MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8de3d851efc7e0d42da0ecbc656ab93362595101d30b36ce36b7d698cdd99cd0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8de3d851efc7e0d42da0ecbc656ab93362595101d30b36ce36b7d698cdd99cd0
SHA3-384 hash: d7fe57b15e3afca5a439e748a38c17ade8d45e74cff712c8a51b67c06c3d6d542f556cd031aff3c2a9c5de38ac8bcfb4
SHA1 hash: db39be662ffcbaad7a874bbe03c9c32d6455cbaf
MD5 hash: 1f58d6a4690fd06dcbf2215f4f4dae7b
humanhash: xray-hamper-football-nebraska
File name:loader.ps1
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:399 bytes
First seen:2024-12-04 12:46:15 UTC
Last seen:2024-12-04 12:46:47 UTC
File type:Batch (bat) bat
MIME type:text/x-msdos-batch
ssdeep 12:0G81kTQJrDheJSylFt1M40WFxF52JrDheb9lsiwP:0G4ml2kzDyA9ljy
TLSH T1DEE0C06202B8A305CD308038E3F22F83F247B3878043BB925105B58CA59D04F7AEC401
Magika txt
Reporter JAMESWT_WT
Tags:95-169-201-100 bat Compilazioneprotetticopyright ps1 Rhadamanthys

Intelligence

File Origin
# of uploads :
2
# of downloads :
113
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
asyncrat
Create hunting rule
ID:
1
File name:
Documenti relativi alla violazione dei diritti di proprietà intellettuale.lnk
Verdict:
Malicious activity
Analysis date:
2024-12-04 12:41:44 UTC
Tags:
loader rhadamanthys stealer rat asyncrat remote
Link:
https://app.any.run/tasks/a558bfcd-9d18-465e-a78a-a8bd10c4f8ac

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Heur.BZC.ONG.Boxter.371.5694AF26.15241.21804.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=675051b312e85e185e75a94a
Tags:
gumen shell agent sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Сreating synchronization primitives
Connection attempt
Sending an HTTP GET request
Creating a file in the %temp% directory
Creating a process from a recently created file
Searching for the window
Launching the default Windows debugger (dwwin.exe)
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
dropper evasive fingerprint kiosk masquerade packed powershell
Link:
https://www.filescan.io/uploads/67504f49e17bdb6c4d96be74/reports/d8159b4f-5b0c-4925-8293-5b20e5d768ae/overview
Verdict:
Malicious
Labled as:
BZC.PZQ.Boxter.928
Link:
https://www.hybrid-analysis.com/sample/8de3d851efc7e0d42da0ecbc656ab93362595101d30b36ce36b7d698cdd99cd0
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1568257
Signature
AI detected suspicious sample
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Connects to many ports of the same IP (likely port scanning)
Drops large PE files
Found malware configuration
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Powershell drops PE file
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1568257 Sample: loader.ps1.bat Startdate: 04/12/2024 Architecture: WINDOWS Score: 100 76 Suricata IDS alerts for network traffic 2->76 78 Found malware configuration 2->78 80 Antivirus detection for URL or domain 2->80 82 6 other signatures 2->82 11 cmd.exe 1 2->11         started        14 msedge.exe 113 376 2->14         started        17 svchost.exe 1 2 2->17         started        process3 dnsIp4 96 Suspicious powershell command line found 11->96 19 powershell.exe 14 31 11->19         started        24 conhost.exe 11->24         started        68 192.168.2.8, 18960, 443, 49704 unknown unknown 14->68 70 192.168.2.4 unknown unknown 14->70 72 239.255.255.250 unknown Reserved 14->72 26 msedge.exe 14->26         started        28 msedge.exe 14->28         started        30 msedge.exe 14->30         started        32 2 other processes 14->32 74 127.0.0.1 unknown unknown 17->74 signatures5 process6 dnsIp7 58 95.169.201.100, 18960, 49706 GOBULNETBG Bulgaria 19->58 56 C:\Users\user\...\123123213123123321132.exe, PE32 19->56 dropped 92 Loading BitLocker PowerShell Module 19->92 94 Powershell drops PE file 19->94 34 123123213123123321132.exe 19->34         started        38 msedge.exe 11 19->38         started        60 13.107.246.40, 443, 49741, 49742 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 26->60 62 b-0005.b-dc-msedge.net 13.107.9.158, 443, 49709, 49710 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 26->62 64 10 other IPs or domains 26->64 file8 signatures9 process10 file11 54 C:\Users\user\Videos\...\DiskTuner.exe, PE32 34->54 dropped 84 Multi AV Scanner detection for dropped file 34->84 86 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 34->86 88 Drops large PE files 34->88 90 2 other signatures 34->90 40 123123213123123321132.exe 34->40         started        42 msedge.exe 38->42         started        signatures12 process13 process14 44 fontdrvhost.exe 40->44         started        48 WerFault.exe 40->48         started        dnsIp15 66 104.37.175.232, 49755, 7716 MAJESTIC-HOSTING-01US United States 44->66 98 Switches to a custom stack to bypass stack traces 44->98 50 fontdrvhost.exe 44->50         started        signatures16 process17 process18 52 WerFault.exe 50->52         started       
Score:
0%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/8de3d851efc7e0d42da0ecbc656ab93362595101d30b36ce36b7d698cdd99cd0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8de3d851efc7e0d42da0ecbc656ab93362595101d30b36ce36b7d698cdd99cd0/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rxr5quppy7qnilna5s6gk2vzgnrfsuib2mftntrww7ljrtozttia._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery execution persistence
Link:
https://tria.ge/reports/241204-p32ybswkcv/
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Program crash
System Location Discovery: System Language Discovery
Adds Run key to start application
Executes dropped EXE
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
Suspicious use of NtCreateUserProcessOtherParentProcess
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8de3d851efc7e0d42da0ecbc656ab93362595101d30b36ce36b7d698cdd99cd0

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Batch (bat) bat 8de3d851efc7e0d42da0ecbc656ab93362595101d30b36ce36b7d698cdd99cd0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3319746/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3319807/

Comments