MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53c6cac6324cc6ad36f9f9cb6c2a0911f53b5f6b4bd2ab64c767a178bf2a6647. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 8

Intelligence 8 IOCs YARA 7 File information Comments

SHA256 hash:	53c6cac6324cc6ad36f9f9cb6c2a0911f53b5f6b4bd2ab64c767a178bf2a6647
SHA3-384 hash:	ba5e08a84ead12e739572a5d328e8f001b42c2d1e47a662ceb7e848be548cc8b75258a1e2a32e38188ef21b9355c7cc0
SHA1 hash:	ea335a57a482c34b5fe7ecc469c5c9ee8a8b6e0d
MD5 hash:	6681697f721d002e271371058b6ab63f
humanhash:	mirror-oklahoma-paris-sodium
File name:	6681697f721d002e271371058b6ab63f.exe
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	1'441'792 bytes
First seen:	2023-10-06 14:15:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	b42856b54645aa24809a30270d5556cf (2 x Rhadamanthys)
ssdeep	24576:VZxCkFVRKgWS948r40OZrH+/NZhWmST7ufSKnYy3qJ8vlYAhl9kiO:HwkFVRKgWS948r40OZre/NvZS/FK33qR
Threatray	6 similar samples on MalwareBazaar
TLSH	T18865E011769088B5F6ABEFB34C78867A7C1D38D22F24C4CB2200569D7E731D25A71B6B
TrID	40.3% (.EXE) Win64 Executable (generic) (10523/12/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4505/5/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	d2d108a6d26a6c74 (2 x Rhadamanthys)
Reporter	abuse_ch
Tags:	exe Rhadamanthys

Intelligence

File Origin

# of uploads :

# of downloads :

279

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.HEUR.Trojan-Downloader.Win32.Agent.gen.4410.17742.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

DNS request

Sending a custom TCP request

Sending an HTTP GET request

Launching cmd.exe command interpreter

Creating a file in the %temp% directory

Creating a process from a recently created file

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Unauthorized injection to a system process

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/53c6cac6324cc6ad36f9f9cb6c2a0911f53b5f6b4bd2ab64c767a178bf2a6647

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/a8f9f63d-9bc3-42ec-8d69-1dbee48a6d24

Result

Threat name:

RHADAMANTHYS

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1321009

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to prevent local Windows debugging

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found hidden mapped module (file has been removed from disk)

Found malware configuration

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/53c6cac6324cc6ad36f9f9cb6c2a0911f53b5f6b4bd2ab64c767a178bf2a6647/

Threat name:

Win32.Spyware.Rhadamanthys

Status:

Suspicious

First seen:

2023-10-06 11:24:45 UTC

File Type:

PE (Exe)

Extracted files:

107

AV detection:

14 of 36 (38.89%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kpdmvrrsjtdk2nxz7hfwykqjch2twx3ljpjkwzghm6qxrpzkmzdq._file

Verdict:

unknown

Rhadamanthys

32bdffcac86dd59e793576a5f230c54d4d1c355229dd068f396c2ca4c75ac0cd

Rhadamanthys

4a35f8134f64ad28c5fe261d7cf15256ecd758566c2ddbf4bd962925502ade41

Rhadamanthys

70eec079b5317455429f24c081b6cf29c0f04d5708c4c2b767b76172643be57e

Rhadamanthys

d838c3ff4c5bc734ce3beb0101d2902731fe1f414eae611ecb427bb66d682f71

Rhadamanthys

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/231006-rk413seg24/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Loads dropped DLL

Unpacked files

SH256 hash:

53c6cac6324cc6ad36f9f9cb6c2a0911f53b5f6b4bd2ab64c767a178bf2a6647

MD5 hash:

6681697f721d002e271371058b6ab63f

SHA1 hash:

ea335a57a482c34b5fe7ecc469c5c9ee8a8b6e0d

Link:

https://www.unpac.me/results/24c2b15f-dd64-432d-ab40-f4afeb6dfdc6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/53c6cac6324cc6ad36f9f9cb6c2a0911f53b5f6b4bd2ab64c767a178bf2a6647

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BLOWFISH_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for Blowfish constants

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample