MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82a6847b83bf25cb582bb942735a32197bd9b7b490ce50f34c4976005f4f9bed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 82a6847b83bf25cb582bb942735a32197bd9b7b490ce50f34c4976005f4f9bed
SHA3-384 hash: 4d3d92d988d521ab1bee5fcca06bd69aa0ccea10a62aa32829c6ccea6d02e7b4371a48543ba0033ac9adf7b0f07921e5
SHA1 hash: 9922a24b92892f920430ae204954dc6e6e1758ff
MD5 hash: d9a13bb5645fe754cdc2a10a638660f4
humanhash: arkansas-mike-helium-beryllium
File name:d9a13bb5645fe754cdc2a10a638660f4.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:490'496 bytes
First seen:2024-04-09 12:51:55 UTC
Last seen:2024-04-09 13:33:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1691b1f290a2ca836b091bdcee4ba1dd (2 x Rhadamanthys)
ssdeep 12288:/rrb2iDiSOv4VBHMQhPymqTCYw4oUGbjnm:/7DB/Dym1YANPnm
Threatray 34 similar samples on MalwareBazaar
TLSH T1ADA46B62BBF59D88CD5D33F3C8506BE5065A433642F3E3885D286A52673F6698B0B13C
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10523/12/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter abuse_ch
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
2
# of downloads :
362
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
82a6847b83bf25cb582bb942735a32197bd9b7b490ce50f34c4976005f4f9bed.exe
Verdict:
No threats detected
Analysis date:
2024-04-09 12:53:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/acff1463-64cd-4be6-853b-2e00ee54657d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/82a6847b83bf25cb582bb942735a32197bd9b7b490ce50f34c4976005f4f9bed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fa8f11a5-9477-4f1d-9e3d-19232e604303
Result
Threat name:
Amadey, RHADAMANTHYS, SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1422947
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to inject code into remote processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses string decryption to hide its real strings
Sigma detected: Bypass UAC via Fodhelper.exe
Sigma detected: Capture Wi-Fi password
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Snort IDS alert for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected RHADAMANTHYS Stealer
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1422947 Sample: e7CLP6462y.exe Startdate: 09/04/2024 Architecture: WINDOWS Score: 100 96 atillapro.com 2->96 126 Snort IDS alert for network traffic 2->126 128 Multi AV Scanner detection for domain / URL 2->128 130 Found malware configuration 2->130 132 17 other signatures 2->132 15 e7CLP6462y.exe 1 2->15         started        17 utihrjr 2->17         started        20 Utsysc.exe 2->20         started        22 Utsysc.exe 2->22         started        signatures3 process4 signatures5 24 dialer.exe 15->24         started        102 Antivirus detection for dropped file 17->102 104 Machine Learning detection for dropped file 17->104 106 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 17->106 108 3 other signatures 17->108 process6 dnsIp7 98 216.250.255.115, 49730, 49733, 49737 AS-TIERP-19019US United States 24->98 27 OpenWith.exe 24->27         started        process8 signatures9 158 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 27->158 160 Tries to steal Mail credentials (via file / registry access) 27->160 162 Found many strings related to Crypto-Wallets (likely being stolen) 27->162 164 Tries to harvest and steal Bitcoin Wallet information 27->164 30 AppLaunch.exe 5 27->30         started        33 conhost.exe 27->33         started        process10 file11 94 C:\Users\user\AppData\Roaming\D4C0.vmt.exe, PE32 30->94 dropped 35 D4C0.vmt.exe 30->35         started        38 cmd.exe 1 30->38         started        process12 signatures13 134 Antivirus detection for dropped file 35->134 136 Machine Learning detection for dropped file 35->136 138 Maps a DLL or memory area into another process 35->138 140 Creates a thread in another existing process (thread injection) 35->140 40 explorer.exe 17 7 35->40 injected 142 Suspicious powershell command line found 38->142 144 Adds a directory exclusion to Windows Defender 38->144 45 powershell.exe 23 38->45         started        47 conhost.exe 38->47         started        process14 dnsIp15 100 atillapro.com 185.196.8.137, 49739, 49740, 49741 SIMPLECARRER2IT Switzerland 40->100 80 C:\Users\user\AppData\Roaming\utihrjr, PE32 40->80 dropped 82 C:\Users\user\AppData\Local\Temp\B88B.exe, PE32 40->82 dropped 84 C:\Users\user\AppData\Local\Temp\B677.exe, PE32 40->84 dropped 148 Benign windows process drops PE files 40->148 150 Injects code into the Windows Explorer (explorer.exe) 40->150 152 Writes to foreign memory regions 40->152 154 Hides that the sample has been downloaded from the Internet (zone.identifier) 40->154 49 B88B.exe 40->49         started        53 OpenWith.exe 40->53         started        55 explorer.exe 40->55         started        59 10 other processes 40->59 156 Loading BitLocker PowerShell Module 45->156 57 WmiPrvSE.exe 45->57         started        file16 signatures17 process18 file19 78 C:\Users\user\AppData\Local\...\Utsysc.exe, PE32 49->78 dropped 110 Antivirus detection for dropped file 49->110 112 Multi AV Scanner detection for dropped file 49->112 114 Machine Learning detection for dropped file 49->114 116 Contains functionality to inject code into remote processes 49->116 61 Utsysc.exe 49->61         started        118 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 53->118 120 Tries to steal Mail credentials (via file / registry access) 53->120 122 Tries to harvest and steal browser information (history, passwords, etc) 53->122 124 Tries to harvest and steal Bitcoin Wallet information 53->124 65 AppLaunch.exe 53->65         started        signatures20 process21 file22 86 C:\Users\user\AppData\Roaming\...\cred64.dll, PE32+ 61->86 dropped 88 C:\Users\user\AppData\Roaming\...\clip64.dll, PE32 61->88 dropped 90 C:\Users\user\AppData\Local\...\clip64[1].dll, PE32 61->90 dropped 92 C:\Users\user\AppData\Local\...\cred64[1].dll, PE32+ 61->92 dropped 166 Antivirus detection for dropped file 61->166 168 Multi AV Scanner detection for dropped file 61->168 170 Creates an undocumented autostart registry key 61->170 172 2 other signatures 61->172 67 rundll32.exe 61->67         started        69 rundll32.exe 61->69         started        72 schtasks.exe 61->72         started        74 cmd.exe 65->74         started        signatures23 process24 signatures25 146 System process connects to network (likely due to code injection or exploit) 69->146 76 conhost.exe 72->76         started        process26
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/82a6847b83bf25cb582bb942735a32197bd9b7b490ce50f34c4976005f4f9bed
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/82a6847b83bf25cb582bb942735a32197bd9b7b490ce50f34c4976005f4f9bed/
Threat name:
Win32.Trojan.Rhadamanthys
Create hunting rule
Status:
Malicious
First seen:
2024-04-09 12:52:05 UTC
File Type:
PE (Exe)
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qktii64dx4s4wwblxfbhgwrsdf55tn5usdhfb42mjf3aax2ptpwq._file
Verdict:
malicious
Similar samples:
05074675b07feb8e7556c5af449f5e677e0fabfb09b135971afbb11743bf3165
Rhadamanthys
07fc70e17fc81a62cce3afd89755eb174e090bb3c0f170ea23a55ac7cdda1820
Rhadamanthys
12d3dc8a4fd8a2ebe6a839cce59920156d55e8d06fe2a5c95ad60419086877bb
Rhadamanthys
488c331d38619439353960f4142748daeee729fb73f9535ba550aa6c830a0c7f
Rhadamanthys
70a7c05b84920869900bfb4d677f13d57ced658d907d495a1ffe66e1b0d420da
Rhadamanthys
7956d6d4b29d847f69e99363771fbe91983f4311b407e13860a025ab20869d90
Rhadamanthys
a62a2d2bf6bce86b9a0bf8a43ae74004f94e5e712400a68d2cc062ec72e1fc78
Rhadamanthys
+ 24 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/240409-p32ybsfd54/
Unpacked files
SH256 hash:
82a6847b83bf25cb582bb942735a32197bd9b7b490ce50f34c4976005f4f9bed
MD5 hash:
d9a13bb5645fe754cdc2a10a638660f4
SHA1 hash:
9922a24b92892f920430ae204954dc6e6e1758ff
Link:
https://www.unpac.me/results/d58efd54-6b1f-4490-9795-634706ad0ae2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DriveBy Activity
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/82a6847b83bf25cb582bb942735a32197bd9b7b490ce50f34c4976005f4f9bed

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::GetStartupInfoA
WIN_BASE_IO_APICan Create FilesVERSION.dll::GetFileVersionInfoSizeW
VERSION.dll::GetFileVersionInfoW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateMenu
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments