MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c3f1b90fb0dfabd5f29578d0db2d2fd26058bc89c76ecaf51f77b8465c9468e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c3f1b90fb0dfabd5f29578d0db2d2fd26058bc89c76ecaf51f77b8465c9468e
SHA3-384 hash: 2e96f38010f3df3d1bafdf7d9c60122ee902b5e36126f6b097bf2d079423cd2c2f04a4de4c4fe1fbb5affe64f357d7ee
SHA1 hash: 341509a2fe641c906cd31d8cf77ddcee8d3a1f47
MD5 hash: 9de7b350e67a0d7897475816583c8b1b
humanhash: jersey-eighteen-sixteen-eleven
File name:9de7b350e67a0d7897475816583c8b1b.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:1'701'304 bytes
First seen:2023-03-13 10:19:13 UTC
Last seen:2023-03-13 11:29:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 533c5409968cfac36437ac5835c4d83f (7 x Rhadamanthys, 1 x Adware.Generic)
ssdeep 49152:D+L8yFekEBPqjcde3qYDAW4DVl0PgYr7Q:kOnqjctuAW4DVEE
Threatray 269 similar samples on MalwareBazaar
TLSH T15A75F1195FB3D822EB2414722C988778988F6FF21581894AFD70FDED1D92EC04E669C7
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 80c49a82c2e6aeb4 (1 x Rhadamanthys)
Reporter abuse_ch
Tags:exe Rhadamanthys signed

Code Signing Certificate

Organisation:*.deviantart.com
Issuer:Amazon RSA 2048 M02
Algorithm:sha256WithRSAEncryption
Valid from:2023-02-20T00:00:00Z
Valid to:2023-11-24T23:59:59Z
Serial number: 0c7d77e829c56a8aa5ddaa98ef2d111f
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: ba7739d75ff09c7044ccbaff048b73ff71835160a45d4f7c014283a387eb3b26
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
218
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
9de7b350e67a0d7897475816583c8b1b.exe
Verdict:
Malicious activity
Analysis date:
2023-03-13 10:20:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6b6c8c6f-d16c-462d-aa66-22495f80cdf0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/373970/
Detection(s):
SecuriteInfo.com.Variant.Tedy.312663.474.3092.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
DNS request
Creating a file
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/72931/overview
Behaviour
MalwareBazaar
SystemUptime
CPUID_Instruction
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/640ef8d69455cf9fbc75d629/reports/b4fdba31-6eb3-4642-931b-278e2dacb790/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/6c3f1b90fb0dfabd5f29578d0db2d2fd26058bc89c76ecaf51f77b8465c9468e
Malware family:
Spectre
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/796b7c7b-7d4a-48e3-974b-34fd347b9ccd
Result
Threat name:
RHADAMANTHYS, Xmrig
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1192472
Signature
Allocates memory in foreign processes
Changes security center settings (notifications, updates, antivirus, firewall)
Checks if the current machine is a virtual machine (disk enumeration)
DLL side loading technique detected
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential ransomware demand text
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected RHADAMANTHYS Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 825370 Sample: nNVEzWgUMy.exe Startdate: 13/03/2023 Architecture: WINDOWS Score: 100 166 Snort IDS alert for network traffic 2->166 168 Multi AV Scanner detection for dropped file 2->168 170 Multi AV Scanner detection for submitted file 2->170 172 8 other signatures 2->172 11 nNVEzWgUMy.exe 10 2->11         started        16 javiw yixabohe bola bedit.exe 9 2->16         started        18 svchost.exe 2->18         started        20 9 other processes 2->20 process3 dnsIp4 140 79pmoeyqok8kdsd5apjc4cavdgyxum.f2rxansul6irfyt 11->140 124 C:\Users\...\javiw yixabohe bola bedit.exe, PE32 11->124 dropped 126 javiw yixabohe bol...exe:Zone.Identifier, ASCII 11->126 dropped 200 Self deletion via cmd or bat file 11->200 202 Uses schtasks.exe or at.exe to add and modify task schedules 11->202 22 javiw yixabohe bola bedit.exe 8 11->22         started        27 cmd.exe 1 11->27         started        29 schtasks.exe 1 11->29         started        142 79pmoeyqok8kdsd5apjc4cavdgyxum.f2rxansul6irfyt 16->142 128 C:\Users\user\AppData\Local\...\4952828.dll, PE32 16->128 dropped 204 Writes to foreign memory regions 16->204 206 Allocates memory in foreign processes 16->206 208 Injects a PE file into a foreign processes 16->208 31 ngentask.exe 16->31         started        39 3 other processes 16->39 33 bohx.exe 18->33         started        35 conhost.exe 18->35         started        144 192.168.2.1 unknown unknown 20->144 210 Query firmware table information (likely to detect VMs) 20->210 212 Changes security center settings (notifications, updates, antivirus, firewall) 20->212 37 MpCmdRun.exe 20->37         started        41 2 other processes 20->41 file5 signatures6 process7 dnsIp8 138 79pmoeyqok8kdsd5apjc4cavdgyxum.f2rxansul6irfyt 22->138 112 C:\Users\user\AppData\Local\...\4945593.dll, PE32 22->112 dropped 174 Writes to foreign memory regions 22->174 176 Allocates memory in foreign processes 22->176 178 Injects a PE file into a foreign processes 22->178 43 ngentask.exe 18 22->43         started        47 fontview.exe 22->47         started        50 ngentask.exe 22->50         started        180 Uses ping.exe to check the status of other devices and networks 27->180 52 PING.EXE 1 27->52         started        54 conhost.exe 27->54         started        56 chcp.com 1 27->56         started        58 conhost.exe 29->58         started        114 C:\Users\user\AppData\...\PsInfo64.exe, PE32+ 33->114 dropped 116 C:\Users\user\AppData\Roaming\...\PsInfo.exe, PE32 33->116 dropped 118 C:\Users\user\AppData\Roaming\...\7zxa.dll, PE32 33->118 dropped 120 4 other files (2 malicious) 33->120 dropped 60 conhost.exe 37->60         started        file9 signatures10 process11 dnsIp12 146 185.246.220.89, 49712, 49713, 49714 LVLT-10753US Germany 43->146 130 C:\Users\user\AppData\...\VbqYHFRL8T0P.exe, PE32 43->130 dropped 132 C:\Users\user\AppData\Roaming\...\bohx.exe, PE32 43->132 dropped 62 VbqYHFRL8T0P.exe 43->62         started        67 VbqYHFRL8T0P.exe 43->67         started        69 cmd.exe 43->69         started        73 2 other processes 43->73 214 Query firmware table information (likely to detect VMs) 47->214 216 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 47->216 218 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 47->218 222 3 other signatures 47->222 71 dllhost.exe 47->71         started        220 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 50->220 148 127.0.0.1 unknown unknown 52->148 file13 signatures14 process15 dnsIp16 150 5bb50ixfbbqedbvdie2wgykbpbunfgn.d18xdkqq6cdudno4seuxbxp7qa 62->150 134 C:\Users\user\AppData\Local\...\4975703.dll, PE32 62->134 dropped 154 Machine Learning detection for dropped file 62->154 156 Writes to foreign memory regions 62->156 158 Allocates memory in foreign processes 62->158 75 ngentask.exe 62->75         started        79 fontview.exe 62->79         started        152 5bb50ixfbbqedbvdie2wgykbpbunfgn.d18xdkqq6cdudno4seuxbxp7qa 67->152 136 C:\Users\user\AppData\Local\...\4983015.dll, PE32 67->136 dropped 160 Injects a PE file into a foreign processes 67->160 81 ngentask.exe 67->81         started        83 fontview.exe 67->83         started        85 systeminfo.exe 69->85         started        87 conhost.exe 69->87         started        89 findstr.exe 69->89         started        162 Tries to harvest and steal browser information (history, passwords, etc) 71->162 164 Maps a DLL or memory area into another process 71->164 91 conhost.exe 73->91         started        file17 signatures18 process19 file20 122 C:\Users\user\AppData\Local\...\Cookies.bak, SQLite 75->122 dropped 182 Tries to harvest and steal browser information (history, passwords, etc) 75->182 184 DLL side loading technique detected 75->184 93 cmd.exe 75->93         started        95 cmd.exe 75->95         started        186 Query firmware table information (likely to detect VMs) 79->186 188 Writes to foreign memory regions 79->188 190 Allocates memory in foreign processes 79->190 198 2 other signatures 79->198 192 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 85->192 194 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 85->194 196 Writes or reads registry keys via WMI 85->196 signatures21 process22 process23 97 bohx.exe 93->97         started        100 conhost.exe 93->100         started        102 conhost.exe 95->102         started        file24 104 C:\Users\user\AppData\...\softokn3.dll, PE32 97->104 dropped 106 C:\Users\user\AppData\Roaming\...\nss3.dll, PE32 97->106 dropped 108 C:\Users\user\AppData\Roaming\...\mozglue.dll, PE32 97->108 dropped 110 4 other files (1 malicious) 97->110 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6c3f1b90fb0dfabd5f29578d0db2d2fd26058bc89c76ecaf51f77b8465c9468e/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-03-13 01:14:03 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nq7rxeh3bx5l2xzjk6gq3mws7utalc6itr3ozl2r655yizoji2ha._file
Verdict:
malicious
Similar samples:
044e62e14faf9e06d2759ac0d62b4c6cb3a103fe287e235c48ab1c64604cfe3a
Rhadamanthys
28bb20329cf6024057a4834e899520a55dcc7bb6b22ad783069ab2d1e2124e82
Rhadamanthys
3a156d1223d2420acadac6e2b8e9f27c4724515b4bf456fd34b4ad3aff36a8c4
Rhadamanthys
3c41412eb5d424cbf29a62862bc2ccc0ba89c32c27e36f5c74a8d16a82fe2331
Rhadamanthys
6a7afb8f7f2a67c98cd75d271fa90b7466adcfd86012fc62e88d5f345d8433d6
Rhadamanthys
7bfaad45889d0cb9d2bde28ef578cbe57cad912dffb0498cadc6306ed4451df4
Rhadamanthys
7d36d865c07e911c5eff4d45c8f7e837b0ffe589cefcd7a8d812477f4e05b5d7
Rhadamanthys
8a7eadc7085b0a572fe4cfe17a02e828107d2f3dc0e1e2730a47fa1bed43e349
Rhadamanthys
9f1ea67ba5281a92142a5daf50f99030fa7778ffeaf2a33c109a4bc95daeb453
Rhadamanthys
b2842c5a354d92ad4ae55a788519408ed4acc2b26cd068fb636596d6f3741c9c
Rhadamanthys
+ 259 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys stealer
Link:
https://tria.ge/reports/230313-mc4m5abh6y/
Behaviour
Creates scheduled task(s)
Gathers system information
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Detect rhadamanthys stealer shellcode
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
44562aee696769b5e0c72bf97854f0aaea82e1b4f456bb08787dddd620df90a2
MD5 hash:
dfb29900b4fb24834732f84b76a4a92b
SHA1 hash:
bffe70b023858b7d8ee2a7c6b2703deb38189ab6
Link:
https://www.unpac.me/results/d14a747e-c154-4005-a443-360ba92b7097/
SH256 hash:
6c3f1b90fb0dfabd5f29578d0db2d2fd26058bc89c76ecaf51f77b8465c9468e
MD5 hash:
9de7b350e67a0d7897475816583c8b1b
SHA1 hash:
341509a2fe641c906cd31d8cf77ddcee8d3a1f47
Link:
https://www.unpac.me/results/d14a747e-c154-4005-a443-360ba92b7097/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6c3f1b90fb0d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6c3f1b90fb0dfabd5f29578d0db2d2fd26058bc89c76ecaf51f77b8465c9468e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe 6c3f1b90fb0dfabd5f29578d0db2d2fd26058bc89c76ecaf51f77b8465c9468e

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/373970/
  
URLhaus
https://urlhaus.abuse.ch/url/2566596/
  
Delivery method
Distributed via web download

Comments