MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ac559a555f8317bc1e8953c071d38a63f17929b54a0bc5589426073627c66da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8ac559a555f8317bc1e8953c071d38a63f17929b54a0bc5589426073627c66da
SHA3-384 hash: 81fc978d1bfcf411418df17a003444cf924fd0604ea755c100d548e15dad86d2ec7476a469d773594e7ea4d3d2d9e6d7
SHA1 hash: fe75921d34550955cd1ca4eb2d4cb8a7d22f6183
MD5 hash: 560024efca8e5730dc4decf2e2c252db
humanhash: glucose-alpha-eighteen-lion
File name:TSWY.ps1
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:7'441'933 bytes
First seen:2025-02-11 12:58:23 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 24576:yzGnCpwGXbfNGnsira1gtnWwTf3d0jVT491534miKB8n0x0JmIt5qan7ikN+ei49:W
Threatray 60 similar samples on MalwareBazaar
TLSH T14E7694F80C5AB181F677CA26BAAC7C55022535ABE6CE1F00C36CF5D45EEDB627A0444E
Magika powershell
Reporter JAMESWT_WT
Tags:daddychill-nl ps1 Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
IT IT
Vendor Threat Intelligence
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67ab49aff667f46cd183035c
Tags:
vmdetect virus blic
Verdict:
Suspicious
Labled as:
Dropper/PowerShell.Agent
Link:
https://www.hybrid-analysis.com/sample/8ac559a555f8317bc1e8953c071d38a63f17929b54a0bc5589426073627c66da
Result
Verdict:
UNKNOWN
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1612057
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Powershell drops PE file
Suricata IDS alerts for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1612057 Sample: TSWY.ps1 Startdate: 11/02/2025 Architecture: WINDOWS Score: 100 60 daddychill.nl 2->60 62 x.ns.gin.ntt.net 2->62 64 8 other IPs or domains 2->64 88 Suricata IDS alerts for network traffic 2->88 90 Found malware configuration 2->90 92 Malicious sample detected (through community Yara rule) 2->92 94 5 other signatures 2->94 11 powershell.exe 16 2->11         started        15 msedge.exe 16 71 2->15         started        17 svchost.exe 1 2 2->17         started        signatures3 process4 file5 58 C:\Users\user\AppData\Local\eRSg.mp3, PE32+ 11->58 dropped 104 Found many strings related to Crypto-Wallets (likely being stolen) 11->104 106 Powershell drops PE file 11->106 19 conhost.exe 11->19         started        21 conhost.exe 11->21         started        23 msedge.exe 15->23         started        25 msedge.exe 15->25         started        28 msedge.exe 15->28         started        30 msedge.exe 15->30         started        signatures6 process7 dnsIp8 32 eRSg.mp3 1 19->32         started        35 msedge.exe 23->35         started        38 msedge.exe 23->38         started        80 ssl.bingadsedgeextension-prod-europe.azurewebsites.net 94.245.104.56, 443, 49993 MICROSOFT-CORP-MSN-AS-BLOCKUS United Kingdom 25->80 process9 dnsIp10 84 Multi AV Scanner detection for dropped file 32->84 86 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 32->86 40 fontdrvhost.exe 6 32->40         started        44 WerFault.exe 2 32->44         started        66 googlehosted.l.googleusercontent.com 142.250.185.225, 443, 50002, 50003 GOOGLEUS United States 35->66 68 chrome.cloudflare-dns.com 162.159.61.3, 443, 50007, 50008 CLOUDFLARENETUS United States 35->68 70 clients2.googleusercontent.com 35->70 signatures11 process12 dnsIp13 74 daddychill.nl 202.49.176.215, 1537, 49890, 50005 HDSVDCNZ-AS-APReveraNZLimitedNZ New Zealand 40->74 76 time-a-g.nist.gov 129.6.15.28, 123, 56896 US-NATIONAL-INSTITUTE-OF-STANDARDS-AND-TECHNOLOGYUS United States 40->76 78 6 other IPs or domains 40->78 96 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 40->96 98 Tries to steal Mail credentials (via file / registry access) 40->98 100 Found many strings related to Crypto-Wallets (likely being stolen) 40->100 102 2 other signatures 40->102 46 chrome.exe 40->46         started        49 msedge.exe 14 40->49         started        51 wmprph.exe 40->51         started        signatures14 process15 dnsIp16 82 239.255.255.250 unknown Reserved 46->82 53 chrome.exe 46->53         started        56 msedge.exe 49->56         started        process17 dnsIp18 72 127.0.0.1 unknown unknown 53->72
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/8ac559a555f8317bc1e8953c071d38a63f17929b54a0bc5589426073627c66da
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8ac559a555f8317bc1e8953c071d38a63f17929b54a0bc5589426073627c66da/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rlcvtjkv7ayxxqpisu6aohjyuy7rpeu3ksqlyvmjijqhgyt4m3na._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
00b1dbb467fd9362fd4f5a3e76ef16f3b4abe4fb620e62aa00a7bdae67c0042a
Rhadamanthys
0909cf95903c9f07651f4361b8e929c53a62162f6eaaeb11b0dd70eaef2c2784
Rhadamanthys
29d3678e7aa0187318bc83bf5e6d9ca06fc0d6a858ce006b05f7f97322051ee7
Rhadamanthys
357829b06c1c185e44efa729dd8671487a43778a3be1b6f46c7956f4d4cb49e2
Rhadamanthys
51698570a9c637ec0c9bc2b3ca6acb7edf3d7804c49b8eed33e82573950877dd
Rhadamanthys
5227b0678f64770fbe06ac5afd7686f2f50d4b186b22012693ab9e87c0d2521f
Rhadamanthys
642a7f341146d4b2a5381186ec636a8e0ce7ccc16bb730be331e51d6e65f4db3
Rhadamanthys
a6e44787ce9ccbcf4b60bb74db99a6f1954b0404f42de69b7b3294a3597e2848
Rhadamanthys
error
Rhadamanthys
+ 50 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys discovery execution stealer
Link:
https://tria.ge/reports/250211-p76r3sskfy/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Executes dropped EXE
Downloads MZ/PE file
Detects Rhadamanthys payload
Rhadamanthys
Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8ac559a555f8317bc1e8953c071d38a63f17929b54a0bc5589426073627c66da

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_PatchWork_BADNEWS_20211105
Create hunting rule
Description:Detects PatchWork Group RTF or BADNEWS
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

PowerShell (PS) ps1 8ac559a555f8317bc1e8953c071d38a63f17929b54a0bc5589426073627c66da

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3436073/
  
Delivery method
Distributed via web download

Comments