MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a7afb8f7f2a67c98cd75d271fa90b7466adcfd86012fc62e88d5f345d8433d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Rhadamanthys

Vendor detections: 12

SHA256 hash: 6a7afb8f7f2a67c98cd75d271fa90b7466adcfd86012fc62e88d5f345d8433d6
SHA3-384 hash: 83d192cd11c94154348b737e12ec4276084abd657f740c21ceca7c106d07fcd797b654758d0afc740d363841a0b0c986
SHA1 hash: a16c3b58b47d6adb4fd1ea3df65cdf81d0470688
MD5 hash: fa10fa3a71059cdc50ce89b53c2df731
humanhash: november-uranus-december-delta
File name: DHL Original Documents.exe
Signature: Rhadamanthys
File size: 1'676'432 bytes
First seen: 2023-02-07 17:12:39 UTC
Last seen: 2023-02-07 18:39:57 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 61ad665502ca1c66fbbbb4bc3ca6cb32 (1 x Rhadamanthys, 1 x AgentTesla)
ssdeep: 24576:8Hx7en6674l9yg6t4KYMtT98FfjO2nnLGxgb0dttuHJYlyPhdiIWuq:SXNl9jYYLO2nnLGx0OncmlWhdYuq
TLSH: T18C757B835A99A357C3E6C6F3591301F07EB17999F94EC08313BA5E3D2C956830AB271E
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: c4d2d0c9d8d8c8f9 (3 x AgentTesla, 2 x Formbook, 2 x Rhadamanthys)
Reporter: abuse_ch
Tags: DHL exe Rhadamanthys signed

Code Signing Certificate

Organisation: www.flex.com
Issuer: Sectigo RSA Organization Validation Secure Server CA
Algorithm: sha256WithRSAEncryption
Valid from: 2022-12-28T00:00:00Z
Valid to: 2023-12-28T23:59:59Z
Serial number: 059020b5e96269dfb89537306a6a73fe
Intelligence: 7 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint algorithm: SHA256
Thumbprint: 3da821861ba3884014702f2405aa5ef9d811f821a2a5e8f57c0b473239db9d90
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 215
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: DHL Original Documents.exe
Verdict: Malicious activity
Analysis date: 2023-02-07 17:25:53 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:

Behaviour
Sending a custom TCP request
DNS request
Creating a file
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict: No Threat
Threat level: 2/10
Confidence: 80%
Tags: greyware overlay packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RHADAMANTHYS, Xmrig
Detection: malicious
Classification: troj.evad.spyw.mine
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Checks if the current machine is a virtual machine (disk enumeration)
Creates an undocumented autostart registry key
Detected Stratum mining protocol
Early bird code injection technique detected
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Hijacks the control flow in another process
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Protects its processes via BreakOnTermination flag
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Self deletion via cmd or bat file
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected RHADAMANTHYS Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID: 800748; sample: DHL Original Documents.exe; start date: 07/02/2023; architecture: WINDOWS; score: 100). The graph image itself is not reproduced; the process tree, network contacts, dropped files and per-process signatures recovered from it are listed below.

Root-level network nodes: chdgm5j5rldzm5zpuof.jwsavx346fgsi; transfer.sh; 4 other IPs or domains
Root-level signatures: Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 17 other signatures

Process tree:
DHL Original Documents.exe
    dropped: C:\Users\user\...\Tibiwo.exe (PE32); C:\Users\user\...\Tibiwo.exe:Zone.Identifier (ASCII)
    signatures: Self deletion via cmd or bat file
    Tibiwo.exe
        dropped: C:\Users\user\AppData\Local\...\4338968.dll (PE32)
        signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
        ngentask.exe (three instances) and 3 other processes
            signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
    cmd.exe
        signatures: Uses ping.exe to check the status of other devices and networks
        PING.EXE
            network: 127.0.0.1
        conhost.exe
        chcp.com
    schtasks.exe
        conhost.exe
    dllhost.exe
Tibiwo.exe (second instance, started from the root)
    dropped: C:\Users\user\AppData\Local\...\4337062.dll (PE32)
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    fontview.exe
        signatures: Query firmware table information (likely to detect VMs); Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); 4 other signatures
        dllhost.exe
            signatures: Early bird code injection technique detected; Tries to harvest and steal browser information (history, passwords, etc); Maps a DLL or memory area into another process; Queues an APC in another process (thread injection)
            dllhost.exe
                network: transfer.sh 144.76.136.153, port 443 (HETZNER-ASDE, Germany)
                dropped: C:\Users\user\AppData\Local\...\Library.exe (PE32+); C:\Users\user\AppData\Local\Temp\Data.exe (PE32+)
                Data.exe
                    dropped: C:\Users\user\AppData\...\UpdateSVC.exe (PE32+)
                    signatures: Antivirus detection for dropped file; Creates an undocumented autostart registry key; Hijacks the control flow in another process; 3 other signatures
                    InstallUtil.exe
                        signatures: Protects its processes via BreakOnTermination flag; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
                        SMSvcHost.exe
                            network: pool-fr.supportxmr.com 141.94.96.144, port 8080 (DFNVereinzurFoerderungeinesDeutschenForschungsnetzese, Germany); Detected Stratum mining protocol
                            signatures: Query firmware table information (likely to detect VMs)
                    powershell.exe
                        conhost.exe
                Library.exe
                    dropped: C:\Users\user\AppData\Roaming\...\WShell.exe (PE32+)
                    signatures: Machine Learning detection for dropped file; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Encrypted powershell cmdline option found
                    powershell.exe
                        conhost.exe
                    MSBuild.exe
                        network: 45.159.189.105, port 80 (HOSTING-SOLUTIONSUS, Netherlands)
    ngentask.exe
        network: api4.ipify.org 104.237.62.211, port 443 (WEBNXUS, United States)
        signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access)
svchost.exe
    WerFault.exe (two instances)
3 other processes
Threat name: Win32.Spyware.Rhadamanthys
Status: Malicious
First seen: 2023-02-07 16:28:20 UTC
File type: PE (Exe)
Extracted files: 7
AV detection: 17 of 37 (45.95%)
Threat level: 2/5
Verdict: malicious
Label(s): agenttesla

Result
Malware family: rhadamanthys
Score: 10/10
Tags: family:agenttesla family:rhadamanthys collection keylogger spyware stealer trojan
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
AgentTesla
Detect rhadamanthys stealer shellcode
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SHA256 hash: f90a296b0f76d061b3a02746854b3aa06ec6dcf93639f1b63f7402112288f04e
MD5 hash: 64581a3863009004184f28f0ce6462f7
SHA1 hash: 682ad98f73e9dd3a22bbb75c42bdb62a8df89136

SHA256 hash: 6a7afb8f7f2a67c98cd75d271fa90b7466adcfd86012fc62e88d5f345d8433d6
MD5 hash: fa10fa3a71059cdc50ce89b53c2df731
SHA1 hash: a16c3b58b47d6adb4fd1ea3df65cdf81d0470688

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Rhadamanthys
Executable exe 6a7afb8f7f2a67c98cd75d271fa90b7466adcfd86012fc62e88d5f345d8433d6 (this sample)
Delivery method: Distributed via e-mail attachment
