MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67cb319846957d5e7ee3f43e7075c6a7fd4a5275d89f1326bc05c3295baa57ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 12

Intelligence 12 IOCs YARA 7 File information Comments

SHA256 hash:	67cb319846957d5e7ee3f43e7075c6a7fd4a5275d89f1326bc05c3295baa57ca
SHA3-384 hash:	8fd6c937a64b8ba9a56e64fa55528e61902053d5866b7f21a033ba9e7c2727588f79432f9a72096616a4f665080b3b1e
SHA1 hash:	ae5960984c28a2b09580049817eeafd9ab27d317
MD5 hash:	bc67b4fcccdeb3e8da3a07635d53dc9e
humanhash:	william-diet-twelve-enemy
File name:	bc67b4fcccdeb3e8da3a07635d53dc9e.exe
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	509'952 bytes
First seen:	2023-08-13 07:51:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c86d6a34baf2a5c1b8ca9dd9a8da7d3c (2 x Smoke Loader, 2 x Rhadamanthys, 1 x RedLineStealer)
ssdeep	6144:5vWfLDSigwNerReit4dWjYYCDrnoO+D6t0m81TbVgV2gmHW/5jAyWw4RX6:5enSigwA0iCfH+Ot9OfCV2HWRjjWB
Threatray	20 similar samples on MalwareBazaar
TLSH	T107B4E11762B1EC31D52AFA719F2EC6E8727EF5204E59666772185F2F28701B2DA73300
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 16.0% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	080001090c583000 (1 x Rhadamanthys)
Reporter	abuse_ch
Tags:	exe Rhadamanthys

Intelligence

File Origin

# of uploads :

# of downloads :

275

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

bc67b4fcccdeb3e8da3a07635d53dc9e.exe

Verdict:

No threats detected

Analysis date:

2023-08-13 07:53:26 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/cee77f9d-eb4f-4cf3-8b36-aab4c0edc515

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/442449/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Clean

Maliciousness:

Behaviour

Searching for the window

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/102730/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

CPUID_Instruction

EvasionQueryPerformanceCounter

EvasionGetTickCount

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

86%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/64d88ba24154db2bd52a6608/reports/f00ad295-1e58-4120-ae92-da05a2fda039/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/67cb319846957d5e7ee3f43e7075c6a7fd4a5275d89f1326bc05c3295baa57ca

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/952a2742-d47e-40a9-b9a5-a90b2797f070

Result

Threat name:

RHADAMANTHYS

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1290611

Signature

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/67cb319846957d5e7ee3f43e7075c6a7fd4a5275d89f1326bc05c3295baa57ca/

Threat name:

Win32.Spyware.Rhadamanthys

Status:

Malicious

First seen:

2023-08-13 07:52:05 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=m7ftdgcgsv6v47xd6q7ha5ogu76uuutv3cprgjv4axbssw5kk7fa._file

Verdict:

malicious

Rhadamanthys

4eb94831dc8c5d208a185b7f83469113379a05db96af352e5c0de634611050dd

Rhadamanthys

62600a3d570dd2096f9eb8bb18b7d4b4844e9c603182529dadad8831f8a067a7

Rhadamanthys

7de67b4ae3475e1243c80ba446a8502ce25fec327288d81a28be69706b4d9d81

Rhadamanthys

a6d0e60e46974bcc2b95d79efe42aef131019e1a1db2f71a780c51a68cc36199

Rhadamanthys

a717bafa929893e64dbd2fc6b38dbeed2efc7308f1bc3e1eaf52dfc8114091ad

Rhadamanthys

b45536b641815e8e230c3519ee7b9dcb4bf186ed2f4dc73b4be00066550731aa

Rhadamanthys

b76d7c7450892b61891be2cbcfdb364e7b6f3c39a30ea1a3727d57b5683cd237

Rhadamanthys

f58ee9d6f276f787dac4f227f31ea0aa0d28dabba7a686ab77e2380b44cea4f9

Rhadamanthys

+ 10 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/230813-jqdr3sbg8v/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

998b06d6f006af0c9c96bf446eab96300b1d9130d5a891c6b22aeaa314d31747

MD5 hash:

76d6f33f858a80073ec383d159127018

SHA1 hash:

360b480b8519c187f0732f9d3a5ac129801ff23c

Detections:

RhadamanthysLoader

win_brute_ratel_c4_w0

Link:

https://www.unpac.me/results/dd114d38-b7bc-40cf-b7a0-84df07648fb8/

Parent samples :

f58ee9d6f276f787dac4f227f31ea0aa0d28dabba7a686ab77e2380b44cea4f9
8d06df702224e7dc86ff07ed2df76b460e07501cc8596b765b15c7b719275a3d
67cb319846957d5e7ee3f43e7075c6a7fd4a5275d89f1326bc05c3295baa57ca
0043ce08603751d94a911c887c9fbd583a0914542daec18a75f2055588974d68
9a86c400c754a8a5d191bc77855f398dae45defb82c8821542b7ccd49370a179
b71880c437249e1aae73ab4f9a2377e435ce8e13b8ca2ada12c2019428c50cc0

SH256 hash:

67cb319846957d5e7ee3f43e7075c6a7fd4a5275d89f1326bc05c3295baa57ca

MD5 hash:

bc67b4fcccdeb3e8da3a07635d53dc9e

SHA1 hash:

ae5960984c28a2b09580049817eeafd9ab27d317

Link:

https://www.unpac.me/results/dd114d38-b7bc-40cf-b7a0-84df07648fb8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/67cb319846957d5e7ee3f43e7075c6a7fd4a5275d89f1326bc05c3295baa57ca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BruteSyscallHashes Create hunting rule
Author:	Embee_Research @ Huntress

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	win_bruteratel_syscall_hashes_oct_2022 Create hunting rule
Author:	Embee_Research @ Huntress
Description:	Detection of Brute Ratel Badger via api hashes of Nt* functions.

Rule name:	win_brute_ratel_c4_w0 Create hunting rule
Author:	Embee_Research @ Huntress

Rule name:	win_Brute_Syscall_Hashes Create hunting rule
Author:	Embee_Research @ Huntress
Description:	Detection of Brute Ratel Badger via api hashes of Nt* functions.