MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 15



SHA256 hash: 8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f
SHA3-384 hash: 1001a7c14e7fdfeb4b85013b8bfab0ee121c91663c0636c245db9d9b019d6fbc56a9c00f63a40173f227db473a8aae8f
SHA1 hash: 19f6a799b4777acf208926cee4913c0a889db72e
MD5 hash: 89fe28686a81b90bf1f46b6d46251ce4
humanhash: romeo-lamp-music-illinois
File name: SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080
Signature: Rhadamanthys
File size: 525'312 bytes
First seen: 2023-09-16 09:37:56 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'737 x AgentTesla, 19'596 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 12288:pX5JC7oT39ra0hI1iGKsHJwUJ10qx6qhE12:pLC7mtThIcGNSS1VY31
Threatray: 366 similar samples on MalwareBazaar
TLSH: T1F5B41247BB3BC6B0C284C77AD5EB50C84B55DA8177A3DB29A9CA132517433FA880E54F
TrID:
  71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
  10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
  6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
  2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter: SecuriteInfoCom
Tags: exe Rhadamanthys

Intelligence


File Origin
# of uploads: 1
# of downloads: 313
Origin country: FR

Vendor Threat Intelligence
Malware family:
ID: 1
File name: SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080
Verdict: Malicious activity
Analysis date: 2023-09-16 09:39:08 UTC
Tags: rhadamanthys stealer loader ransomware smoke

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Phobos, RHADAMANTHYS, SmokeLoader, Xmrig
Detection: malicious
Classification: rans.spre.troj.adwa.spyw.evad.mine
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates autostart registry keys with suspicious names
Creates files in the recycle bin to hide itself
Creates files inside the volume driver (system volume information)
Creates processes via WMI
Deletes itself after installation
Deletes shadow drive data (may be related to ransomware)
Deletes the backup plan of Windows
Detected Stratum mining protocol
Drops PE files to the startup folder
Found evasive API chain (may stop execution after checking locale)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Infects executable files (exe, dll, sys, html)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May disable shadow drive data (uses vssadmin)
Modifies the context of a thread in another process (thread injection)
Modifies the windows firewall
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sigma detected: Delete shadow copy via WMIC
Sigma detected: Xmrig
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses bcdedit to modify the Windows boot settings
Uses netsh to modify the Windows network and firewall settings
Writes many files with high entropy
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Phobos
Yara detected RHADAMANTHYS Stealer
Yara detected SmokeLoader
Yara detected Xmrig cryptocurrency miner
Yara detected zgRAT
Behaviour
Behavior Graph ID: 1309408
Sample: SecuriteInfo.com.Heur.MSIL....
Startdate: 16/09/2023
Architecture: WINDOWS
Score: 100

The graph image itself was not preserved. The process tree, network contacts, dropped files and per-process signatures recovered from its labels are listed below.

Root (sample start)
  Network: tse1.mm.bing.net
  Signatures: Sigma detected: Xmrig; Multi AV Scanner detection for domain / URL; Found malware configuration; 18 other signatures
  Started: Y-eLp.exe; nij.exe; SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe; 4 other processes

Y-eLp.exe
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 3 other signatures
  Started: Y-eLp.exe (two instances); one of them re-launches Y-eLp.exe in a chain of four further stages
  Final Y-eLp.exe stage of that chain
    Dropped: SplashScreen.bmp.i...rexsdata.pro].8base (DOS); eula.rtf.id[B88685...rexsdata.pro].8base (COM); SetupResources.dll...rexsdata.pro].8base (COM); 96 other malicious files
    Signatures: Creates files in the recycle bin to hide itself; Creates autostart registry keys with suspicious names; Tries to harvest and steal browser information (history, passwords, etc); Infects executable files (exe, dll, sys, html)
    Started: cmd.exe (two instances)
      cmd.exe
        Signatures: May disable shadow drive data (uses vssadmin); Deletes shadow drive data (may be related to ransomware); Uses netsh to modify the Windows network and firewall settings; 3 other signatures
        Started: vssadmin.exe (Deletes shadow drive data (may be related to ransomware)); conhost.exe; WMIC.exe; 3 other processes
      cmd.exe
        Started: conhost.exe; netsh.exe; netsh.exe

nij.exe
  Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; 2 other signatures
  Started: aspnet_compiler.exe
    Network: 141.98.6.38 (ports 39001, 49724, 49725; CMCSUS, Germany; Detected Stratum mining protocol); transfer.sh 144.76.136.153 (ports 443, 49727; HETZNER-ASDE, Germany); 192.168.2.1 (unknown)
    Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Found strings related to Crypto-Mining; 3 other signatures
    Started: AddInProcess.exe (three instances)
      AddInProcess.exe
        Network: rx-us-east.unminable.com 165.227.182.82 (ports 3333, 49740; DIGITALOCEAN-ASNUS, United States); rx.unmineable.com; 2 other IPs or domains
        Signatures: Query firmware table information (likely to detect VMs)

SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe
  Signatures: Performs DNS queries to domains with low reputation
  Started: SecuriteInfo.com.Heur.MSIL.Androm.1.11946.26080.exe
    Network: amxt25.xyz 45.131.66.61 (ports 49710, 49718, 49723; LOVESERVERSGB, Germany)
    Started: certreq.exe
      Network: amxt25.xyz
      Dropped: C:\Users\user\AppData\Local\...\nij.exe (PE32+); C:\Users\user\AppData\Local\...\Y-eLp.exe (PE32); C:\Users\user\AppData\Local\...\0hQ.exe (PE32)
      Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Performs DNS queries to domains with low reputation; 6 other signatures
      Started: conhost.exe

4 other processes
  Signatures: Creates files inside the volume driver (system volume information)
  Started: 0hQ.exe
    Signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration)
    Injected: explorer.exe
      Started: Y-eLp.exe (three instances); one of them is flagged Multi AV Scanner detection for dropped file and starts a further Y-eLp.exe
Threat name: ByteCode-MSIL.Spyware.Rhadamanthys
Status: Malicious
First seen: 2023-09-16 09:38:06 UTC
File Type: PE (.Net Exe)
Extracted files: 3
AV detection: 14 of 23 (60.87%)
Threat level: 2/5

Result
Malware family:
Score: 10/10
Tags: family:ammyyadmin family:flawedammyy family:phobos family:rhadamanthys family:smokeloader family:xmrig backdoor bootkit collection evasion miner persistence ransomware rat spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Interacts with shadow copies
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: LoadsDriver
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in Program Files directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Drops desktop.ini file(s)
Writes to the Master Boot Record (MBR)
Checks computer location settings
Deletes itself
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Deletes backup catalog
Downloads MZ/PE file
Modifies Windows Firewall
Deletes shadow copies
Modifies boot configuration data using bcdedit
Renames multiple (312) files with added filename extension
Renames multiple (67) files with added filename extension
XMRig Miner payload
Ammyy Admin
AmmyyAdmin payload
Detect rhadamanthys stealer shellcode
FlawedAmmyy RAT
Phobos
Rhadamanthys
SmokeLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
xmrig
Malware Config
C2 Extraction:
http://serverxlogs21.xyz/statweb255/
http://servxblog79.xyz/statweb255/
http://demblog289.xyz/statweb255/
http://admlogs77x.online/statweb255/
http://blogxstat38.xyz/statweb255/
http://blogxstat25.xyz/statweb255/

Unpacked files
SHA256 hash: 04afe6cc011ceb6a1d36d169f3a8c9934e5b3c462911c7f50948b59bc70fdfae
MD5 hash: 67f223f37449539eb665d1bf5e58c215
SHA1 hash: de8343ad96aeafe1b9c956b523699e33fb5f5a61

SHA256 hash: 868085c9a85c8bd82667c41ebaca6f218edf752ba84f864aed9ce583ff4884da
MD5 hash: 8b82f38d5787e2d83b2a58201e106158
SHA1 hash: d424f9864caab1a0c59c71f396bfef6a891c4ea8

SHA256 hash: 17397790354ec04682dfeffb80a65bb051e2007d796a849ae7a6b8235196473b
MD5 hash: 24d9d13c5ad43fbaf44dad8de2fcc492
SHA1 hash: 9b60d998843736e459730e176654a535ef45b730

SHA256 hash: 81a81e2130d99e22630fdb30f6637f95b0a896ab996f24a312c2edd862dc4d38
MD5 hash: c8f84c0e39916d7bf839f9296e04ed9b
SHA1 hash: 0e877b7a25499829527e26f263feadcdd7424a82
Detections: RhadamanthysLoader win_brute_ratel_c4_w0

SHA256 hash: 8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f
MD5 hash: 89fe28686a81b90bf1f46b6d46251ce4
SHA1 hash: 19f6a799b4777acf208926cee4913c0a889db72e
Malware family: SmokeLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: BruteSyscallHashes
Author: Embee_Research @ Huntress

Rule name: Check_OutputDebugStringA_iat

Rule name: NET
Author: malware-lu

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: win_bruteratel_syscall_hashes_oct_2022
Author: Embee_Research @ Huntress
Description: Detection of Brute Ratel Badger via api hashes of Nt* functions.

Rule name: win_brute_ratel_c4_w0
Author: Embee_Research @ Huntress

Rule name: win_Brute_Syscall_Hashes
Author: Embee_Research @ Huntress
Description: Detection of Brute Ratel Badger via api hashes of Nt* functions.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (Distributed via web download)
Signature: Rhadamanthys
File: Executable exe, SHA256 8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f (this sample)
