MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 803c615272968189ae40583e836144eeead3babb12a60805b4c87960d0307470. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 803c615272968189ae40583e836144eeead3babb12a60805b4c87960d0307470
SHA3-384 hash: 215c35bcf92048243e8c190995a73fa7fee754ff2db51ac819cd6a08ecf40ddac61cf76d2cdcd2896e1a50665b199526
SHA1 hash: 5a4aee5509aa4b4120744a352f8308cbca9d11f9
MD5 hash: 76c381eb894e292b95a9b7bd61771c3f
humanhash: india-saturn-maine-maine
File name:file.bin
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:1'615'752 bytes
First seen:2024-02-06 21:44:24 UTC
Last seen:2024-02-06 23:26:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 746879dbbd39059ca76eac28e16e6b65 (1 x Rhadamanthys)
ssdeep 24576:Ox0rRW5+xSYA/hAybF3GKxUxABMaHIHk3:Ox2yq0lGBybk8
TLSH T1B975AF22E1B1D433C973163D9F2B9675582A7F102D29A44A3BF55E4C7F382833A352A7
TrID 35.5% (.EXE) Win32 Executable Delphi generic (14182/79/4)
32.8% (.SCR) Windows screen saver (13097/50/3)
11.2% (.EXE) Win32 Executable (generic) (4504/4/1)
5.1% (.EXE) Win16/32 Executable Delphi generic (2072/23)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 399998ecd4d46c0e (572 x Quakbot, 137 x ArkeiStealer, 82 x GCleaner)
Reporter Anonymous
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
2
# of downloads :
465
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/474950/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.8052.799.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fingerprint hook keylogger masquerade overlay packed
Link:
https://www.filescan.io/uploads/65c2a866bf0e860d2bda16d7/reports/fa208b90-851e-4932-b31d-d924ad191253/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/803c615272968189ae40583e836144eeead3babb12a60805b4c87960d0307470
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
FlashDevelop
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d35cd250-3f1e-4dbd-bc14-4e592a411a7b
Result
Threat name:
CryptOne, RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1387885
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/803c615272968189ae40583e836144eeead3babb12a60805b4c87960d0307470
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/803c615272968189ae40583e836144eeead3babb12a60805b4c87960d0307470/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2024-02-06 18:12:00 UTC
File Type:
PE (Exe)
Extracted files:
70
AV detection:
17 of 24 (70.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qa6gcutss2aytlsala7igyke53vnhov3cktaqbnuzb4wbubqorya._file
Verdict:
malicious
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys stealer
Link:
https://tria.ge/reports/240206-1l2rsahad8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Deletes itself
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
c5540b4f5422fffd103f801ea2623fa400135a27e50140bc1fa2e10592c555ba
MD5 hash:
6c6644091182bf38cdb2d416b89e2f20
SHA1 hash:
a46455c5edbfa458328ce10749611a3f6bdf859f
Link:
https://www.unpac.me/results/026dc17f-268a-4095-8cd5-f5f3c413d979/
SH256 hash:
803c615272968189ae40583e836144eeead3babb12a60805b4c87960d0307470
MD5 hash:
76c381eb894e292b95a9b7bd61771c3f
SHA1 hash:
5a4aee5509aa4b4120744a352f8308cbca9d11f9
Link:
https://www.unpac.me/results/026dc17f-268a-4095-8cd5-f5f3c413d979/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/803c61527296/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/803c615272968189ae40583e836144eeead3babb12a60805b4c87960d0307470

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/474950/

Comments