MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 893e2c4953d6feef18b3eacb533a5366e19ba274addfbca534a2fb02fd180504. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 893e2c4953d6feef18b3eacb533a5366e19ba274addfbca534a2fb02fd180504
SHA3-384 hash: 80e7f7bf7abe791a92d73625abd547fc1b0355c0f9c4f9d1d7a02df96aabdd12b28f363b956d377f57bc1523a3bec56c
SHA1 hash: 2ba8c22c03acb6c0d152187611f18614416d63f2
MD5 hash: 8dc8baf8ce9aa242806809c05bf271e4
humanhash: fish-summer-sink-minnesota
File name:file
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:7'485'944 bytes
First seen:2024-03-01 09:48:01 UTC
Last seen:2024-03-01 11:22:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 196608:dqn7ZHmlz0Z4TvgYWMkaVv/Az0Z4TvpoJ3YWMka9:dqNHmlzWGvDWMezWGvuJIWMd
TLSH T1277623686A060EBCEBF1B678EBDD432453A42D9502B799CF13D03F897937D43B996081
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 0753b1d1f33e3d0f (2 x LummaStealer, 1 x Formbook, 1 x AveMariaRAT)
Reporter Bitsight
Tags:exe Rhadamanthys


Avatar
Bitsight
url: https://vk.com/doc329118071_675432738?hash=1o8OLPx11m1Zk4DA6pclpnsPTsxA8BSW5hX73QKLdgs&dl=9FjTqIz9NODJW4noi1xMRFSf9gtPCCRZwd9MLC3gUy0&api=1&no_preview=1

Intelligence

File Origin
# of uploads :
3
# of downloads :
429
Origin country :
US US
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Win32.Malware-gen.23614.18539.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/65e1a45453c8f1aac459cae9/reports/c886236e-8f26-4617-bbfa-c95975435eda/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/893e2c4953d6feef18b3eacb533a5366e19ba274addfbca534a2fb02fd180504
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/430fba6b-9393-4ca1-b318-5ca90261de48
Result
Threat name:
PureLog Stealer, RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1401309
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Connects to many ports of the same IP (likely port scanning)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected PureLog Stealer
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1401309 Sample: file.exe Startdate: 01/03/2024 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic 2->35 37 Yara detected PureLog Stealer 2->37 39 Yara detected RHADAMANTHYS Stealer 2->39 41 5 other signatures 2->41 10 file.exe 3 2->10         started        process3 signatures4 49 Found many strings related to Crypto-Wallets (likely being stolen) 10->49 51 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 10->51 53 Writes to foreign memory regions 10->53 55 2 other signatures 10->55 13 AddInProcess32.exe 1 10->13         started        process5 process6 15 dialer.exe 13->15         started        19 WerFault.exe 2 13->19         started        21 WerFault.exe 2 13->21         started        dnsIp7 31 94.156.8.76, 4283, 443, 49710 NET1-ASBG Bulgaria 15->31 33 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 15->33 23 OpenWith.exe 15->23         started        signatures8 process9 signatures10 43 Found many strings related to Crypto-Wallets (likely being stolen) 23->43 45 Tries to harvest and steal browser information (history, passwords, etc) 23->45 47 Tries to harvest and steal Bitcoin Wallet information 23->47 26 wmplayer.exe 23->26         started        process11 signatures12 57 Writes to foreign memory regions 26->57 59 Allocates memory in foreign processes 26->59 29 dllhost.exe 26->29         started        process13
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/893e2c4953d6feef18b3eacb533a5366e19ba274addfbca534a2fb02fd180504
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/893e2c4953d6feef18b3eacb533a5366e19ba274addfbca534a2fb02fd180504/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-03-01 09:49:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
18167
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=re7cyskt237o6gft5lfvgostm3qzxituvxp3zjjuul5qf7iyauca._file
Verdict:
malicious
Result
Malware family:
zgrat
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys family:zgrat rat stealer
Link:
https://tria.ge/reports/240301-lsr4lafd24/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Detect ZGRat V1
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
ZGRat
Unpacked files
SH256 hash:
57414bd53292f02fdbba0be476a6adf3f575257e988c056c9b345f4c8bf8417a
MD5 hash:
aad3b4054e4dc26f2d6964440a395f9e
SHA1 hash:
f9e4fe4277600bb68184d2027116423ddeae829e
Link:
https://www.unpac.me/results/c67459ba-e14b-47fe-8ac6-ccccef659c70/
SH256 hash:
19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash:
4e29f75c0c51b9dec76955f0382d9541
SHA1 hash:
4899aa8e3f57339cbaec8faab777897a76fe1c3a
Link:
https://www.unpac.me/results/c67459ba-e14b-47fe-8ac6-ccccef659c70/
SH256 hash:
996525db5a9edd8733ca7eca0acfc505d1c4ea4d7706396795639b3759273dc7
MD5 hash:
a042ee2514e75b2c5f5c73b729d9c537
SHA1 hash:
42a7537234df9e090693406363dfdbc562d4a150
Link:
https://www.unpac.me/results/c67459ba-e14b-47fe-8ac6-ccccef659c70/
SH256 hash:
1fe45cffad12f97cd4826e6d93bcac1e31a01ea275d6f13b619edea295583f21
MD5 hash:
b1c0f00b79b220d89ee935c7840963c6
SHA1 hash:
2e7621b4fc118fd31720a6efc9132608e58f827c
Link:
https://www.unpac.me/results/c67459ba-e14b-47fe-8ac6-ccccef659c70/
SH256 hash:
893e2c4953d6feef18b3eacb533a5366e19ba274addfbca534a2fb02fd180504
MD5 hash:
8dc8baf8ce9aa242806809c05bf271e4
SHA1 hash:
2ba8c22c03acb6c0d152187611f18614416d63f2
Detections:
INDICATOR_EXE_Packed_Babel
Create hunting rule
Link:
https://www.unpac.me/results/c67459ba-e14b-47fe-8ac6-ccccef659c70/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/893e2c4953d6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.64
Link:
https://yomi.yoroi.company/submissions/893e2c4953d6feef18b3eacb533a5366e19ba274addfbca534a2fb02fd180504

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Babel
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Babel
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_imphash
Create hunting rule
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe 893e2c4953d6feef18b3eacb533a5366e19ba274addfbca534a2fb02fd180504

(this sample)

  
Dropped by
Privateloader
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments