MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b33d9480f3dcbcbcf663c6c66acb149ac118cd8cbef1a2603715b9df6b21551. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	3b33d9480f3dcbcbcf663c6c66acb149ac118cd8cbef1a2603715b9df6b21551
SHA3-384 hash:	cb5e400d5052025b465f239f81006cc85e4b5ce7171f8c6beeb427a35b7b8ea859dbdde1628902b52d5c988cd311e17b
SHA1 hash:	0f1f6ed446e23551c38db12a5d61a81fe9329242
MD5 hash:	05c7aef3bfef4d322efbca5c0cd94669
humanhash:	papa-snake-washington-purple
File name:	05c7aef3bfef4d322efbca5c0cd94669.exe
Download:	download sample
Signature	Rhadamanthys Alert Create hunting rule
File size:	378'880 bytes
First seen:	2023-05-07 09:33:54 UTC
Last seen:	2023-05-13 22:40:00 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	cb0d32ad83907c8b5d9a97a27bcf3623 (2 x Rhadamanthys, 1 x Stop, 1 x Smoke Loader)
ssdeep	6144:stCzj7OQfLG0yRGR8uLDa9PewOUrk8kIinVHuxsZWL:Ss7OQfLcGR8UGdHFiH6TL
Threatray	324 similar samples on MalwareBazaar
TLSH	T10584AF137690B875E5570A318E2ACEB46E2EFC908F2567EB2B147A1F08706E1C57271F
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0020608080632100 (1 x Rhadamanthys)
Reporter	abuse_ch
Tags:	exe Rhadamanthys

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

263

Origin country :

NL

Vendor Threat Intelligence

ANY.RUN Malicious

Malware family:

n/a

ID:

1

File name:

05c7aef3bfef4d322efbca5c0cd94669.exe

Verdict:

Malicious activity

Analysis date:

2023-05-07 09:35:45 UTC

Tags:

rhadamanthys

Link:

https://app.any.run/tasks/9ac987bb-0acd-41e9-a4ad-29f63b40cbc6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox Rhadamanthys

Detection:

Rhadamanthys

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/387278/

ClamAV Detected

Detection(s):

SecuriteInfo.com.Trojan.GenericKDZ.99285.23288.21314.UNOFFICIAL

Alert

Create hunting rule

Dr. Web vxCube Malware

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

greyware packed tofsee

Link:

https://www.filescan.io/uploads/6457709370f3c757d074ebd4/reports/ec71b9a0-ec53-48e8-b7ff-1934dbf5b8a0/overview

Hybrid Analysis Win/malicious_confidence_100%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/3b33d9480f3dcbcbcf663c6c66acb149ac118cd8cbef1a2603715b9df6b21551

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Generic Malware

Malware family:

Generic Malware

Alert

Create hunting rule

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/15f6dd0c-9dca-4251-b6f9-58def990f81f

Joe Sandbox RHADAMANTHYS

Result

Threat name:

RHADAMANTHYS

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1227729

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AntiVM3

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3b33d9480f3dcbcbcf663c6c66acb149ac118cd8cbef1a2603715b9df6b21551/

ReversingLabs TitaniumCloud Win32.Spyware.Rhadamanthys

Threat name:

Win32.Spyware.Rhadamanthys

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-05-07 01:48:11 UTC

File Type:

PE (Exe)

Extracted files:

61

AV detection:

31 of 37 (83.78%)

Threat level:

  2/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hmz5ssaphxf4xt3ghrwgnlfrjgwbddgyzpxrujqdofnz35vscviq._file

Threatray malicious

Verdict:

malicious

Similar samples:

2a47c2d84f330efa04265b34e7dc1fd149954c5f1110c6896414f313b7ce17a2

Rhadamanthys

2d46060078a180d844d5c466209b357fecab66cf3bbd01f81222bcb5cc08906f

Rhadamanthys

4532489becbdf07bc0a932486ab95b497113f5600c7646b635eaea9bcfa430cd

Rhadamanthys

4dfc1a29a46d73e82d985a6ee4b3108580b82c73e0aeb1d16cba214c2d194863

Rhadamanthys

79b320749ba393a5745d16d4e4df8eb77224b25e8eb31e062879da32e2b89043

Rhadamanthys

843ab084fec468d0322c0adfeafb43d53c5d7f70288eefd8b6f0550a952b1b7e

Rhadamanthys

c8316c6f743acbc94875145b118ec10534cb8296c808c1e14c46cb2dd662fd57

Rhadamanthys

cfbb22ccceaa89c67a1139e72f65b1139c962ff4b8f6960389a58c5844d8e9dc

Rhadamanthys

ed31aebbc0ff4d4b3eaa34321b1323f93a738f0e41e08d6dce4b8d529bf77541

Rhadamanthys

fe652f4fe8a4ff5df293201042d1ff0206e1e34541a5ada6741c75be45f88f41

Rhadamanthys

+ 314 additional samples on MalwareBazaar

Hatching Triage rhadamanthys

Result

Malware family:

rhadamanthys

Alert

Create hunting rule

Score:

  10/10

Tags:

family:rhadamanthys stealer

Link:

https://tria.ge/reports/230507-ljszjaga6z/

Behaviour

Detect rhadamanthys stealer shellcode

Rhadamanthys

Malware Config

C2 Extraction:

http://179.43.142.201/img/favicon.png

UnpacMe 2

Unpacked files

SH256 hash:

1797d67afc3879e8f47e41f157a56268a4a615f3e9b1e40c0b187a7915ee4107

MD5 hash:

9f086efa5c76a33e52fd2c925de924d3

SHA1 hash:

959399bcdd9e81bdb546f9559514dfad357f1361

Link:

https://www.unpac.me/results/996bacf5-0970-4ce1-bf55-0e30024edc1d/

SH256 hash:

3b33d9480f3dcbcbcf663c6c66acb149ac118cd8cbef1a2603715b9df6b21551

MD5 hash:

05c7aef3bfef4d322efbca5c0cd94669

SHA1 hash:

0f1f6ed446e23551c38db12a5d61a81fe9329242

Link:

https://www.unpac.me/results/996bacf5-0970-4ce1-bf55-0e30024edc1d/

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

YOROI YOMI Malicious File

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3b33d9480f3dcbcbcf663c6c66acb149ac118cd8cbef1a2603715b9df6b21551

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

exe 3b33d9480f3dcbcbcf663c6c66acb149ac118cd8cbef1a2603715b9df6b21551

(this sample)

  

URLhaus

https://urlhaus.abuse.ch/url/2525167/

  

Delivery method

Distributed via web download

  

URLhaus

https://urlhaus.abuse.ch/url/2519959/

Cape

https://www.capesandbox.com/analysis/387278/