MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73f608926b7cadc48ad656faf26c8ff319cfa9dbfbab6aad6621e44d145c82b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Rhadamanthys


Vendor detections: 15



SHA256 hash: 73f608926b7cadc48ad656faf26c8ff319cfa9dbfbab6aad6621e44d145c82b8
SHA3-384 hash: 80896c49a86cc41f41a242bdc7cf133a4476984836799af3a06d39fc01a06b47619843c4fdc007809a0b62f025d83a36
SHA1 hash: 597a28dc407bd232db2d891b51d40b2a779f89af
MD5 hash: f7cdd37705bd314230ac86f43756d0ba
humanhash: idaho-batman-diet-nineteen
File name: 73f608926b7cadc48ad656faf26c8ff319cfa9dbfbab6aad6621e44d145c82b8
Signature: Rhadamanthys
File size: 1'314'244 bytes
First seen: 2024-12-18 12:55:10 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: be41bf7b8cc010b614bd36bbca606973 (195 x LummaStealer, 126 x DanaBot, 63 x Vidar)
ssdeep: 24576:dCupFXzfTmVAsxPOCYw/P6Vd1cQZ4u9sdxjbE9mcSbw10bi79FgjX:t26sxP+w/P6v1cQZwxjc2b7b22
Threatray: 170 similar samples on MalwareBazaar
TLSH: T1815533A3C7E40432EAF14FB6B9781C344EB5BD1A59B8C05A634504AEFA29DCD4C173A7
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: 00f87878c87a32d4 (1 x Rhadamanthys)
Reporter: JAMESWT_WT
Tags: 92-255-85-148 exe Rhadamanthys

Intelligence


File Origin
# of uploads: 1
# of downloads: 446
Origin country: IT
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 73f608926b7cadc48ad656faf26c8ff319cfa9dbfbab6aad6621e44d145c82b8
Verdict: Malicious activity
Analysis date: 2024-12-18 14:36:46 UTC
Tags: autoit rhadamanthys stealer shellcode

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 99.9%
Tags: autoit emotet nsis
Result
Verdict: Malware
Maliciousness:
Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Creating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
DNS request
Unauthorized injection to a recently created process
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: installer microsoft_visual_cc overlay packed packed packer_detected
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: RHADAMANTHYS
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Allocates memory in foreign processes
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Threat name: Win32.Ransomware.Rhadamanthys
Status: Malicious
First seen: 2024-11-19 15:42:58 UTC
File Type: PE (Exe)
Extracted files: 16
AV detection: 15 of 38 (39.47%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: discovery
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict: Malicious
Tags: Win.Malware.Runner-10038996-0
YARA: n/a
Unpacked files
SHA256 hash: 73f608926b7cadc48ad656faf26c8ff319cfa9dbfbab6aad6621e44d145c82b8
MD5 hash: f7cdd37705bd314230ac86f43756d0ba
SHA1 hash: 597a28dc407bd232db2d891b51d40b2a779f89af
Malware family: CryptBot.v3
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high
Reviews
ID | Capabilities | Evidence
COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance
SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteW, SHELL32.dll::SHFileOperationW, SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CreateProcessW, KERNEL32.dll::OpenProcess, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::LoadLibraryW, KERNEL32.dll::LoadLibraryA, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetDiskFreeSpaceW, KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CopyFileW, KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::MoveFileW, KERNEL32.dll::GetWindowsDirectoryW
WIN_REG_API | Can Manipulate Windows Registry | ADVAPI32.dll::RegCreateKeyExW, ADVAPI32.dll::RegDeleteKeyW, ADVAPI32.dll::RegOpenKeyExW, ADVAPI32.dll::RegQueryValueExW, ADVAPI32.dll::RegSetValueExW
WIN_USER_API | Performs GUI Actions | USER32.dll::AppendMenuW, USER32.dll::EmptyClipboard, USER32.dll::FindWindowExW, USER32.dll::OpenClipboard, USER32.dll::PeekMessageW, USER32.dll::CreateWindowExW

Comments