MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 612580febe9bad2c60ab8ad8564a38680cf415581c542e5e6109e680dc5e9d15. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 13

Intelligence 13 IOCs YARA 1 File information Comments

SHA256 hash:	612580febe9bad2c60ab8ad8564a38680cf415581c542e5e6109e680dc5e9d15
SHA3-384 hash:	1965ac54e18174e63661bfa56e6956963b8290e10ffd79033b6d0fc9e2dfa0712bbd8596cea33cee40e95bc97a6865b2
SHA1 hash:	66deede4f00f1a76cdcb9e52c9a42b371875be38
MD5 hash:	581d545c4a3d99f4fb5b92752610e950
humanhash:	north-stream-mississippi-alpha
File name:	mars-wallet-64-1.01.12.0-8438.exe
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	407'040 bytes
First seen:	2023-01-17 06:17:18 UTC
Last seen:	2023-01-17 07:37:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	29066daaddce37746c3cad3caf9a9d34 (1 x Rhadamanthys)
ssdeep	6144:ytN60S22Iq0NKGr8QsPgwKh10UfY2TDRK13yOz4RXvSTmE:ytN+ONKM8GwA6GJTVC3yO5N
Threatray	4'239 similar samples on MalwareBazaar
TLSH	T1FC849C3F7E80D460E46205317963D5A85D3AAF3DDA60B93B36CC362E5B31CD18B2E916
TrID	40.3% (.EXE) Win64 Executable (generic) (10523/12/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4505/5/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
File icon (PE):
dhash icon	007168c4dc786004 (1 x Rhadamanthys)
Reporter	iamdeadlyz
Tags:	116-203-136-70 176-113-115-240 colibri exe MarsWallet Rhadamanthys

Iamdeadlyz

From mars-wallet.net (fake cryptocurrency wallet)
De-pump of 58ebc8843e448bf1273e7d9f373e75ebb0f9cf37674bc6a4c79c9e7cd1e236b3
Rhadamanthys Stealer C&C: 116.203.136.70:80
Colibri Loader C&C: 176.113.115.240:80

Intelligence

File Origin

# of uploads :

# of downloads :

238

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

mars-wallet-64-1.01.12.0-8438.exe

Verdict:

Malicious activity

Analysis date:

2023-01-17 06:18:09 UTC

Tags:

trojan

Link:

https://app.any.run/tasks/43c7fd1a-254d-4e0a-b59a-20b971d51ab2

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/353662/

Detection(s):

SecuriteInfo.com.Variant.Jaik.109743.12379.32711.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Sending an HTTP GET request

Creating a file in the %AppData% directory

Launching a process

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/60860/overview

Behaviour

MalwareBazaar

CallSleep

MeasuringTime

CheckCmdLine

EvasionQueryPerformanceCounter

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/63c63d9c8352dc7065e334c1/reports/987e0bfd-e92d-4dfc-b771-1a8f6a099622/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

AZORult

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5a67e7d6-2aa3-4f9e-b304-56a1143f58c1

Result

Threat name:

Colibri, RHADAMANTHYS

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1152803

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Creates processes via WMI

Found C&C like URL pattern

Found many strings related to Crypto-Wallets (likely being stolen)

Found stalling execution ending in API Sleep call

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected Colibri Loader

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/612580febe9bad2c60ab8ad8564a38680cf415581c542e5e6109e680dc5e9d15/

Threat name:

Win32.Trojan.Rhadamanthys

Status:

Malicious

First seen:

2023-01-17 06:18:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mesyb7v6towsyyflrlmfmsrynagpifkydrkc4xtbbhtibxc6tukq._file

Verdict:

malicious

Rhadamanthys

591efac1879c1ec4079d2435e256d6ac654031cb477a0ba9b141c84a6ea51eb1

Rhadamanthys

84fcfc88df2041347b749df08d82fdb951f0335567ac9e5f1828e84084542e1f

Rhadamanthys

9146cee3d387cb3d665885b95d885734541f281cbb2a4726b6a59df922a83ee7

Rhadamanthys

b0a22e9a9850fa4356f5603905f45645489ae04d60d630772b3b8227a21b1956

Rhadamanthys

d3308f8b8905c046fa48a7a828b1047511709ad9c7d9b7d4e67ec94083e76c39

Rhadamanthys

d719df850d62a455d34bf2a5847b36e6d267047824b2e96b7c4c9cdfbd9737e3

Rhadamanthys

ef2dd208f149f8ae0741c2cf4fa5270e8d54c35e161f88aad9b109c679e211a2

Rhadamanthys

fee1d36af03a162f70a627c7cd3efa55b0557530d7eefbe8c72026f48b904595

Rhadamanthys

+ 4'229 additional samples on MalwareBazaar

Result

Malware family:

rhadamanthys

Score:

10/10

Tags:

family:colibri family:rhadamanthys botnet:bot collection discovery loader spyware stealer

Link:

https://tria.ge/reports/230117-g2lkysfc8s/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Program crash

Accesses Microsoft Outlook profiles

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Blocklisted process makes network request

Executes dropped EXE

Colibri Loader

Detect rhadamanthys stealer shellcode

Rhadamanthys

Malware Config

C2 Extraction:

http://176.113.115.240/gate.php

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/3d1b2c3f-6c72-4368-84d6-daefb6308041

Unpacked files

SH256 hash:

668cfc816d7fb798d6e1148d4f2b812b9996b68240b222f57ba05e8d93bf64f2

MD5 hash:

8df13d982fc2e55697e2b2c93d276b3b

SHA1 hash:

9084711a032e5e1d7865fb8d402219328180836a

Link:

https://www.unpac.me/results/e8161b91-e442-411f-a9f1-78a8fab7c226/

SH256 hash:

612580febe9bad2c60ab8ad8564a38680cf415581c542e5e6109e680dc5e9d15

MD5 hash:

581d545c4a3d99f4fb5b92752610e950

SHA1 hash:

66deede4f00f1a76cdcb9e52c9a42b371875be38

Link:

https://www.unpac.me/results/e8161b91-e442-411f-a9f1-78a8fab7c226/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/612580febe9b/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/612580febe9bad2c60ab8ad8564a38680cf415581c542e5e6109e680dc5e9d15

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.