MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c946bc51595505a29eb5d16ed410aef05c8b09a1b7ddc8a261835ad2b935a77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c946bc51595505a29eb5d16ed410aef05c8b09a1b7ddc8a261835ad2b935a77
SHA3-384 hash: 60b5f4670f56893ae2f3212ea3dc308531bd2733ec41e0432024da19e500e9ce7281a82d4e4dd54018f422b87dd65b00
SHA1 hash: 23269d6db8186872f6d31e6f50daaffdd43c28a3
MD5 hash: be8cdde4842fd762856c98114130651e
humanhash: vermont-saturn-sweet-diet
File name:file
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:1'799'359 bytes
First seen:2023-12-31 20:58:41 UTC
Last seen:2023-12-31 23:49:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c9e69a467fe3fbd2ec5e5d1eec0d6e25 (1 x Rhadamanthys)
ssdeep 24576:09Qv76UpurjnWc0641KTW1qoVmv/cGrZiH/K1+oeZZt0HnZYRUN:HDpMWj51sWPGcGrYH/K1neZZGHqi
TLSH T1B8850102B3F71474F8F71A34987541601E22BDA8B8F1D87E1DB1E54E28B4A929D72B37
TrID 68.2% (.EXE) UPX compressed Win32 Executable (27066/9/6)
11.3% (.EXE) Win32 Executable (generic) (4505/5/1)
5.2% (.EXE) Win16/32 Executable Delphi generic (2072/23)
5.1% (.EXE) OS/2 Executable (generic) (2029/13)
5.0% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):PE icon
dhash icon e8cc9c9cdc8c9cd4 (1 x Rhadamanthys, 1 x LummaStealer)
Reporter andretavare5
Tags:exe Rhadamanthys


Avatar
andretavare5
Sample downloaded from http://45.15.156.2/HomepageReverse.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
368
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BScope.TrojanRansom.Blocker.5704.31128.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Searching for synchronization primitives
Searching for the window
Creating a file in the %temp% subdirectories
Launching cmd.exe command interpreter
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Running batch commands
Creating a process from a recently created file
DNS request
Сreating synchronization primitives
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control keylogger lolbin overlay packed packed upx
Link:
https://www.filescan.io/uploads/6591d617b855eb3693079d3c/reports/d3c7157e-1a1a-45f5-b5ed-4d5c7ffce817/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/5c946bc51595505a29eb5d16ed410aef05c8b09a1b7ddc8a261835ad2b935a77
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/cd070706-0e78-41b5-b494-da725087aa77
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1368425
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Contains functionality to modify clipboard data
Drops PE files with a suspicious file extension
Found API chain indicative of sandbox detection
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1368425 Sample: file.exe Startdate: 31/12/2023 Architecture: WINDOWS Score: 100 56 hUbDLxwHbtXNnaaxVEnnFg.hUbDLxwHbtXNnaaxVEnnFg 2->56 66 Snort IDS alert for network traffic 2->66 68 Multi AV Scanner detection for submitted file 2->68 70 Yara detected RHADAMANTHYS Stealer 2->70 72 2 other signatures 2->72 13 file.exe 11 2->13         started        signatures3 process4 file5 52 C:\Users\user\AppData\Local\Temp\...\Democrat, PE32 13->52 dropped 16 cmd.exe 1 13->16         started        19 conhost.exe 13->19         started        process6 signatures7 60 Uses ping.exe to sleep 16->60 62 Drops PE files with a suspicious file extension 16->62 64 Uses ping.exe to check the status of other devices and networks 16->64 21 cmd.exe 1 16->21         started        24 conhost.exe 16->24         started        process8 signatures9 74 Uses ping.exe to sleep 21->74 26 Receptors.pif 1 21->26         started        29 cmd.exe 2 21->29         started        32 cmd.exe 2 21->32         started        34 6 other processes 21->34 process10 file11 78 Found API chain indicative of sandbox detection 26->78 80 Contains functionality to modify clipboard data 26->80 36 dialer.exe 26->36         started        40 WerFault.exe 2 26->40         started        54 C:\Users\user\AppData\Local\...\Receptors.pif, PE32 29->54 dropped signatures12 process13 dnsIp14 58 91.92.240.171, 2469, 49739, 49740 THEZONEBG Bulgaria 36->58 76 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 36->76 42 OpenWith.exe 36->42         started        signatures15 process16 signatures17 82 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 42->82 84 Tries to steal Mail credentials (via file / registry access) 42->84 86 Tries to harvest and steal browser information (history, passwords, etc) 42->86 88 Tries to harvest and steal Bitcoin Wallet information 42->88 45 setup_wm.exe 42->45         started        48 AppLaunch.exe 1 42->48         started        process18 signatures19 90 Writes to foreign memory regions 45->90 92 Allocates memory in foreign processes 45->92 50 dllhost.exe 45->50         started        process20
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5c946bc51595505a29eb5d16ed410aef05c8b09a1b7ddc8a261835ad2b935a77
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5c946bc51595505a29eb5d16ed410aef05c8b09a1b7ddc8a261835ad2b935a77/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-12-31 20:59:10 UTC
File Type:
PE (Exe)
Extracted files:
133
AV detection:
12 of 22 (54.55%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lskgxrivsvifukpllulo2qik54c4rme2dn65zcrgda222k4tlj3q._file
Verdict:
suspicious
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys stealer upx
Link:
https://tria.ge/reports/231231-zsp6wsgec8/
Behaviour
Enumerates processes with tasklist
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Program crash
Executes dropped EXE
Loads dropped DLL
UPX packed file
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
158023db9d709153c524dc3eaa44d69da54b1aee522feb93b1773c5b9cfdf2af
MD5 hash:
c7440c1aaaee0cf6cf46d8e07f8bfa81
SHA1 hash:
873d2d7354ed4ea5af8511a5c386ef4c58711cdd
Link:
https://www.unpac.me/results/6f84502a-a004-4541-9202-3dfa04af6b40/
SH256 hash:
3897e076e73699213c661c5f417f3d09c2e6be5ce58086b89a17b9aa4c776ebf
MD5 hash:
51fdbc49c705676e7baf0ed09c6c6deb
SHA1 hash:
b8b06e81793c53a7293160ec936bbbcf690fce0f
Detections:
AutoIT_Compiled
Create hunting rule
Link:
https://www.unpac.me/results/6f84502a-a004-4541-9202-3dfa04af6b40/
SH256 hash:
5c946bc51595505a29eb5d16ed410aef05c8b09a1b7ddc8a261835ad2b935a77
MD5 hash:
be8cdde4842fd762856c98114130651e
SHA1 hash:
23269d6db8186872f6d31e6f50daaffdd43c28a3
Link:
https://www.unpac.me/results/6f84502a-a004-4541-9202-3dfa04af6b40/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5c946bc51595/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5c946bc51595505a29eb5d16ed410aef05c8b09a1b7ddc8a261835ad2b935a77

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser
Create hunting rule
Author:malware-lu
Rule name:UPXv20MarkusLaszloReiser
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2745573/

Comments