MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57b519e74d9726c8d2459bea68ce8d9b10f13689f37f45e5be3010d3f2b9d82b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 57b519e74d9726c8d2459bea68ce8d9b10f13689f37f45e5be3010d3f2b9d82b
SHA3-384 hash: 599dea73ce7af358fe2d0b582622b4bb253c76ddca061581130fab8e4c4f6de451aaae9414dcea7b994605be15dc3b7f
SHA1 hash: 378e489d27a9c883ff8fa5b0c64137156297ea2d
MD5 hash: a384fa95196f94e14b4ec5bba3effd42
humanhash: cola-green-king-william
File name:failure.hta
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:73'601 bytes
First seen:2024-03-18 13:32:58 UTC
Last seen:2024-03-18 14:09:00 UTC
File type:HTML Application (hta) hta
MIME type:application/octet-stream
ssdeep 1536:7gag8sEWUJrTK4vvVOEq6Aneq6nu+P3/h/b6JgvpktDti5Oz:I8sEWUJrTK4vvVOEq6Aneq6nu+P3/h/8
TLSH T1597347166E470E44D94C01B92E8E6BF0B5595EA435CB7DBE20DF7422DAF0C9A8D84ECC
Reporter rmceoin
Tags:hta


Avatar
rmceoin
LNK -> HTA -> EXE
82.115.223.234/Downloads/web3Interface.lnk
lastmodified: Tue, 12 Mar 2024 21:32:57 GMT
325e69a3da53c1afdf6fd56ea9e1ffc274415162fecdbd1f96deeace890a90ef
machine_identifier: win-2513okbpoh9
BlackCat (ALPHV)
->
82.115.223.234/Downloads/failure.hta
lastmodified: Mon, 11 Mar 2024 21:26:05 GMT
57b519e74d9726c8d2459bea68ce8d9b10f13689f37f45e5be3010d3f2b9d82b
->
82.115.223.234/Downloads/FailureFlooring.exe
lastmodified: Mon, 11 Mar 2024 20:16:04 GMT
459a487f878041e1c2968d416ebe4fcf021a754c5538f979999294c998902a77
Rhadamanthys stealer

Intelligence

File Origin
# of uploads :
2
# of downloads :
102
Origin country :
US US
Vendor Threat Intelligence
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin masquerade shell32
Link:
https://www.filescan.io/uploads/65f842965cd908a33db814f1/reports/c0c6af57-62da-4574-8400-8ff3eaf6ce0d/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/57b519e74d9726c8d2459bea68ce8d9b10f13689f37f45e5be3010d3f2b9d82b
Result
Verdict:
MALICIOUS
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1411462
Signature
Antivirus detection for URL or domain
Found suspicious powershell code related to unpacking or dynamic code loading
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Suspicious powershell command line found
Very long command line found
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1411462 Sample: failure.hta Startdate: 19/03/2024 Architecture: WINDOWS Score: 100 23 Multi AV Scanner detection for domain / URL 2->23 25 Malicious sample detected (through community Yara rule) 2->25 27 Antivirus detection for URL or domain 2->27 29 5 other signatures 2->29 8 mshta.exe 1 2->8         started        process3 signatures4 31 Suspicious powershell command line found 8->31 33 Very long command line found 8->33 11 powershell.exe 19 8->11         started        process5 signatures6 35 Found suspicious powershell code related to unpacking or dynamic code loading 11->35 14 powershell.exe 15 25 11->14         started        17 conhost.exe 11->17         started        process7 dnsIp8 21 82.115.223.234, 49709, 80 MIDNET-ASTK-TelecomRU Russian Federation 14->21 19 WmiPrvSE.exe 14->19         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/57b519e74d9726c8d2459bea68ce8d9b10f13689f37f45e5be3010d3f2b9d82b/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=k62rtz2ns4tmrusftpvgrtuntmipcnuj6n7ulzn6gainh4vz3avq._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/57b519e74d9726c8d2459bea68ce8d9b10f13689f37f45e5be3010d3f2b9d82b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:QbotStuff
Create hunting rule
Author:anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Quakbot

Shortcut (lnk) lnk 325e69a3da53c1afdf6fd56ea9e1ffc274415162fecdbd1f96deeace890a90ef

Rhadamanthys

HTML Application (hta) hta 57b519e74d9726c8d2459bea68ce8d9b10f13689f37f45e5be3010d3f2b9d82b

(this sample)

Rhadamanthys

Executable exe 459a487f878041e1c2968d416ebe4fcf021a754c5538f979999294c998902a77

  
Dropped by
SHA256 325e69a3da53c1afdf6fd56ea9e1ffc274415162fecdbd1f96deeace890a90ef
  
Dropping
SHA256 459a487f878041e1c2968d416ebe4fcf021a754c5538f979999294c998902a77
  
Dropping
MD5 b5f0ed87c2bf4b9c7581dbbf3378391f
  
Dropped by
MD5 93e23d5018b32f09f808f8b17616628a

Comments