intelligence

ANY.RUN Malicious

Malware family:

n/a

ID:

1

File name:

45d4fe22891d51f31bfa2f4c986802bc.exe

Verdict:

Malicious activity

Analysis date:

2023-05-08 18:26:39 UTC

Tags:

rhadamanthys

Link:

https://app.any.run/tasks/1b47a577-e360-44ac-9f57-bdb54daaedf2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox Rhadamanthys

Detection:

Rhadamanthys

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/387597/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Win32.TrojanX-gen.13921.23108.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

FileScan.IO Suspicious

Verdict:

Suspicious

Threat level:

  5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/64593ef71c5e671712074f57/reports/3ac741a6-9e43-4e62-9432-b4c0338c4509/overview

Hybrid Analysis Win/malicious_confidence_100%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/3afa8aa568f26c6dcc9e6b32f376def4d0f54912ca431490e3b6558044fb2368

InQuest UNKNOWN

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Generic Malware

Malware family:

Generic Malware

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/8a74fb1d-cf93-40e3-a879-069832e02375

Joe Sandbox RHADAMANTHYS

Result

Threat name:

RHADAMANTHYS

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1228567

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3afa8aa568f26c6dcc9e6b32f376def4d0f54912ca431490e3b6558044fb2368/

ReversingLabs TitaniumCloud Win32.Spyware.Rhadamanthys

Threat name:

Win32.Spyware.Rhadamanthys

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-05-08 18:27:07 UTC

File Type:

PE (Exe)

Extracted files:

75

AV detection:

19 of 24 (79.17%)

Threat level:

  2/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hl5ivjli6jwg3te6nmzpg5w66tipksiszjbrjehdwzkyarh3enua._file

Threatray malicious

Verdict:

malicious

Similar samples:

25caeb36fb7ad4771b9da34ef66f247e1fd454ddac33ba35a18d01565fe8121a

Rhadamanthys

2a47c2d84f330efa04265b34e7dc1fd149954c5f1110c6896414f313b7ce17a2

Rhadamanthys

3b9d0e62c06caeaf4244ff2fb275a1919fd9e14243fb436dce313c8d9b89faa4

Rhadamanthys

4532489becbdf07bc0a932486ab95b497113f5600c7646b635eaea9bcfa430cd

Rhadamanthys

99c1e9b26ff369764907dd0576d3ac4d9aa4db2f8a85fea23a6dd22ff6df1922

Rhadamanthys

c71c91c8c6cdb4cc17f2777a9078e0863f1e9ec76555043e85286af14fe275d4

Rhadamanthys

c7e1d534ed1a723b3aaecf3a257cf2f1bea5b46fb91b8510d9ae9523a3caf457

Rhadamanthys

ccad7b6f65bf0381e93cabfceeb6e0bc5f838a37112981733b7f719f8d90087e

Rhadamanthys

d4547527c24bd286f9218a7d165c520e53af7e17e59b475df5d14a45a4e92221

Rhadamanthys

+ 318 additional samples on MalwareBazaar

Hatching Triage rhadamanthys

Result

Malware family:

rhadamanthys

Alert

Create hunting rule

Score:

  10/10

Tags:

family:rhadamanthys stealer

Link:

https://tria.ge/reports/230508-w3q96adh3x/

Behaviour

Detect rhadamanthys stealer shellcode

Rhadamanthys

Malware Config

C2 Extraction:

http://179.43.142.201/img/favicon.png

UnpacMe 2

Unpacked files

SH256 hash:

1797d67afc3879e8f47e41f157a56268a4a615f3e9b1e40c0b187a7915ee4107

MD5 hash:

9f086efa5c76a33e52fd2c925de924d3

SHA1 hash:

959399bcdd9e81bdb546f9559514dfad357f1361

Link:

https://www.unpac.me/results/b8124fb1-13e4-4f4c-9de2-a397e2afd0ac/

SH256 hash:

3afa8aa568f26c6dcc9e6b32f376def4d0f54912ca431490e3b6558044fb2368

MD5 hash:

45d4fe22891d51f31bfa2f4c986802bc

SHA1 hash:

13214cef92635200f74f68a35e91fcaa7d83fcdd

Link:

https://www.unpac.me/results/b8124fb1-13e4-4f4c-9de2-a397e2afd0ac/

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3afa8aa568f26c6dcc9e6b32f376def4d0f54912ca431490e3b6558044fb2368

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

exe 3afa8aa568f26c6dcc9e6b32f376def4d0f54912ca431490e3b6558044fb2368

(this sample)

  

URLhaus

https://urlhaus.abuse.ch/url/2525167/

  

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/387597/