MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 563458d0d35d3e4a7809630809229fbe2977eabeb8639ceb677426308c156a3c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	563458d0d35d3e4a7809630809229fbe2977eabeb8639ceb677426308c156a3c
SHA3-384 hash:	4ba240637ed3f4aa5cb830af84b13f481d659978ecd1e7db7e3af6ab56542c0743916670e16bb4cdddac0646b8a5dc25
SHA1 hash:	d0b477cf1d81182a2c0357432bd6b3e7a2bc43d4
MD5 hash:	27e018559bc0216c98fb188d3a3a8209
humanhash:	bacon-bacon-oranges-skylark
File name:	SecuriteInfo.com.Variant.Zusy.448594.20833.28207
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	183'808 bytes
First seen:	2023-02-24 13:36:13 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f214c5f744673db93dec4b219265fbc2 (11 x Rhadamanthys)
ssdeep	3072:bwevYpKTDMDUqfuuE46lC4PQyfHU6Ig4cjnjFRpbll/XbqefxlS3ETgmBN8vqI5L:sevY8mlu3wB4HzlrzPOefxoEBK7
Threatray	213 similar samples on MalwareBazaar
TLSH	T17F04E118B2D1C0B5E99B023158BCCA7729FD3E5B8BB0DA47779C19C75D312B896292C3
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	SecuriteInfoCom
Tags:	exe Rhadamanthys

Intelligence

File Origin

# of uploads :

# of downloads :

211

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SecuriteInfo.com.Variant.Zusy.448594.20833.28207

Verdict:

Malicious activity

Analysis date:

2023-02-24 13:48:20 UTC

Tags:

rhadamanthys

Link:

https://app.any.run/tasks/ccdc1c19-8d67-4b5b-ac20-0095ef0afd25

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/369459/

Detection(s):

SecuriteInfo.com.Variant.Zusy.448594.20833.28207.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Sending an HTTP GET request

Launching a process

Reading critical registry keys

Unauthorized injection to a system process

Stealing user critical data

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

greyware shell32.dll zusy

Link:

https://www.filescan.io/uploads/63f8bd80589e1e4c5bd8b681/reports/f8a20869-9426-40e8-8948-17b5bece603b/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/563458d0d35d3e4a7809630809229fbe2977eabeb8639ceb677426308c156a3c

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2a93f415-a846-4d3e-8911-884873325764

Result

Threat name:

RHADAMANTHYS

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1181951

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

Found many strings related to Crypto-Wallets (likely being stolen)

Found potential ransomware demand text

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/563458d0d35d3e4a7809630809229fbe2977eabeb8639ceb677426308c156a3c/

Threat name:

Win32.Spyware.Rhadamanthys

Status:

Malicious

First seen:

2023-02-24 13:37:07 UTC

File Type:

PE (Exe)

AV detection:

20 of 25 (80.00%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ky2frugtlu7eu6ajmmeasiu7xyuxp2v6xbrzz23hoqtdbdavni6a._file

Verdict:

malicious

Rhadamanthys

140f170d8b83611cb8897164be174495dc51961dc34fbccc9a714917cc341b8f

Rhadamanthys

1d80b8ed824382630f9b336695f0c03670894b9a107951c74ccc5f287a3e37c6

Rhadamanthys

309f4640fc51834ff7521ca752715c23ec8f7859c78cedb849538bf29c9fb45d

Rhadamanthys

320bf1b89342b15959fb29c944089d8d6e3c23108cdced1c912b0ea639000ba7

Rhadamanthys

7aadc76471387981789a8aa1d2c34ed48b79f84febe3160feea5f32c4aaaceb7

Rhadamanthys

7d16edee6fbccf5bcb73691b8f69113f3e80c804d66b49e71be48ef21eea30b5

Rhadamanthys

91ae44bd5a35834354cc69c2e04f9260cbf7025d18ec59af558f4213b81d7403

Rhadamanthys

+ 203 additional samples on MalwareBazaar

Result

Malware family:

rhadamanthys

Score:

10/10

Tags:

family:rhadamanthys collection stealer

Link:

https://tria.ge/reports/230224-qwth2sbe23/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Accesses Microsoft Outlook profiles

Detect rhadamanthys stealer shellcode

Rhadamanthys

Unpacked files

SH256 hash:

563458d0d35d3e4a7809630809229fbe2977eabeb8639ceb677426308c156a3c

MD5 hash:

27e018559bc0216c98fb188d3a3a8209

SHA1 hash:

d0b477cf1d81182a2c0357432bd6b3e7a2bc43d4

Link:

https://www.unpac.me/results/045f368b-366a-4ca4-a0b2-44470ff07640/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/563458d0d35d/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/563458d0d35d3e4a7809630809229fbe2977eabeb8639ceb677426308c156a3c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

exe 563458d0d35d3e4a7809630809229fbe2977eabeb8639ceb677426308c156a3c

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2549931/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/369459/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample