MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63d564ee18cc7272f401612a4aa845c2f1be023f83cb1d851ff8f2986082927b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 16


Intelligence 16 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 63d564ee18cc7272f401612a4aa845c2f1be023f83cb1d851ff8f2986082927b
SHA3-384 hash: d494e24804b1c78a39aecd2cbbd3cf69b3d0618f90a2de33d8ff396a46dc885df2f475703cdb79448487d55db2edfda6
SHA1 hash: b624e4744916761c00b3754c40add5806d2b6780
MD5 hash: fab65e608359e725451406b55821c6ce
humanhash: uranus-tennessee-ohio-massachusetts
File name:PI-RM230608002.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:417'280 bytes
First seen:2023-07-03 05:20:16 UTC
Last seen:2023-07-03 09:11:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4aa773f91d20506f2979a40c36a81664 (8 x RedLineStealer, 2 x Amadey, 2 x Tofsee)
ssdeep 12288:lZ4LCU68TejOe8kK3/yVju++vFlvpzH6f:P4WjDj06X+vjhzaf
Threatray 390 similar samples on MalwareBazaar
TLSH T17494F113E6A07C65E5168B318E2EC2E8761EB6F18F647795321D9A9F0DB11E2D273302
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 28e8d8d8d8e8d0d8 (1 x Rhadamanthys)
Reporter lowmal3
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
3
# of downloads :
276
Origin country :
DE DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PI-RM230608002.exe
Verdict:
Malicious activity
Analysis date:
2023-07-03 05:22:23 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1f34e180-1f6f-4dc1-89ab-c26bb1d9b0d2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Rhadamanthys
Create hunting rule
Link:
https://www.capesandbox.com/analysis/405661/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Launching a process
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Reading critical registry keys
Searching for the window
Unauthorized injection to a system process
Stealing user critical data
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/95127/overview
Behaviour
MalwareBazaar
CPUID_Instruction
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware packed xpack
Link:
https://www.filescan.io/uploads/64a25abe2299d268826445a3/reports/ec62cc2b-3d78-4beb-b05b-71cdaae0c60a/overview
Verdict:
Malicious
Labled as:
Jaik.Generic
Link:
https://www.hybrid-analysis.com/sample/63d564ee18cc7272f401612a4aa845c2f1be023f83cb1d851ff8f2986082927b
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1ff78d78-e4c7-4c9c-b961-adc86851be4f
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1265494
Signature
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/63d564ee18cc7272f401612a4aa845c2f1be023f83cb1d851ff8f2986082927b/
Threat name:
Win32.Spyware.Rhadamanthys
Create hunting rule
Status:
Malicious
First seen:
2023-07-02 23:40:07 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
24 of 24 (100.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mpkwj3qyzrzhf5abmevevkcfyly34ar7qpfr3bi77dzjqyecsj5q._file
Verdict:
malicious
Similar samples:
09ab57049567b5c2e403f0901b5a9bcc7eab0ea6ae466c315695474c951d590f
Rhadamanthys
17d6811a35be911a5dbe4f70d1b8e3e79032f05f21723fa4c9fb47946988ec05
Rhadamanthys
4d394ab71802f94b89ba5d62bdb2faebc5b500acbc2a362339ba451517710441
Rhadamanthys
7f1f9c6822b0e44c2673ed10110b801b1a26d86110160f4c3d77221111eea7f6
Rhadamanthys
8d39941ae1a443b26ba2015e41ffc11346881cfe16056fec5c45814638ee64f4
Rhadamanthys
ad69386c76318673d8374d20af2069e54e1732aab4c6d5fcb111f800898e2637
Rhadamanthys
ddad7b5c4546bd2bc27d66de61d76e788e48dbcdbafc1a5a4129e61c2dcc3721
Rhadamanthys
e198601d7f6afa0ff30ae9259e16b0862226f10cee6d6a026a4b9ab1634a1d02
Rhadamanthys
f1eaa55424a52cd534e896632da09920f8dff1c442f22809eb531fd2ea027b13
Rhadamanthys
f4f213fc4f8755dc9d057266a292aa0f2d52da76499dc871235bab1413b04242
Rhadamanthys
+ 380 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys collection stealer
Link:
https://tria.ge/reports/230703-f1zwhseh23/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Accesses Microsoft Outlook profiles
Deletes itself
Detect rhadamanthys stealer shellcode
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
6c7e44095f683d02e7f36753f7b5b025af5e37f456ab8cc22e0127f96faa785f
MD5 hash:
3ad5ee3ac29736cc9dd598f150f368e5
SHA1 hash:
fd725dbfa777d410a4089769d189a1a7c24dbc1a
Detections:
win_brute_ratel_c4_w0
Create hunting rule
Link:
https://www.unpac.me/results/46e24188-dd8f-4354-a13f-9e8ff9f7b8ab/
SH256 hash:
63d564ee18cc7272f401612a4aa845c2f1be023f83cb1d851ff8f2986082927b
MD5 hash:
fab65e608359e725451406b55821c6ce
SHA1 hash:
b624e4744916761c00b3754c40add5806d2b6780
Link:
https://www.unpac.me/results/46e24188-dd8f-4354-a13f-9e8ff9f7b8ab/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/63d564ee18cc7272f401612a4aa845c2f1be023f83cb1d851ff8f2986082927b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Rhadamanthys

Executable exe 63d564ee18cc7272f401612a4aa845c2f1be023f83cb1d851ff8f2986082927b

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/405661/
  
URLhaus
https://urlhaus.abuse.ch/url/2675817/

Comments