MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51698570a9c637ec0c9bc2b3ca6acb7edf3d7804c49b8eed33e82573950877dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 51698570a9c637ec0c9bc2b3ca6acb7edf3d7804c49b8eed33e82573950877dd
SHA3-384 hash: b17849fd964404f166859edf4331c779a4a4b22ea469a8feae818ebaa078d0ce22da5c18d320f0abeb5e15ec56fce469
SHA1 hash: 4f693736497e06c820b91597af84c6fece13408b
MD5 hash: 4cecb04d97630cc2d5cce80368b87fdd
humanhash: lima-whiskey-ohio-robert
File name:file
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:1'984'512 bytes
First seen:2024-11-23 18:15:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:V9W86NOdgpqDrR07KEJkDVO0/fHNWkxRV/06UNlI/suQE:q8fCq5ukDb/1TnNKm/s
Threatray 181 similar samples on MalwareBazaar
TLSH T1AF9533ADD6D8DB36E8C55739C721F7B045B1CE14E1F9311B82423F0139B2AA4E249ABD
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
File icon (PE):PE icon
dhash icon 134313133333130e (47 x Rhadamanthys)
Reporter Bitsight
Tags:exe Rhadamanthys


Avatar
Bitsight
url: http://31.41.244.11/files/rh.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
477
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2024-11-23 18:17:34 UTC
Tags:
rhadamanthys stealer
Link:
https://app.any.run/tasks/f32e1748-7ce7-4cff-a29c-5af0bf29dd29

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.W32.Themida.CT.gen.Eldorado.11373.5788.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67421be4b31374f09833e0a9
Tags:
spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Connection attempt
Sending a custom TCP request
DNS request
Sending a UDP request
Reading critical registry keys
Unauthorized injection to a recently created process
Creating a window
Unauthorized injection to a system process
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
explorer lolbin microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/67421be4fbec06b76a1a8aa5/reports/ba97d406-abf3-4876-a914-c50c21f06d54/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/51698570a9c637ec0c9bc2b3ca6acb7edf3d7804c49b8eed33e82573950877dd
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/92eac4d5-4f11-4c4e-8f36-682205f9f223
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1561559
Signature
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/51698570a9c637ec0c9bc2b3ca6acb7edf3d7804c49b8eed33e82573950877dd/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2024-11-23 18:16:12 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kfuyk4fjyy36yde3ykz4u2wlp3pt26aeysny53jt5asxhfiio7oq._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
cryptbot
Create hunting rule
Similar samples:
1103d24428005f23b7c88bdaafc615d1b4ed4320f3554e096712c80dfc4048f8
Rhadamanthys
1f53511b847a01a45e3d5d48f40dce79500175275dcf9606da1ee4864099ad8a
Rhadamanthys
6cd031908922840ee684d3c05294e7e071b500915b760c474f22c1def0df14bc
Rhadamanthys
7ccfae8644c3bc7439b88f2dc0de06bb5082de09b0bf5e143de17487ff252224
Rhadamanthys
84fa854d9295a49125aaa8faeb5f5a75f7d133dbbfb4831430e20d5d3dc417ac
Rhadamanthys
8cd2db13b9e1c30d9c1e7b233f1383c54cc794c501db03d92638c5c706a094e8
Rhadamanthys
9cafa33cd3dafee4f4a02a2ad8d1a9121cfaeae6cde95f3da647cff7d3e4914d
Rhadamanthys
ae9768a3474439037f053a672ffae03608fa3e127aa9927b0127b7a22825c62a
Rhadamanthys
b0212959666982690085eeaa577fbd02d9bbb2a6ae6851a8082deb03001af485
Rhadamanthys
error
Rhadamanthys
fd65a36e69c42ab79d3511669560c83de0aad638a178029363aff56afe144911
Rhadamanthys
+ 171 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery evasion
Link:
https://tria.ge/reports/241123-wwfj3szkg1/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1682f489-5a3a-472f-a601-ebcc146f0e5a
Unpacked files
SH256 hash:
a60dc7153f0786d80b1aaa2eb90f612f247c67cfe49fae0a642bbcf895e6d2da
MD5 hash:
883211af4aba5eb318d2e0f91afa3f9b
SHA1 hash:
f0a0b0192cbb7d6b8ef193d422f4052f4b98891f
Link:
https://www.unpac.me/results/dac8e4e4-33b4-410e-9c59-cb9c9c9dba2d/
SH256 hash:
56bfd4c6532ddf874f0bd8eb4971b5b3072a193ce35f0a8db9977d7f01d322d6
MD5 hash:
484cbe3e0038735723d82186037a9916
SHA1 hash:
a8ebc24ee90ecd3341e86af67f8177ce986a443d
Link:
https://www.unpac.me/results/dac8e4e4-33b4-410e-9c59-cb9c9c9dba2d/
SH256 hash:
51698570a9c637ec0c9bc2b3ca6acb7edf3d7804c49b8eed33e82573950877dd
MD5 hash:
4cecb04d97630cc2d5cce80368b87fdd
SHA1 hash:
4f693736497e06c820b91597af84c6fece13408b
Link:
https://www.unpac.me/results/dac8e4e4-33b4-410e-9c59-cb9c9c9dba2d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/51698570a9c6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/51698570a9c637ec0c9bc2b3ca6acb7edf3d7804c49b8eed33e82573950877dd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe 51698570a9c637ec0c9bc2b3ca6acb7edf3d7804c49b8eed33e82573950877dd

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3301160/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments