MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 488c331d38619439353960f4142748daeee729fb73f9535ba550aa6c830a0c7f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 488c331d38619439353960f4142748daeee729fb73f9535ba550aa6c830a0c7f
SHA3-384 hash: 563f1d509131b12cabc4d790db5bf4894c2d1f05bfcd2ca6990727462528587db6f007f2f25627d9b9ad916ee77cef9e
SHA1 hash: 9ae91c69a6dbf42641de70b5b596624410a55b19
MD5 hash: a4af22756182980975f6039209bcb6c4
humanhash: california-echo-happy-sixteen
File name:a4af22756182980975f6039209bcb6c4.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:562'176 bytes
First seen:2024-03-23 07:29:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b4904df65844c64eb772fc58b1bf956e (1 x Stealc, 1 x Rhadamanthys, 1 x Worm.Ramnit)
ssdeep 12288:8RRWUBcOjgPPH2yWRxwLQ+Pns8Nn1UKk0UM:8WWcOKObRxwLQMswn1UKk0UM
Threatray 134 similar samples on MalwareBazaar
TLSH T1F0C4D04272D1EC61E86287329E29C5E46A3EFC618E592B9733443F0F28F2191D673F52
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.9% (.EXE) Win32 Executable (generic) (4504/4/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.1% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 000808680a030600 (1 x Rhadamanthys, 1 x Worm.Ramnit)
Reporter abuse_ch
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
336
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
488c331d38619439353960f4142748daeee729fb73f9535ba550aa6c830a0c7f.exe
Verdict:
Suspicious activity
Analysis date:
2024-03-23 07:32:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4686c12a-eb60-4922-ba6c-456122d7f60b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Searching for the window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
fingerprint packed
Link:
https://www.filescan.io/uploads/65fe84fb7e414bfaaebd27c4/reports/7ac084f4-1ef5-4266-a95f-1aedc8b70272/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/488c331d38619439353960f4142748daeee729fb73f9535ba550aa6c830a0c7f
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8dde50c0-ef8f-4ef0-9c57-4fb356c4b829
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1414392
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/488c331d38619439353960f4142748daeee729fb73f9535ba550aa6c830a0c7f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/488c331d38619439353960f4142748daeee729fb73f9535ba550aa6c830a0c7f/
Threat name:
Win32.Spyware.Rhadamanthys
Create hunting rule
Status:
Malicious
First seen:
2024-03-22 20:38:42 UTC
File Type:
PE (Exe)
Extracted files:
37
AV detection:
21 of 24 (87.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jcgdghjymgkdsnjzmd2bij2i3lxookp3op4vgw5fkcvgzaykbr7q._file
Verdict:
malicious
Similar samples:
1fc92b44f6be765911febe55ccad61e184f84ab651f49f4e7095ffbe134e1ea2
Rhadamanthys
2bd79f3ea8e7650ef0547033c9526342d328caaf54d8a5cc0ab36f5f229e1704
Rhadamanthys
612300066252c3151883d30f69a9b287c323a4a484a35ca553c5a73d3f7d0cfc
Rhadamanthys
741a4adf79d60db1ff4d13e84129beffe78d2fd0be9e58b3b076052b121ad1b6
Rhadamanthys
b0f1d6defb63ca51dce41219e35f97ab8d89ec19c863f5b659fb8b05c1c92248
Rhadamanthys
+ 124 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/240323-jbsyfsee95/
Behaviour
Program crash
Unpacked files
SH256 hash:
bc5e95f6cdf9cb5a058e8a4eed0c5f0d9b64cd30f162723263250cdb29d16338
MD5 hash:
5aa6ba16a50ec2521164b27bfb18a8a0
SHA1 hash:
ee74ea1b92a83f6df4819bb7486a88fa11e830c6
Link:
https://www.unpac.me/results/f43daccc-4b49-4159-b562-0ee99d0be52a/
SH256 hash:
488c331d38619439353960f4142748daeee729fb73f9535ba550aa6c830a0c7f
MD5 hash:
a4af22756182980975f6039209bcb6c4
SHA1 hash:
9ae91c69a6dbf42641de70b5b596624410a55b19
Link:
https://www.unpac.me/results/f43daccc-4b49-4159-b562-0ee99d0be52a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/488c331d38619439353960f4142748daeee729fb73f9535ba550aa6c830a0c7f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe 488c331d38619439353960f4142748daeee729fb73f9535ba550aa6c830a0c7f

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2790112/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationUSER32.dll::GetUserObjectSecurity
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::FindFirstVolumeMountPointW
KERNEL32.dll::SetSystemPowerState
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetVolumeInformationA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::PeekConsoleInputA
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::ReadConsoleOutputCharacterA
KERNEL32.dll::SetConsoleTextAttribute
KERNEL32.dll::SetStdHandle
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
KERNEL32.dll::GetWindowsDirectoryA
KERNEL32.dll::RemoveDirectoryA
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::QueryDosDeviceW

Comments