MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82fe62a041eead15f00cc550b88d5e7bea2e8c1b218a931350a97687cc91225e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	82fe62a041eead15f00cc550b88d5e7bea2e8c1b218a931350a97687cc91225e
SHA3-384 hash:	9428e7cc27817d707253f4ae724f66bcc57bceef1429f7f4803bf92cbdaf04cdc68cfc6dc005d742ea5933e658dc9428
SHA1 hash:	c6d99445feb44156696b6ea852b42271eaa0c2ea
MD5 hash:	c9278696675d3ea851b08bf258e6d323
humanhash:	oven-lima-leopard-cold
File name:	setup.exe
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	367'616 bytes
First seen:	2023-03-17 15:36:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6e76b494f1a9946f83b6b72033f310be (7 x Smoke Loader, 4 x Rhadamanthys, 4 x RedLineStealer)
ssdeep	6144:pbJ7LoRRC9a4LruQyjhqdIG8j/sGqYJz+LCRBfx21QcVxn3tu:ZJ7kR+a4vMH/SuEJVDu
Threatray	279 similar samples on MalwareBazaar
TLSH	T117745C0392A17C49F9264B729E1FD2E8771EF6D28E89776532189E1F04F2172D263F90
TrID	37.3% (.EXE) Win64 Executable (generic) (10523/12/4) 17.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 16.0% (.EXE) Win32 Executable (generic) (4505/5/1) 7.3% (.ICL) Windows Icons Library (generic) (2059/9) 7.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):
dhash icon	26274a2212220b14 (1 x Rhadamanthys)
Reporter	Chainskilabs
Tags:	exe Rhadamanthys

Intelligence

File Origin

# of uploads :

# of downloads :

225

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

setup.exe

Verdict:

Malicious activity

Analysis date:

2023-03-17 15:37:02 UTC

Tags:

rhadamanthys

Link:

https://app.any.run/tasks/1d3f69fe-1497-4285-9549-c5b3224b942e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Rhadamanthys

Link:

https://www.capesandbox.com/analysis/375145/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Detecting VM

Sending an HTTP GET request

Launching a process

Launching the default Windows debugger (dwwin.exe)

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/73615/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

CPUID_Instruction

EvasionGetTickCount

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

gandcrab gozi greyware lockbit packed

Link:

https://www.filescan.io/uploads/6414891ec65d1ebf04c10ca5/reports/e01dd81e-f18c-42cd-b8e8-40c52504a696/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/82fe62a041eead15f00cc550b88d5e7bea2e8c1b218a931350a97687cc91225e

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6cddd875-c255-44cf-8ab3-71a12ca3ae12

Result

Threat name:

RHADAMANTHYS

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1195995

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Checks if the current machine is a virtual machine (disk enumeration)

Creates processes via WMI

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Early bird code injection technique detected

Found many strings related to Crypto-Wallets (likely being stolen)

Found potential ransomware demand text

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Queues an APC in another process (thread injection)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/82fe62a041eead15f00cc550b88d5e7bea2e8c1b218a931350a97687cc91225e/

Threat name:

Win32.Spyware.Rhadamanthys

Status:

Malicious

First seen:

2023-03-17 15:37:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ql7gficb52wrl4amyvilrdk6ppvc5da3egfjge2qvf3ipterejpa._file

Verdict:

malicious

Rhadamanthys

2473d2451cb6e066df31a2457c700cd9e0b1585db96716c981b3f34deffdfd26

Rhadamanthys

2a47c2d84f330efa04265b34e7dc1fd149954c5f1110c6896414f313b7ce17a2

Rhadamanthys

4532489becbdf07bc0a932486ab95b497113f5600c7646b635eaea9bcfa430cd

Rhadamanthys

4a032ce9dfb9bb82989ea0eb406deeae00778e3aef234b67a64ee713c7e7dba9

Rhadamanthys

6c89be96a021e75087a7f43cf5cd05293e1d3428c3a051f970cac9ce9895e555

Rhadamanthys

7208178bb02eab02073ace2c7a3a7be128e1eb168d8d710367e60f1abf3eac2c

Rhadamanthys

7e4dac07d2696331da92d33b3b8d888dbd60272845ebc7889ace9709d6cda45a

Rhadamanthys

a8b8116afae21d9c0edaf717611b611b78d0a097c303bfbe596ec4ead69897fe

Rhadamanthys

+ 269 additional samples on MalwareBazaar

Result

Malware family:

rhadamanthys

Score:

10/10

Tags:

family:rhadamanthys evasion stealer

Link:

https://tria.ge/reports/230317-s2f61sgh65/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Checks for VirtualBox DLLs, possible anti-VM trick

Checks system information in the registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks BIOS information in registry

Looks for VMWare Tools registry key

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Detect rhadamanthys stealer shellcode

Rhadamanthys

Unpacked files

SH256 hash:

8f587ff1d28f265508527a9bd1fa742426c4c6f994187bc7c78631e0f4488e1d

MD5 hash:

5b6cb2e6bc1c5e2d1a7f2b332ea87ffc

SHA1 hash:

269705a65f9c605048281a620c5c374988d2a7af

Link:

https://www.unpac.me/results/c9e2cf36-15a3-4874-9022-13eb8de2efa5/

SH256 hash:

82fe62a041eead15f00cc550b88d5e7bea2e8c1b218a931350a97687cc91225e

MD5 hash:

c9278696675d3ea851b08bf258e6d323

SHA1 hash:

c6d99445feb44156696b6ea852b42271eaa0c2ea

Link:

https://www.unpac.me/results/c9e2cf36-15a3-4874-9022-13eb8de2efa5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/82fe62a041eead15f00cc550b88d5e7bea2e8c1b218a931350a97687cc91225e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.