MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 547c18da09aa11143e35bbb978f5b166a3f0c71fb3d283b81a6ba4ddc4438605. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

SHA256 hash:	547c18da09aa11143e35bbb978f5b166a3f0c71fb3d283b81a6ba4ddc4438605
SHA3-384 hash:	ea9e9e780c482d38421bca6b425482555b5cd7c68a080a6786f79e554420ee7a870fe7fd13a7a6fe0b1573b6a203132f
SHA1 hash:	36930668689e571914c0c77fc98dc3eb2d9f46a6
MD5 hash:	2881c642fff830480f98b5fb39905739
humanhash:	four-georgia-speaker-aspen
File name:	Order_pdf.exe
Download:	download sample
Signature	Rhadamanthys Alert Create hunting rule
File size:	511'488 bytes
First seen:	2023-07-12 10:06:28 UTC
Last seen:	2023-07-12 10:09:26 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	1ef9b36848c22fc248776468fce46241 (3 x RedLineStealer, 1 x Fabookie, 1 x Amadey)
ssdeep	6144:6ocLlu5i+q3m1xsgq0ncGtWoMdA3OKt+O6HAm+ThfP6c0Dqdz/Vb6eRuD7T:6LJu5OaeR0cuHKA3OKAuNOAzTRIv
Threatray	401 similar samples on MalwareBazaar
TLSH	T1E7B48C23D2927C50E965CB369E2EC3EC764EF6118F593B6D2218AE1B04B11F6C273761
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	b4f4e4ece4f4ec6c (1 x Rhadamanthys)
Reporter	Anonymous
Tags:	exe Rhadamanthys

Intelligence

---

File Origin

# of uploads :

2

# of downloads :

328

Origin country :

PL

Vendor Threat Intelligence

ANY.RUN Malicious

Malware family:

n/a

ID:

1

File name:

Order_pdf.exe

Verdict:

Malicious activity

Analysis date:

2023-07-12 10:09:55 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/db3794f4-45b2-4914-9538-24e90b320ee9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

CAPE Sandbox Rhadamanthys

Detection:

Rhadamanthys

Alert

Create hunting rule

Link:

https://www.capesandbox.com/analysis/416763/

ClamAV Detected

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Alert

Create hunting rule

Dr. Web vxCube Clean

Result

Verdict:

Clean

Maliciousness:

Certego Dragonfly Suspicious

Result

Malware family:

n/a

Score:

  9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/97264/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

CPUID_Instruction

EvasionQueryPerformanceCounter

EvasionGetTickCount

CheckCmdLine

FileScan.IO Malicious

Verdict:

Malicious

Threat level:

  10/10

Confidence:

100%

Tags:

greyware masquerade packed

Link:

https://www.filescan.io/uploads/64ae7b48730800029d38c048/reports/7ae19c54-3d82-4fe1-9894-75b722f89c91/overview

Hybrid Analysis Win/malicious_confidence_100%

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/547c18da09aa11143e35bbb978f5b166a3f0c71fb3d283b81a6ba4ddc4438605

InQuest MALICIOUS

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Intezer Unknown

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/9eeb86af-34d2-47a3-b201-7ce66f7cf3a4

Joe Sandbox RHADAMANTHYS

Result

Threat name:

RHADAMANTHYS

Alert

Create hunting rule

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1271619

Signature

C2 URLs / IPs found in malware configuration

Deletes itself after installation

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

CERT.PL MWDB

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/547c18da09aa11143e35bbb978f5b166a3f0c71fb3d283b81a6ba4ddc4438605/

ReversingLabs TitaniumCloud Win32.Trojan.Leonem

Threat name:

Win32.Trojan.Leonem

Alert

Create hunting rule

Status:

Malicious

First seen:

2023-07-12 10:07:06 UTC

File Type:

PE (Exe)

Extracted files:

64

AV detection:

20 of 24 (83.33%)

Threat level:

  5/5

Spamhaus Hash Blocklist Suspicious file

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kr6brwqjviiriprvxo4xr5nrm2r7bry7wpjihoa2nosn3rcdqycq._file

Threatray malicious

Verdict:

malicious

Similar samples:

033bebdf818560c4eba4837b7d7f29a25a0e6876dfa958c4c1dcd8b7665e4f48

Rhadamanthys

098c9f426ab6d50a39469ef17adcf10e50b5e91ff9a7594478354098909970df

Rhadamanthys

114210ddeecbf5dd4320338e5a3c5a156841ae1390732a2b71e324f161e32932

Rhadamanthys

1eb7e20cc13f622bd6834ef333b8c44d22068263b68519a54adc99af5b1e6d34

Rhadamanthys

63d564ee18cc7272f401612a4aa845c2f1be023f83cb1d851ff8f2986082927b

Rhadamanthys

73e8b7f7ff4e8cf3bb270bc8bcaccd204c104ada52e968ebd4b27fac81b401d0

Rhadamanthys

8af7fadc968927f6d8a4056e3d15808c254bbee4080985d03d377c361e467357

Rhadamanthys

bc1e4e6dd1eec20e8b6685d7e844a0ad045c0700210ef40f451e51dd9fa00910

Rhadamanthys

c48a7a57d515ae7471b153f2346e0286cdb5707683414d54cb8fa45553ac4087

Rhadamanthys

c99798d67cbf1e80040257eb9e68f62d966fe53443ca54e120e3a0379152ca80

Rhadamanthys

+ 391 additional samples on MalwareBazaar

Hatching Triage rhadamanthys

Result

Malware family:

rhadamanthys

Alert

Create hunting rule

Score:

  10/10

Tags:

family:rhadamanthys collection stealer

Link:

https://tria.ge/reports/230712-l5m1eacg46/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Program crash

Accesses Microsoft Outlook profiles

Deletes itself

Detect rhadamanthys stealer shellcode

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

UnpacMe win_brute_ratel_c4_w0

Unpacked files

SH256 hash:

16b315c742e3b8d3c058cdf97105155c73777c7db57435efc050671a94b84b08

MD5 hash:

c2a0def43d6ab92d72b4ad1bd3d5c152

SHA1 hash:

060646d8c9cc265ff962dd37fa3c780feb437e1a

Detections:

win_brute_ratel_c4_w0

Alert

Create hunting rule

Link:

https://www.unpac.me/results/3f7f83b4-6c0e-4896-bf10-9f3d571866a5/

SH256 hash:

547c18da09aa11143e35bbb978f5b166a3f0c71fb3d283b81a6ba4ddc4438605

MD5 hash:

2881c642fff830480f98b5fb39905739

SHA1 hash:

36930668689e571914c0c77fc98dc3eb2d9f46a6

Link:

https://www.unpac.me/results/3f7f83b4-6c0e-4896-bf10-9f3d571866a5/

VirusTotal

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

---

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/416763/