MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 591efac1879c1ec4079d2435e256d6ac654031cb477a0ba9b141c84a6ea51eb1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	591efac1879c1ec4079d2435e256d6ac654031cb477a0ba9b141c84a6ea51eb1
SHA3-384 hash:	e97989acba8fd3b0f813386e2a4466665da28d4b33f013bf2339a1d3e7b78d3ef873eb5934db5e0925d1caac2ce3782c
SHA1 hash:	e66f36181a32b2691fbb7d178d587b54bd95a217
MD5 hash:	497e535c7c59bfef37e092ae8f19c985
humanhash:	rugby-finch-equal-black
File name:	497e535c7c59bfef37e092ae8f19c985.exe
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	208'896 bytes
First seen:	2023-01-13 16:50:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e382229cbe1cfe84b080e0a3eda013fc (3 x Rhadamanthys)
ssdeep	6144:UC1N40Fnr0602TzhldWqIk6jKSxPMkPOR0:UC1VFng60OCHNMNK
Threatray	17'556 similar samples on MalwareBazaar
TLSH	T1B314F2B9207280B9DED7017B5D5846A26EF93E310764AB8F6F2CE0467EE01FD6029573
TrID	32.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 17.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 13.7% (.SCR) Windows screen saver (13097/50/3) 11.0% (.EXE) Win64 Executable (generic) (10523/12/4) 6.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Reporter	abuse_ch
Tags:	exe Rhadamanthys

Intelligence

File Origin

# of uploads :

# of downloads :

179

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-01-13 13:54:17 UTC

Tags:

trojan amadey opendir loader

Link:

https://app.any.run/tasks/910ca496-1a12-4b6f-9688-79823b40377f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/352676/

Detection(s):

SecuriteInfo.com.Trojan.GenericKD.64913274.17169.25401.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Detecting VM

Sending an HTTP GET request

Creating a file in the %AppData% directory

Launching a process

Deleting a recently created file

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/60083/overview

Behaviour

MalwareBazaar

CheckCmdLine

Verdict:

No Threat

Threat level:

2/10

Confidence:

67%

Tags:

greyware shell32.dll

Link:

https://www.filescan.io/uploads/63c18bf6d392ce333bdfa2b6/reports/5fd3fc0e-ccb6-4561-9022-e597062bc027/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Khalesi

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/20acc630-16f9-4d84-bda3-9582da2a3b26

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1151340

Signature

Checks if the current machine is a virtual machine (disk enumeration)

Hides threads from debuggers

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/591efac1879c1ec4079d2435e256d6ac654031cb477a0ba9b141c84a6ea51eb1/

Threat name:

Win32.Spyware.Rhadamanthys

Status:

Malicious

First seen:

2023-01-12 23:58:58 UTC

File Type:

PE (Exe)

AV detection:

20 of 26 (76.92%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=leppvqmhtqpmib45eq26evwwvrsuamoli55axknriheeu3vfd2yq._file

Verdict:

malicious

Rhadamanthys

2a99f25f4212f53d7479bfb140c572ca9f44394fbc4817743b1338cddf95a2d6

Rhadamanthys

84fcfc88df2041347b749df08d82fdb951f0335567ac9e5f1828e84084542e1f

Rhadamanthys

9146cee3d387cb3d665885b95d885734541f281cbb2a4726b6a59df922a83ee7

Rhadamanthys

b0a22e9a9850fa4356f5603905f45645489ae04d60d630772b3b8227a21b1956

Rhadamanthys

d719df850d62a455d34bf2a5847b36e6d267047824b2e96b7c4c9cdfbd9737e3

Rhadamanthys

dabdfc50cc2a6bc20b098b7feee83bedf463d58e0a9f824831290acefddc703c

Rhadamanthys

ef2dd208f149f8ae0741c2cf4fa5270e8d54c35e161f88aad9b109c679e211a2

Rhadamanthys

fb651d07bc1ee0b1676123399c358c9f3a276448b4938b46cfd2b9b701956913

Rhadamanthys

fee1d36af03a162f70a627c7cd3efa55b0557530d7eefbe8c72026f48b904595

Rhadamanthys

+ 17'546 additional samples on MalwareBazaar

Result

Malware family:

rhadamanthys

Score:

10/10

Tags:

family:rhadamanthys stealer

Link:

https://tria.ge/reports/230113-vcs6dsed5x/

Behaviour

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of NtSetInformationThreadHideFromDebugger

Detect rhadamanthys stealer shellcode

Rhadamanthys

Unpacked files

SH256 hash:

591efac1879c1ec4079d2435e256d6ac654031cb477a0ba9b141c84a6ea51eb1

MD5 hash:

497e535c7c59bfef37e092ae8f19c985

SHA1 hash:

e66f36181a32b2691fbb7d178d587b54bd95a217

Link:

https://www.unpac.me/results/ca42955b-e089-4639-b2d0-bb8b3357f58a/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/591efac1879c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.05

Link:

https://yomi.yoroi.company/submissions/591efac1879c1ec4079d2435e256d6ac654031cb477a0ba9b141c84a6ea51eb1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

exe 591efac1879c1ec4079d2435e256d6ac654031cb477a0ba9b141c84a6ea51eb1

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2506765/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/352676/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample