MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c4c03231ed003e73fd65691c5950ae75f352e8467a486ea3ae34307ba35c297. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Rhadamanthys


Vendor detections: 16



SHA256 hash: 6c4c03231ed003e73fd65691c5950ae75f352e8467a486ea3ae34307ba35c297
SHA3-384 hash: 3fff9f10769003aac1dd6e1a8ec8c37afc35141a17e9c9f19f3992591a032a4a44eac28a26523000e0d68705ed34fffd
SHA1 hash: ce87cba0d983f1d85e3a65a0351b4b5d15da31b4
MD5 hash: c6370fd9fec5500a8eb3a0c6a7cb9999
humanhash: colorado-moon-kansas-five
File name: file
Download: download sample
Signature: Rhadamanthys
File size: 458'240 bytes
First seen: 2023-06-15 14:58:31 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 33cfef13ebf9ca3b5ab37b3a07492470 (1 x RedLineStealer, 1 x TeamBot, 1 x Tofsee)
ssdeep: 6144:bHpSbEF2KIXm7atCYbzMrBsE10PF86tv77exdj0W8+E8INlWZWneknqi7oH:b4bEKWO4YMNmjvaj0MELNlkknqiU
Threatray: 678 similar samples on MalwareBazaar
TLSH: T17CA4E102FDF1AC32D626EB728D6AC5E57B1DFDA0CE14266732186A1F09711E0C57237A
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE): PE icon
dhash icon: 0160626a4a627620 (1 x Rhadamanthys)
Reporter: andretavare5
Tags: exe Rhadamanthys


andretavare5
Sample downloaded from http://77.105.146.74/cc.exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 386
Origin country: US
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: file
Verdict: Malicious activity
Analysis date: 2023-06-15 14:58:57 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Using the Windows Management Instrumentation requests
Launching a process
Launching the default Windows debugger (dwwin.exe)
Reading critical registry keys
Searching for the window
Creating a file
Creating a process from a recently created file
Unauthorized injection to a system process
Sending a TCP request to an infection source
Stealing user critical data
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: greyware packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Malicious Packer
Verdict: Malicious
Result
Threat name: Colibri, RHADAMANTHYS
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops PE files to the document folder of the user
Found C&C like URL pattern
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Yara detected Colibri Loader
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph: Behavior Graph ID 888424, Sample: file.exe, Startdate: 15/06/2023, Architecture: WINDOWS, Score: 100
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 8 other signatures
Process tree and per-process findings (recovered from the behavior graph image):
  file.exe
    contacts 179.43.162.23 (ports 49721, 49722, 49724), PLI-ASCH, Panama
    Detected unpacking (overwrites its own PE header)
    certreq.exe
      drops C:\Users\user\AppData\Local\...\Vwwws.exe (PE32)
      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); 3 other signatures
      conhost.exe
    WerFault.exe
  Vwwws.exe
    contacts oraycdn.com 104.21.48.241:443 (port 49725), CLOUDFLARENETUS, United States
    drops C:\Users\user\Documents\...\dllhost.exe (PE32)
    Detected unpacking (changes PE section rights); Drops PE files to the document folder of the user; Machine Learning detection for dropped file; Uses schtasks.exe or at.exe to add and modify task schedules
    dllhost.exe
      contacts oraycdn.com (Found C&C like URL pattern) and 172.67.157.3:443 (ports 49726, 49727), CLOUDFLARENETUS, United States
      System process connects to network (likely due to code injection or exploit); Detected unpacking (changes PE section rights); Machine Learning detection for dropped file
    schtasks.exe
Threat name: Win32.Trojan.Privateloader
Status: Malicious
First seen: 2023-06-15 14:59:06 UTC
File Type: PE (Exe)
Extracted files: 36
AV detection: 18 of 24 (75.00%)
Threat level: 5/5
Result
Malware family: colibri
Score: 10/10
Tags: family:colibri botnet:bot collection loader
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Program crash
Accesses Microsoft Outlook profiles
Deletes itself
Executes dropped EXE
Loads dropped DLL
Colibri Loader
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction: http://oraycdn.com/gate.php
Unpacked files
SHA256 hash: a13376875d3b492eb818c5629afd3f97883be2a5154fa861e7879d5f770e21d4
MD5 hash: d0c1a1ed8609b87ba25b771e8144b90c
SHA1 hash: 0da8c2b9e109d97a574f0614550dc2311c331f85
Detections: win_brute_ratel_c4_w0
Parent samples:
bd60605304be239c72f53cc7b881a7c0aa77b668f3e732ae1ea032b24e052fc0
0f13412e34d79c5c24595dbf76c44ded557d8bf22bc420802e7843cc84ef7ded
bcc6c5ebaa7ede4e4485cc0a1884e6e12923e4c7aca85283b2a546c2b8034055
97fbb8c62444ab8fef4af17c33117b43c9f926a45445ecc9fc51138089a75000
695ebf4db6a46967bdecfe41ea5db0b2f96845a460f7d16eb2fcd3111f2dd36c
37e0b7e14eaeeb2205c87261982e272eaa6dd4b95fdd2edc7b2a5b9d29b64a09
ebc9f697284097979e511887e40f9e1bc57fcedb2be1f37fb1ed20ee90004d93
15d2319d94150b66ce714c7bc4f524d52b9154a9a5fc2f336c744a4d56bd77d9
59d09c8a52afad517845498cb8bcef3055f28f3b3d6e673b856f4b488f73149c
6c4c03231ed003e73fd65691c5950ae75f352e8467a486ea3ae34307ba35c297
b5645b317166b0b99f915bd7d5a0de8758c6193c6b6324d4821da47791994595
0ca15ac24cd26ecd4afb42b4c8802bcfc1eb06088ae0d3503fbc732f80429531
7f500eca61d1bb18feeadebda84d65023a482e7ce11b81184e8357973e63a077
ad5fc45f2dd58b5209749b5b5f7aaac5b3413cea80eb200727fa1fd919bb8cf6
c459a4a1f1b9253dde6e26e12e651c3990ce4f9d1c464308d360dbaf7f82235f
c69be220656f8c1b2f425b778bfee586165ab8653b3550e1c8226398429e18a6
1ea3b1f1f09de73b2021a37ef523a55ec13ed673a584e9fd25d80466e806ebf1
c48a7a57d515ae7471b153f2346e0286cdb5707683414d54cb8fa45553ac4087
f72db6936eef06dee9230bb27bfcea84a66773e419807f355bf37fb3f5457947
95bd28472a3dfcffa46dedad1547e5ac3fcad81d35af34a5da524aa380523415
e0a50fbd358e7561e1017edd90a51682f345f6fe8248aa1bf352411ce57d54e3
033bebdf818560c4eba4837b7d7f29a25a0e6876dfa958c4c1dcd8b7665e4f48
c99798d67cbf1e80040257eb9e68f62d966fe53443ca54e120e3a0379152ca80
452c0558713dac55a25f47217368c54ed4d41a97b677c66b4af291cc7f9da862
e3c530a8f37ef3b74788e33c2483ef02b54009a89f981959b0619fab7462afc8
bc1e4e6dd1eec20e8b6685d7e844a0ad045c0700210ef40f451e51dd9fa00910
0af3aa9e62ae449301ef9b3d9965d45775c13b2fc7a662795d39585d5c0fa908
81c68d49323f4cc3f1ad6b3634b9a3d0891daed3822c077a3b1a4a6b0b050551
1eb7e20cc13f622bd6834ef333b8c44d22068263b68519a54adc99af5b1e6d34
098c9f426ab6d50a39469ef17adcf10e50b5e91ff9a7594478354098909970df
811dec9ec1252218598615343fe2e04a62a296e3f156778c4d168b4eec8a0bf0
SHA256 hash: 6c4c03231ed003e73fd65691c5950ae75f352e8467a486ea3ae34307ba35c297
MD5 hash: c6370fd9fec5500a8eb3a0c6a7cb9999
SHA1 hash: ce87cba0d983f1d85e3a65a0351b4b5d15da31b4
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BruteSyscallHashes
Author: Embee_Research @ Huntress
Rule name: Windows_Trojan_Smokeloader_3687686f
Author: Elastic Security
Rule name: win_brute_ratel_c4_w0
Author: Embee_Research @ Huntress
Rule name: win_Brute_Syscall_Hashes
Author: Embee_Research @ Huntress
Description: Detection of Brute Ratel Badger via api hashes of Nt* functions.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Dropped by: PrivateLoader
Delivery method: Distributed via drive-by

Comments