MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 686f9d8e29ba0fd3e4285ecd2f85716bea5be6c3b6571c955c9f6ea9274dc9cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 686f9d8e29ba0fd3e4285ecd2f85716bea5be6c3b6571c955c9f6ea9274dc9cf
SHA3-384 hash: 7eb5c4ecfbc9d2c47a8e10f55f51f102dfda623c7e659547a9420266e530b9dd4931961ede68c4b6e4ef0e9a3d093459
SHA1 hash: 3062e6dab48c12c1b66c63813f20a0fc86c79966
MD5 hash: 2ee4b1df29fe85c016c84d5855b0ec9f
humanhash: hawaii-violet-yankee-item
File name:2ee4b1df29fe85c016c84d5855b0ec9f.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:1'040'384 bytes
First seen:2023-07-17 09:28:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1bc1c4b914e9ea42a3ab5d27158f0056 (1 x Rhadamanthys)
ssdeep 12288:aExUboCrf3E1zPXkbaEGJmtNjVu2q8OqdCB5GDdSUHrCAZWgAYhaoa6Wn4jfHh1:a3skbXG+NlOqFeA/BO6W4jp
Threatray 512 similar samples on MalwareBazaar
TLSH T19A259D52399B85B6DAE120BD06DC652C084DFFF0036290DB65ADCADEC2207F51E36ED6
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Reporter abuse_ch
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
305
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
2ee4b1df29fe85c016c84d5855b0ec9f.exe
Verdict:
Malicious activity
Analysis date:
2023-07-17 09:30:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/49dd3fff-30ab-440d-9f71-3d8d39173293

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Rhadamanthys
Create hunting rule
Link:
https://www.capesandbox.com/analysis/422169/
Detection(s):
SecuriteInfo.com.Trojan.Heur.@GW@I9114hei.22881.9276.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Searching for synchronization primitives
Сreating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control greyware lolbin
Link:
https://www.filescan.io/uploads/64b509e48ca71f19e088c6e9/reports/4d8f2855-d9d6-4d8b-bb2e-262ac40907fa/overview
Verdict:
Malicious
Labled as:
Trojan.Heur.Generic
Link:
https://www.hybrid-analysis.com/sample/686f9d8e29ba0fd3e4285ecd2f85716bea5be6c3b6571c955c9f6ea9274dc9cf
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Sysinternals
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/1cd9dc2d-b739-4611-8dd0-45618e05b75a
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1274309
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/686f9d8e29ba0fd3e4285ecd2f85716bea5be6c3b6571c955c9f6ea9274dc9cf/
Threat name:
Win32.Trojan.Phoenix
Create hunting rule
Status:
Malicious
First seen:
2023-07-17 06:16:06 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
20 of 37 (54.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nbxz3drjxih5hzbil3gs7blrnpvfxzwdwzlrzfk4t5xksj2nzhhq._file
Verdict:
malicious
Similar samples:
01c7c28d8fcbded6bb906af11b34e65e19a71bc433fa3c8b5e615130f78028d5
Rhadamanthys
098c9f426ab6d50a39469ef17adcf10e50b5e91ff9a7594478354098909970df
Rhadamanthys
09ab57049567b5c2e403f0901b5a9bcc7eab0ea6ae466c315695474c951d590f
Rhadamanthys
114210ddeecbf5dd4320338e5a3c5a156841ae1390732a2b71e324f161e32932
Rhadamanthys
23af16d3c63373e2e6789381782572f3b0d17fe7587f243a100c6123ea1e3020
Rhadamanthys
547c18da09aa11143e35bbb978f5b166a3f0c71fb3d283b81a6ba4ddc4438605
Rhadamanthys
63d564ee18cc7272f401612a4aa845c2f1be023f83cb1d851ff8f2986082927b
Rhadamanthys
81c68d49323f4cc3f1ad6b3634b9a3d0891daed3822c077a3b1a4a6b0b050551
Rhadamanthys
8a049d96c7cb3586360c4936c28a543f8625ac00870a5887478eef8f2a169549
Rhadamanthys
ae0087b0e2f4292c64c5232368e562c30da4db998734b9b3dd5e27f456741f9c
Rhadamanthys
+ 502 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys collection stealer
Link:
https://tria.ge/reports/230717-lfw7sabg6z/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Detect rhadamanthys stealer shellcode
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
83e606c99433102122e92131d775482628e26c739f88a399561783bcc3a8b82e
MD5 hash:
b14ba7eb5ce25451c2fbd47e09b65e6e
SHA1 hash:
41bdafa5f1a526ba72003831d72d5f9860001c39
Detections:
BruteRatel
Create hunting rule
win_brute_ratel_c4_w0
Create hunting rule
Link:
https://www.unpac.me/results/4252943d-f16d-4621-9702-0bf9daf12787/
SH256 hash:
686f9d8e29ba0fd3e4285ecd2f85716bea5be6c3b6571c955c9f6ea9274dc9cf
MD5 hash:
2ee4b1df29fe85c016c84d5855b0ec9f
SHA1 hash:
3062e6dab48c12c1b66c63813f20a0fc86c79966
Link:
https://www.unpac.me/results/4252943d-f16d-4621-9702-0bf9daf12787/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/686f9d8e29ba/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/686f9d8e29ba0fd3e4285ecd2f85716bea5be6c3b6571c955c9f6ea9274dc9cf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe 686f9d8e29ba0fd3e4285ecd2f85716bea5be6c3b6571c955c9f6ea9274dc9cf

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2684385/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/422169/

Comments