MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c41412eb5d424cbf29a62862bc2ccc0ba89c32c27e36f5c74a8d16a82fe2331. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 14

Intelligence 14 IOCs YARA 5 File information Comments

SHA256 hash:	3c41412eb5d424cbf29a62862bc2ccc0ba89c32c27e36f5c74a8d16a82fe2331
SHA3-384 hash:	c04da75bbb8eb87162645e59bdbc2ed775db457a1f861be9f470195bb3d4ac9ae046df1df6a191e5966a62b27475fe22
SHA1 hash:	f3e83274b2ac15a501d00c9ec2ff85b2f4f135a4
MD5 hash:	0492a562ceee12e6db78b77aa191e267
humanhash:	nineteen-jersey-comet-arkansas
File name:	file
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	1'736'840 bytes
First seen:	2023-03-07 14:57:17 UTC
Last seen:	2023-03-07 18:00:59 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	151f536da17206958ed89113fe3ba656 (1 x Rhadamanthys)
ssdeep	49152:Qh4FhhuZD6yJ+aJLSHvg1+Bn3ceAhFkXXVS8DO2F4PNKscRDSsj5xjo0fc8VZK0R:RKze3ns8Cna
Threatray	409 similar samples on MalwareBazaar
TLSH	T14085E10C6D504120EBEC72BBC561D2A073396D76AB5940C372C66E9726266C8FCBDF39
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0d61e9d8d8f17154 (1 x Rhadamanthys)
Reporter	andretavare5
Tags:	exe Rhadamanthys signed

Code Signing Certificate

Organisation:	fruit.com
Issuer:	Go Daddy Secure Certificate Authority - G2
Algorithm:	sha256WithRSAEncryption
Valid from:	2022-10-22T18:52:40Z
Valid to:	2023-11-23T03:18:12Z
Serial number:	921ccd0c5208460a
Thumbprint Algorithm:	SHA256
Thumbprint:	813594c3059d22e7a0adc3084cd7fe8f1277faed94f65d51ea8db278310fda48
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

andretavare5

Sample downloaded from http://15.204.49.145/files/New1.exe

Intelligence

File Origin

# of uploads :

# of downloads :

241

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Suspicious activity

Analysis date:

2023-03-07 15:00:08 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/1f01c50a-2f0c-47ec-9638-b40d447f2552

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/372374/

Detection(s):

SecuriteInfo.com.Variant.Tedy.307213.992.5401.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

DNS request

Launching a process

Creating a file in the %temp% directory

Sending a custom TCP request

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Detecting VM

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/640750fb25b93195379089d5/reports/bef8156f-eb01-41b0-a6c9-7c3ef1220246/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/3c41412eb5d424cbf29a62862bc2ccc0ba89c32c27e36f5c74a8d16a82fe2331

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Mustang Panda

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2913fcfb-1f66-4834-96ba-a3436f976259

Result

Threat name:

RHADAMANTHYS, lgoogLoader

Detection:

malicious

Classification:

troj.evad.phis.bank.spyw.expl

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1188687

Signature

Allocates memory in foreign processes

Checks if the current machine is a virtual machine (disk enumeration)

Contain functionality to detect virtual machines

Contains functionality to infect the boot sector

Contains functionality to inject code into remote processes

Hides threads from debuggers

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Snort IDS alert for network traffic

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected lgoogLoader

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3c41412eb5d424cbf29a62862bc2ccc0ba89c32c27e36f5c74a8d16a82fe2331/

Threat name:

Win32.Ransomware.Strab

Status:

Malicious

First seen:

2023-03-07 00:54:01 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 25 (64.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hrauclvv2qsmx4u2mkdcxqwmyc5itqzme7rw6xduvdiwvax6emyq._file

Verdict:

malicious

Rhadamanthys

27d3d5fe5fba171eb2244f07692441be38c7308507b446977a377bff17bb5904

Rhadamanthys

3549e650f927dd1c2499c83577f499df00b410c1e01c4a3a0903ed67296a9473

Rhadamanthys

3a156d1223d2420acadac6e2b8e9f27c4724515b4bf456fd34b4ad3aff36a8c4

Rhadamanthys

3ce93785a441fb0908cf3ceed6dd1fe76a9d5133ed52ca7b278dc5d81f8fb1f0

Rhadamanthys

5d0a0c2194f2761cadcc2944ba1397950f120c1e691a8eacd185eba576a36f0d

Rhadamanthys

6a7afb8f7f2a67c98cd75d271fa90b7466adcfd86012fc62e88d5f345d8433d6

Rhadamanthys

9f1ea67ba5281a92142a5daf50f99030fa7778ffeaf2a33c109a4bc95daeb453

Rhadamanthys

b10a2b32b0de00faddaf167bef405952be39d31f0236aaedc975654ef70f6800

Rhadamanthys

b2842c5a354d92ad4ae55a788519408ed4acc2b26cd068fb636596d6f3741c9c

Rhadamanthys

+ 399 additional samples on MalwareBazaar

Result

Malware family:

rhadamanthys

Score:

10/10

Tags:

family:lgoogloader family:rhadamanthys downloader stealer

Link:

https://tria.ge/reports/230307-sb6c8aae54/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Loads dropped DLL

Detect rhadamanthys stealer shellcode

Detects LgoogLoader payload

LgoogLoader

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Unpacked files

SH256 hash:

ecad10c0e5e434b93b2bb65e8d503515480ec4959198ee49ebfa64e9a92e49cb

MD5 hash:

d6fb2b2f12e094c839332dba8c059f9f

SHA1 hash:

210602d76422806f8f06f0937f0bb2a1612ae2d8

Link:

https://www.unpac.me/results/fb6fc955-44ba-4170-804c-14b1667b4943/

SH256 hash:

3c41412eb5d424cbf29a62862bc2ccc0ba89c32c27e36f5c74a8d16a82fe2331

MD5 hash:

0492a562ceee12e6db78b77aa191e267

SHA1 hash:

f3e83274b2ac15a501d00c9ec2ff85b2f4f135a4

Link:

https://www.unpac.me/results/fb6fc955-44ba-4170-804c-14b1667b4943/

Malware family:

Vidar.A

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/3c41412eb5d4/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.96

Link:

https://yomi.yoroi.company/submissions/3c41412eb5d424cbf29a62862bc2ccc0ba89c32c27e36f5c74a8d16a82fe2331

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by

PrivateLoader

Delivery method

Distributed via drive-by

Cape

https://www.capesandbox.com/analysis/372374/

URLhaus

https://urlhaus.abuse.ch/url/2561815/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample