MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7956d6d4b29d847f69e99363771fbe91983f4311b407e13860a025ab20869d90. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments 1

SHA256 hash:	7956d6d4b29d847f69e99363771fbe91983f4311b407e13860a025ab20869d90
SHA3-384 hash:	8bcc571bc81cab59ea9d57784eac910ebbdd237dce8cc62599956fc190e19eaef718154757ec631db10b247bcd418e71
SHA1 hash:	c6b4c47300e1371680cac2e39a8ce3dc2ada27f6
MD5 hash:	c58456f1423e916bde295f230485c1cf
humanhash:	wolfram-earth-november-uncle
File name:	c58456f1423e916bde295f230485c1cf.exe
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	558'080 bytes
First seen:	2024-03-24 07:35:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0be152bdfc9ef291ebc79442873fbb26 (2 x LummaStealer, 2 x Rhadamanthys, 1 x Smoke Loader)
ssdeep	12288:xW1s0S5CXGPawnEf12i4pjq3vnSrV/L+hejV5uUNCl:xgS5T3Et2i4pjqf4V/L+AjXhCl
Threatray	14 similar samples on MalwareBazaar
TLSH	T153C4E102B2E3EC50F56ECA324D29C5F4263EFC618D19AB5723787B2F14701A3D662B65
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
File icon (PE):
dhash icon	0008180802020200 (2 x Smoke Loader, 1 x Fabookie, 1 x RedLineStealer)
Reporter	abuse_ch
Tags:	exe Rhadamanthys

Intelligence

File Origin

# of uploads :

# of downloads :

550

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

7956d6d4b29d847f69e99363771fbe91983f4311b407e13860a025ab20869d90.exe

Verdict:

Suspicious activity

Analysis date:

2024-03-24 07:41:02 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/367daaef-5432-4765-a719-8406d5c66aee

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching the default Windows debugger (dwwin.exe)

Searching for the window

Launching a process

Moving a file to the Program Files subdirectory

Replacing files

Sending an HTTP GET request

Creating a file in the Program Files subdirectories

Delayed reading of the file

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

fingerprint packed rhadamanthys

Link:

https://www.filescan.io/uploads/65ffd7e5b81a555db48d15a9/reports/885cc734-92a7-4277-87fd-8b9493a19fce/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/7956d6d4b29d847f69e99363771fbe91983f4311b407e13860a025ab20869d90

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2009452b-4d5d-4bc3-835d-8f088efb3a80

Result

Threat name:

RHADAMANTHYS

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1414668

Signature

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7956d6d4b29d847f69e99363771fbe91983f4311b407e13860a025ab20869d90/

Threat name:

Win32.Spyware.Rhadamanthys

Status:

Malicious

First seen:

2024-03-23 11:53:42 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 23 (91.30%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pflnnvfstwch62pjsnrxoh56sgmd6qyrwqd6codauas2wiegtwia._file

Verdict:

malicious

Rhadamanthys

1efbc80ffd55c78287134a11add66b10bf7b2cd724913721a7f305d483050593

Rhadamanthys

488c331d38619439353960f4142748daeee729fb73f9535ba550aa6c830a0c7f

Rhadamanthys

902ffc3373b854572ad2e3a8e05775430c61a7c59ed7e2ccaba7d6bc2fd2b828

Rhadamanthys

944acac373a28c754566ded96145a946e3a9247eb12a9ddc5c02c45a2523fd4b

Rhadamanthys

e1d3a9a0ce88a02aae8e67f0e37f0682677bd1b791767460566f4f645fc443c3

Rhadamanthys

+ 4 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/240324-je84vade7s/

Behaviour

Program crash

Unpacked files

SH256 hash:

bc5e95f6cdf9cb5a058e8a4eed0c5f0d9b64cd30f162723263250cdb29d16338

MD5 hash:

5aa6ba16a50ec2521164b27bfb18a8a0

SHA1 hash:

ee74ea1b92a83f6df4819bb7486a88fa11e830c6

Link:

https://www.unpac.me/results/8b008a32-bcb5-4d20-b605-19480c3546e8/

SH256 hash:

7956d6d4b29d847f69e99363771fbe91983f4311b407e13860a025ab20869d90

MD5 hash:

c58456f1423e916bde295f230485c1cf

SHA1 hash:

c6b4c47300e1371680cac2e39a8ce3dc2ada27f6

Link:

https://www.unpac.me/results/8b008a32-bcb5-4d20-b605-19480c3546e8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7956d6d4b29d847f69e99363771fbe91983f4311b407e13860a025ab20869d90

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

exe 7956d6d4b29d847f69e99363771fbe91983f4311b407e13860a025ab20869d90

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2790112/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::FindFirstVolumeMountPointW KERNEL32.dll::SetSystemPowerState KERNEL32.dll::LoadLibraryA KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetVolumeInformationA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::PeekConsoleInputW KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetConsoleTextAttribute KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleAliasExesLengthA KERNEL32.dll::GetConsoleAliasW KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileW KERNEL32.dll::GetWindowsDirectoryA KERNEL32.dll::RemoveDirectoryA
WIN_BASE_USER_API	Retrieves Account Information	KERNEL32.dll::QueryDosDeviceA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

Kasibe commented on 2024-03-29 14:27:53 UTC

Glupteba