MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 13


Intelligence 13 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983
SHA3-384 hash: 188591543c375204b3c052ce52263a7569cb0164dce57adf82611e3f319445d1c06e60f3aeb72c62261f73513beae370
SHA1 hash: 67cbaf4b24ccf90ca845626d1ed97831ef0dd55b
MD5 hash: 4c224ad23e402d58bbd23023bf883dc0
humanhash: lemon-mountain-nevada-pasta
File name:SecuriteInfo.com.Trojan.DownLoader45.64415.16073.8707
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:506'880 bytes
First seen:2023-08-07 09:04:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 497066eb74b90edfec949c6dfd6acab4 (2 x Rhadamanthys, 1 x RecordBreaker)
ssdeep 12288:hwp22VqKfpoJfgq+mugd256TJzxpQodc5X:hwp26PfOJfgbmBT5c5
Threatray 482 similar samples on MalwareBazaar
TLSH T18EB4CF1362E56871F63346738E2AC6E8EB1FB861FF5477EB12589A2F09701E1C672341
TrID 37.3% (.EXE) Win64 Executable (generic) (10523/12/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
16.0% (.EXE) Win32 Executable (generic) (4505/5/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 70d0dcd0d0c8d2dd (1 x Rhadamanthys)
Reporter SecuriteInfoCom
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
288
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.DownLoader45.64415.16073.8707
Verdict:
Malicious activity
Analysis date:
2023-08-07 09:06:14 UTC
Tags:
rhadamanthys stealer
Link:
https://app.any.run/tasks/70fe7a41-4da1-4a42-83aa-c9efb0cfed4e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Rhadamanthys
Create hunting rule
Link:
https://www.capesandbox.com/analysis/441018/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader45.64415.16073.8707.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Launching a process
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Reading critical registry keys
Searching for the window
Creating a file
Creating a process from a recently created file
Creating a window
Unauthorized injection to a system process
Stealing user critical data
Gathering data
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8565bb37-ff38-492f-8e20-2e6e77402d26
Result
Threat name:
RHADAMANTHYS, SystemBC
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1286984
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates processes via WMI
Deletes itself after installation
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected RHADAMANTHYS Stealer
Yara detected SystemBC
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1286984 Sample: SecuriteInfo.com.Trojan.Dow... Startdate: 07/08/2023 Architecture: WINDOWS Score: 100 39 Snort IDS alert for network traffic 2->39 41 Found malware configuration 2->41 43 Malicious sample detected (through community Yara rule) 2->43 45 9 other signatures 2->45 7 SecuriteInfo.com.Trojan.DownLoader45.64415.16073.8707.exe 1 2->7         started        11 Pae.exe 1 2->11         started        13 powershell.exe 12 2->13         started        15 powershell.exe 11 2->15         started        process3 dnsIp4 35 185.225.73.49, 4851, 49719, 49720 MAYAKBG Germany 7->35 55 Detected unpacking (changes PE section rights) 7->55 57 Detected unpacking (overwrites its own PE header) 7->57 17 certreq.exe 2 7->17         started        21 WerFault.exe 7->21         started        37 discordcdn8839248.com 193.109.85.70, 4327, 49723 M247GB Russian Federation 11->37 59 Multi AV Scanner detection for dropped file 11->59 61 Found evasive API chain (may stop execution after checking mutex) 11->61 63 Machine Learning detection for dropped file 11->63 65 Creates autostart registry keys with suspicious values (likely registry only malware) 11->65 23 Pae.exe 13->23         started        25 conhost.exe 13->25         started        27 conhost.exe 15->27         started        29 Pae.exe 15->29         started        signatures5 process6 file7 33 C:\Users\user\AppData\Local\...\Pae.exe, PE32 17->33 dropped 47 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->47 49 Tries to steal Mail credentials (via file / registry access) 17->49 51 Tries to harvest and steal browser information (history, passwords, etc) 17->51 53 3 other signatures 17->53 31 conhost.exe 17->31         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-08-07 09:05:07 UTC
File Type:
PE (Exe)
Extracted files:
37
AV detection:
16 of 24 (66.67%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ossdjkzh33rcgtgbjh5i2ngg2wxvx2vaayh7vv2sh7pi5sjd7gbq._file
Verdict:
malicious
Similar samples:
0166a28ce9868b1121d700105a60cb86924a7d6df1e9a8552a70a5df4106bd0a
Rhadamanthys
09ab57049567b5c2e403f0901b5a9bcc7eab0ea6ae466c315695474c951d590f
Rhadamanthys
2aaae232c889912fe61abafb3dd36bfa3499d21daaf61d8c839ed53c50ffa388
Rhadamanthys
380c81695a2340dbaf8d0427188536d1eddfca4ee41a5aa7d23eb8a91d617c4c
Rhadamanthys
4a269414d116334ba8837a573d824a3ff46c3b7d274b7b8e3c3ffd688a2e3729
Rhadamanthys
4d394ab71802f94b89ba5d62bdb2faebc5b500acbc2a362339ba451517710441
Rhadamanthys
7d2102bb62f4eb41eac647e66f4f37eabce90eece6e0589603108b03ebfe300c
Rhadamanthys
8a049d96c7cb3586360c4936c28a543f8625ac00870a5887478eef8f2a169549
Rhadamanthys
a5fbff72a3aa6120ee4b47120171d9886f0428e36359efcc2b257308a2c78d07
Rhadamanthys
ddad7b5c4546bd2bc27d66de61d76e788e48dbcdbafc1a5a4129e61c2dcc3721
Rhadamanthys
+ 472 additional samples on MalwareBazaar
Result
Malware family:
systembc
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys family:systembc stealer trojan
Link:
https://tria.ge/reports/230807-k16raafg6y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Deletes itself
Executes dropped EXE
Detect rhadamanthys stealer shellcode
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
SystemBC
Malware Config
C2 Extraction:
discordcdn8839248.com:4327
chinabar821994.com:4327
Unpacked files
SH256 hash:
cf04e46017b62a645895c068d0758ee8b17719ff26b2272b1daa86b7416e9023
MD5 hash:
de3cb8a4b4de0b059eef9506f9846199
SHA1 hash:
04ae01de15037a7ba9c95675d7e9db32fb038ae8
Detections:
RhadamanthysLoader
Create hunting rule
win_brute_ratel_c4_w0
Create hunting rule
Link:
https://www.unpac.me/results/4a02e5d8-5db8-4ef1-9eba-d4cfecfe4752/
SH256 hash:
74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983
MD5 hash:
4c224ad23e402d58bbd23023bf883dc0
SHA1 hash:
67cbaf4b24ccf90ca845626d1ed97831ef0dd55b
Link:
https://www.unpac.me/results/4a02e5d8-5db8-4ef1-9eba-d4cfecfe4752/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/74a434ab27de/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BruteSyscallHashes
Create hunting rule
Author:Embee_Research @ Huntress
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security
Rule name:win_bruteratel_syscall_hashes_oct_2022
Create hunting rule
Author:Embee_Research @ Huntress
Description:Detection of Brute Ratel Badger via api hashes of Nt* functions.
Rule name:win_brute_ratel_c4_w0
Create hunting rule
Author:Embee_Research @ Huntress
Rule name:win_Brute_Syscall_Hashes
Create hunting rule
Author:Embee_Research @ Huntress
Description:Detection of Brute Ratel Badger via api hashes of Nt* functions.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe 74a434ab27dee2234cc149fa8d34c6d5af5beaa0060ffad7523fde8ec923f983

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/441018/
  
URLhaus
https://urlhaus.abuse.ch/url/2701280/
  
Delivery method
Distributed via web download

Comments