MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5faffbfc993cbdaeb7b5e8f5f95f5510c340667ed5daff4b6f88d1ade8915208. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5faffbfc993cbdaeb7b5e8f5f95f5510c340667ed5daff4b6f88d1ade8915208
SHA3-384 hash: 81ab5abbe9f7d582f5ae40f904b01413fdc61c844e8ab561b3299e50a202da625b052802a166ef734dcc4a7b88f7e0a0
SHA1 hash: 628c39659193e1026864295db18b1049bc904c76
MD5 hash: 5be6145c6351bc7f52ea7ebdf01cbc8f
humanhash: failed-yankee-cardinal-red
File name:5be6145c6351bc7f52ea7ebdf01cbc8f.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:2'981'888 bytes
First seen:2024-12-04 13:39:32 UTC
Last seen:2024-12-04 16:21:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6cd1955b3508e1b7bae36e00ef841662 (12 x Rhadamanthys, 1 x AsyncRAT)
ssdeep 49152:SVHFXSzmqiDqCbm1gickVsPTwuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuTuuuuD:SVHFXSzmqsegfkVsMuuuuuuuuuuuuuuo
Threatray 14 similar samples on MalwareBazaar
TLSH T138D5AE41F28181B1DD5276B05273D6B54572AEF8A73A80CF61D63F1B3B722E25A33386
TrID 62.2% (.EXE) InstallShield setup (43053/19/16)
15.2% (.EXE) Win64 Executable (generic) (10522/11/4)
7.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.9% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
File icon (PE):PE icon
dhash icon d4c4c4d8ccd4f0cc (241 x AgentTesla, 65 x Loki, 41 x Formbook)
Reporter abuse_ch
Tags:104-37-175-232 Compilazioneprotetticopyright exe Rhadamanthys

Intelligence

File Origin
# of uploads :
4
# of downloads :
389
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://t.ly/l-Altius212
Verdict:
Malicious activity
Analysis date:
2024-12-02 15:02:30 UTC
Tags:
loader rhadamanthys stealer
Link:
https://app.any.run/tasks/04488285-611b-4455-8029-199f7ea9959a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67505ccebc8c6beb30759f4f
Tags:
shellcode virus gates
Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
evasive fingerprint microsoft_visual_cc packed packed packer_detected rat
Link:
https://www.filescan.io/uploads/67505bbd44b67042f0d3db09/reports/4c7c4ec2-ac01-406b-b490-fa1bc3a8e3c9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/5faffbfc993cbdaeb7b5e8f5f95f5510c340667ed5daff4b6f88d1ade8915208
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/f55f2cd5-64ef-4060-8af4-d9207dddec01
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1568321
Signature
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops large PE files
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
33%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/5faffbfc993cbdaeb7b5e8f5f95f5510c340667ed5daff4b6f88d1ade8915208
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5faffbfc993cbdaeb7b5e8f5f95f5510c340667ed5daff4b6f88d1ade8915208/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-12-03 18:41:31 UTC
File Type:
PE (Exe)
Extracted files:
128
AV detection:
18 of 38 (47.37%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l6x7x7ezhs625n5v5d27sx2vcdbuazt62xnp6s3prdi232erkiea._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
4a35f8134f64ad28c5fe261d7cf15256ecd758566c2ddbf4bd962925502ade41
Rhadamanthys
5faffbfc993cbdaeb7b5e8f5f95f5510c340667ed5daff4b6f88d1ade8915208
Rhadamanthys
70eec079b5317455429f24c081b6cf29c0f04d5708c4c2b767b76172643be57e
Rhadamanthys
a9ce2c8a98a02f9f90bb4b649a34a5decc294c60f66c2365cd06d4f787343472
Rhadamanthys
c3427b813ad0c2e6563b844e6fc080a7f18ca62880e7f2119adaad4e278b1285
Rhadamanthys
d0f631f6269c14fe7622f4a1085f99e6bfd235942ce57715914ee4a319484a55
Rhadamanthys
e74135c647bb065e27f85b5bedb57b63c5731df0dd5d92877187be3cf6a2594e
Rhadamanthys
error
Rhadamanthys
+ 4 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/241204-qyjrmaxjft/
Behaviour
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Adds Run key to start application
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f45f8e65-9180-4b57-8361-90b44175d6ad
Unpacked files
SH256 hash:
37e9cafb65e2329b0b7ec6b0b8901e671307098ab16c31b8772474ea0494e6f7
MD5 hash:
36c70f7e65f4d1c21b65045d1f5093dd
SHA1 hash:
13f11db0063991ec97a1094badfbfdc3f6e45b06
Link:
https://www.unpac.me/results/68f33a0d-cca1-44c9-8c0f-7da8c944206d/
SH256 hash:
5faffbfc993cbdaeb7b5e8f5f95f5510c340667ed5daff4b6f88d1ade8915208
MD5 hash:
5be6145c6351bc7f52ea7ebdf01cbc8f
SHA1 hash:
628c39659193e1026864295db18b1049bc904c76
Link:
https://www.unpac.me/results/68f33a0d-cca1-44c9-8c0f-7da8c944206d/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5faffbfc993c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5faffbfc993cbdaeb7b5e8f5f95f5510c340667ed5daff4b6f88d1ade8915208

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:RansomPyShield_Antiransomware
Create hunting rule
Author:XiAnzheng
Description:Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe 5faffbfc993cbdaeb7b5e8f5f95f5510c340667ed5daff4b6f88d1ade8915208

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3319772/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CoFreeUnusedLibraries
MULTIMEDIA_APICan Play MultimediaGDI32.dll::StretchDIBits
WINMM.dll::timeBeginPeriod
WINMM.dll::timeEndPeriod
WINMM.dll::timeGetDevCaps
WINMM.dll::timeGetTime
WINMM.dll::timeKillEvent
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessA
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
KERNEL32.dll::GetSystemInfo
KERNEL32.dll::GetStartupInfoA
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileA
KERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryA
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileA
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileMappingA
WIN_CRYPT_APIUses Windows Crypt APICRYPT32.dll::CertFindCertificateInStore
CRYPT32.dll::CertFreeCertificateContext
CRYPT32.dll::CertVerifySubjectCertificateContext
CRYPT32.dll::CryptGetMessageCertificates
CRYPT32.dll::CryptVerifyMessageSignature
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyA
ADVAPI32.dll::RegOpenKeyExA
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExA
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExA
ADVAPI32.dll::RegSetValueA
WIN_USER_APIPerforms GUI ActionsUSER32.dll::EmptyClipboard
USER32.dll::OpenClipboard
USER32.dll::PeekMessageA
USER32.dll::CreateWindowExA

Comments