MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b0494bef1b645ecf957f9f2b81c3aa985a9ebaaf29a2ecfb4d8aea023fcac13. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 15



SHA256 hash: 6b0494bef1b645ecf957f9f2b81c3aa985a9ebaaf29a2ecfb4d8aea023fcac13
SHA3-384 hash: 62c4e181a6dd29fd30f654dfd5948753840160521024e6c9cb3e382356a5bafd8259ca94ccb0781ae0d48f88c798a581
SHA1 hash: b5453363acac6da97de5a8997a7483deb9f1beb2
MD5 hash: fbc04c52eb18b7db7206ef8cd0bbc1ab
humanhash: papa-montana-two-alanine
File name: fbc04c52eb18b7db7206ef8cd0bbc1ab
Signature Rhadamanthys
File size: 1'010'688 bytes
First seen: 2023-08-10 02:31:14 UTC
Last seen: 2023-08-21 02:28:03 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 283efa8b8b510b11551f297f9dcd33d1 (1 x Rhadamanthys)
ssdeep 12288:T0QZ/qYtu5LNSC5/lfiIDnqNlSuFZrtzm+Rbak+lAitGbNf4R0j2OJkZC5wqaMEa:wQzwRfiSniRLa5ahJQRIzJCywqaXdyl
Threatray 312 similar samples on MalwareBazaar
TLSH T18D259D217980C265CBF624FAB2EFB461126DB1B4373C19F362D846DAC5248C1953EFDA
TrID 56.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
11.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.1% (.EXE) Win32 Executable (generic) (4505/5/1)
3.7% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: zbetcheckin
Tags: 32 exe Rhadamanthys

Intelligence


File Origin
# of uploads: 2
# of downloads: 327
Origin country: FR
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: fbc04c52eb18b7db7206ef8cd0bbc1ab
Verdict: Malicious activity
Analysis date: 2023-08-10 02:31:34 UTC
Tags: rhadamanthys stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Sending a custom TCP request
Launching a process
Searching for synchronization primitives
Creating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Searching for the window
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
CheckCmdLine
EvasionQueryPerformanceCounter
Gathering data
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Sysinternals
Verdict: Suspicious
Result
Threat name: LockBit ransomware, RHADAMANTHYS
Detection: malicious
Classification: rans.troj.adwa.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Creates processes via WMI
Drops PE files to the startup folder
Found malware configuration
Found ransom note / readme
Hides threads from debuggers
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes many files with high entropy
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected LockBit ransomware
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph (ID 1289097; sample 7UtrFvbnBz.exe; start date 10/08/2023; architecture WINDOWS; score 100)
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2023-08-09 23:16:17 UTC
File Type: PE (Exe)
Extracted files: 1
AV detection: 21 of 38 (55.26%)
Threat level: 5/5
Result
Malware family: rhadamanthys
Score: 10/10
Tags: family:lockbit family:rhadamanthys evasion persistence ransomware spyware stealer
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Program Files directory
Launches sc.exe
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Drops desktop.ini file(s)
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Stops running service(s)
Renames multiple (148) files with added filename extension
Renames multiple (297) files with added filename extension
Detect rhadamanthys stealer shellcode
Lockbit
Rhadamanthys
Rule to detect Lockbit 3.0 ransomware Windows payload
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SHA256 hash: 66213cc837c63f3e2d17f55cb7ddadeba9f792d07c7a77d80e352b6e877e47c9
MD5 hash: 5b2baf8c6b6bf30d089c80ed1cf1d294
SHA1 hash: 6ef6e3451951de077f9dbdff5821cbe2c12fd56b
Detections: RhadamanthysLoader win_brute_ratel_c4_w0
SHA256 hash: 6b0494bef1b645ecf957f9f2b81c3aa985a9ebaaf29a2ecfb4d8aea023fcac13
MD5 hash: fbc04c52eb18b7db7206ef8cd0bbc1ab
SHA1 hash: b5453363acac6da97de5a8997a7483deb9f1beb2
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: NET
Author: malware-lu

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Web download

Rhadamanthys

Executable exe 6b0494bef1b645ecf957f9f2b81c3aa985a9ebaaf29a2ecfb4d8aea023fcac13 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2023-08-10 02:31:15 UTC

url: hxxp://5.255.107.172/forum/images/159.exe