MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 415850683b95d1e1521a05b0f67758543cfa79c8977611ccbc22b2dcdace0020. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 12


SHA256 hash: 415850683b95d1e1521a05b0f67758543cfa79c8977611ccbc22b2dcdace0020
SHA3-384 hash: 7713fe84c7209707759fc3293d17ce72a7ebb9d677f3b2935926dbbc52c7046c0afdbaef6c901ed8551305ab3b2a2c13
SHA1 hash: f5e4abc7a40beedd27d04842d5cac81f13ce3b1e
MD5 hash: 58d6cd985c8865d9c7c8f6c993050a61
humanhash: salami-kentucky-football-shade
File name: Installer.exe
Signature: Rhadamanthys
File size: 12'796'421 bytes
First seen: 2023-03-06 04:48:00 UTC
Last seen: 2023-03-06 06:37:28 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 196608:lo+xqz+AJG3s8Xdw8QROIXT0y3KtszRbkeXVAhaHSd8JgZM4z0N:lokqz+Aqftw8QRjXL6i+gVAHag2Y0N
Threatray 234 similar samples on MalwareBazaar
TLSH T13FD622F08D92FE81D7AF2D8480DC29C08C6C1B9B865D8648FCC85817EAA5654FFDD2B5
TrID 63.0% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
11.2% (.SCR) Windows screen saver (13097/50/3)
9.0% (.EXE) Win64 Executable (generic) (10523/12/4)
5.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
3.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter MalwareSearcher
Tags: exe malware Rhadamanthys

MalwareSearcher
https://www.mediafire.com/file/7hrat9jpjqgnvdc/Installer.zip/file
pass 2022

Intelligence


File Origin
# of uploads: 2
# of downloads: 365
Origin country: NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Installer.exe
Verdict:
Malicious activity
Analysis date:
2023-03-06 04:50:57 UTC
Tags:
rhadamanthys

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Launching a process
Creating a process with a hidden window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
overlay packed
Result
Verdict:
MALICIOUS
Gathering data
Result
Threat name:
RHADAMANTHYS
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Checks if the current machine is a virtual machine (disk enumeration)
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential ransomware demand text
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected Generic Downloader
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 820378
Sample: Installer.exe
Startdate: 06/03/2023
Architecture: WINDOWS
Score: 100

Sample-level signatures:
  Snort IDS alert for network traffic
  Antivirus / Scanner detection for submitted sample
  Yara detected RHADAMANTHYS Stealer
  6 other signatures

Process tree:
  Installer.exe (started)
    dropped: C:\Users\user\...\Jhdilvbovstrh_0.4.1.exe, PE32
    dropped: C:\Users\user\AppData\...\Installer.exe.log, ASCII
    signatures: Encrypted powershell cmdline option found
                Writes to foreign memory regions
                Allocates memory in foreign processes
                Injects a PE file into a foreign processes
    Jhdilvbovstrh_0.4.1.exe (started)
      signatures: Query firmware table information (likely to detect VMs)
                  Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
                  Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                  5 other signatures
      dllhost.exe (started)
        signatures: Tries to harvest and steal browser information (history, passwords, etc)
    powershell.exe (started)
      conhost.exe (started)
    InstallUtil.exe (started)
    2 other processes (started)
Threat name:
Win32.Spyware.Rhadamanthys
Status:
Malicious
First seen:
2023-03-06 05:01:26 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
17 of 25 (68.00%)
Threat level:
2/5
Result
Malware family:
rhadamanthys
Score:
10/10
Tags:
family:rhadamanthys evasion stealer
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks for VirtualBox DLLs, possible anti-VM trick
Checks system information in the registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Checks BIOS information in registry
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Looks for VMWare Tools registry key
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
Detect rhadamanthys stealer shellcode
Rhadamanthys
Unpacked files

SHA256 hash: d19fc153ba9752c157f76d537479e2df80baa8ad91d540ee5e68eb601ae47dbe
MD5 hash: fc6b7ba310c8aa06560ead0d0f3efdb1
SHA1 hash: fed948a13a2ea4d341cf5dbf314615f9721ec09b

SHA256 hash: f5cdf1e13a987a01efe1b0fcbc3085ac1c57e854f7de31b48e5f40a94ee51b46
MD5 hash: 1ee2940ac140e0ff75d2cfbda941d2e2
SHA1 hash: f373b5f7ba85ed05e316e294dbc7449ab16281f7

SHA256 hash: b3ae48becd2b442371210236f8198f07cd844195862db1b6ade13c6649463bb2
MD5 hash: 3167c2bf002a68941a1e5a67b6efd7b0
SHA1 hash: a514858655e72ded06ba58d8fb735d261bc40623

SHA256 hash: 415850683b95d1e1521a05b0f67758543cfa79c8977611ccbc22b2dcdace0020
MD5 hash: 58d6cd985c8865d9c7c8f6c993050a61
SHA1 hash: f5e4abc7a40beedd27d04842d5cac81f13ce3b1e
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Rhadamanthys
File type: Executable exe
SHA256 hash: 415850683b95d1e1521a05b0f67758543cfa79c8977611ccbc22b2dcdace0020 (this sample)

Delivery method
Distributed via web download

Comments