MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f4f6ba8137d0c529cc928b0c77f8a09b8a296d553de6312ca3e4edcd08f3391. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 14

Intelligence 14 IOCs YARA 1 File information Comments

SHA256 hash:	4f4f6ba8137d0c529cc928b0c77f8a09b8a296d553de6312ca3e4edcd08f3391
SHA3-384 hash:	78d4338f8fdbd463f9cc887c841347da0de9c1e60e401948158ea9931bba1538ea833e5af28c2126ab0ba3a331975ae6
SHA1 hash:	a54b040fe8734abaac0a721401f0c56d810b477a
MD5 hash:	f94041cd7a8c14d02d07a7ab26c28c26
humanhash:	whiskey-winner-orange-nine
File name:	setup.exe
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	305'664 bytes
First seen:	2023-04-24 00:25:33 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	cbb199b85bd7e99e36eb212e7f14e32a (4 x Smoke Loader, 2 x Stop, 2 x Rhadamanthys)
ssdeep	6144:GUhVOpWmHieie9ZzlWqU254G1lCBhyOz:8pLi+ZBWnhgO
Threatray	513 similar samples on MalwareBazaar
TLSH	T15754E0127AA0D873C45789714C61CBB46A3EFCA08695869B37583FBF3E312C21B77615
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 16.0% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	8080c090e8a84a90 (1 x Rhadamanthys)
Reporter	Chainskilabs
Tags:	exe Rhadamanthys

Intelligence

File Origin

# of uploads :

# of downloads :

274

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

setup.exe

Verdict:

Malicious activity

Analysis date:

2023-04-24 00:28:21 UTC

Tags:

rhadamanthys

Link:

https://app.any.run/tasks/5fe3a760-0e31-445a-9a73-d35c80b41582

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Sanesecurity.Malware.29231.BadIN.UNOFFICIAL

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Sending a custom TCP request

Сreating synchronization primitives

Sending an HTTP GET request

Launching a process

Reading critical registry keys

Searching for the window

Unauthorized injection to a system process

Stealing user critical data

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/81103/overview

Behaviour

MalwareBazaar

SystemUptime

CPUID_Instruction

MeasuringTime

CheckCmdLine

EvasionGetTickCount

EvasionQueryPerformanceCounter

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/6445cc9c809528e43aaaf36d/reports/e393407a-1a07-4156-8bf3-3cf020019780/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/4f4f6ba8137d0c529cc928b0c77f8a09b8a296d553de6312ca3e4edcd08f3391

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/766d477a-1a4e-4456-87ea-1b3cea2beb81

Result

Threat name:

RHADAMANTHYS

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1219595

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contain functionality to detect virtual machines

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to detect virtual machines (IN, VMware)

Contains functionality to hide a thread from the debugger

Contains functionality to inject code into remote processes

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Found potential ransomware demand text

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Searches for specific processes (likely to inject)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4f4f6ba8137d0c529cc928b0c77f8a09b8a296d553de6312ca3e4edcd08f3391/

Threat name:

Win32.Spyware.Rhadamanthys

Status:

Malicious

First seen:

2023-04-24 00:26:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

20 of 24 (83.33%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=j5hwxkatpugffhgjfcymo74kbg4kffwvkppggewkhzhnzuepgoiq._file

Verdict:

malicious

Rhadamanthys

309f4640fc51834ff7521ca752715c23ec8f7859c78cedb849538bf29c9fb45d

Rhadamanthys

399bc631edb3875dab6c101d3ecc1cca2d92a188dd365714e726f6c5ce9c5582

Rhadamanthys

4099b352c15d6191c8d98a823c9b95b58baa2bc1c308f06e6697562cd21c339f

Rhadamanthys

7aadc76471387981789a8aa1d2c34ed48b79f84febe3160feea5f32c4aaaceb7

Rhadamanthys

a19a2ccfc10090a33755dd12fc2f21192e5f7143605448187433fec059216af5

Rhadamanthys

b579df3a8607cb6b251ee319bdc8c1005ca3a6ed1e360eedf2433b3f6151d856

Rhadamanthys

b9ad234abeb1490f2c2d28dd2387f0575ba5128ebb799741b1f3179622204175

Rhadamanthys

ff500d61a43e135f0b3ca48e8c9e760e6d08fc0d9fc9b36ae7790dc2dbfba071

Rhadamanthys

+ 503 additional samples on MalwareBazaar

Result

Malware family:

rhadamanthys

Score:

10/10

Tags:

family:rhadamanthys collection stealer

Link:

https://tria.ge/reports/230424-aq7kqaad5w/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Detect rhadamanthys stealer shellcode

Rhadamanthys

Malware Config

C2 Extraction:

http://179.43.142.201/img/favicon.png

Unpacked files

SH256 hash:

1797d67afc3879e8f47e41f157a56268a4a615f3e9b1e40c0b187a7915ee4107

MD5 hash:

9f086efa5c76a33e52fd2c925de924d3

SHA1 hash:

959399bcdd9e81bdb546f9559514dfad357f1361

Link:

https://www.unpac.me/results/84b3b27b-07b1-4716-8fa7-540062fdc3e7/

SH256 hash:

4f4f6ba8137d0c529cc928b0c77f8a09b8a296d553de6312ca3e4edcd08f3391

MD5 hash:

f94041cd7a8c14d02d07a7ab26c28c26

SHA1 hash:

a54b040fe8734abaac0a721401f0c56d810b477a

Link:

https://www.unpac.me/results/84b3b27b-07b1-4716-8fa7-540062fdc3e7/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4f4f6ba8137d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4f4f6ba8137d0c529cc928b0c77f8a09b8a296d553de6312ca3e4edcd08f3391

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.