MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e77cf490e5027b35fb25df886b991f9c63f7ecbca64aff34cd599a5ad9c63fd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8e77cf490e5027b35fb25df886b991f9c63f7ecbca64aff34cd599a5ad9c63fd
SHA3-384 hash: 733c759460c33beb1ab7d5eb2738491230a43189b6260904083f03c3b2298e9450c39072d76bb4f84b139b2dc9e65d6f
SHA1 hash: fcb82785c04b3b805c58ca20d24e83c28dc73fc8
MD5 hash: 3798e6dae3df606799111b63bf54aad9
humanhash: quebec-carbon-sad-artist
File name:3798e6dae3df606799111b63bf54aad9
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:2'935'808 bytes
First seen:2023-08-14 16:40:34 UTC
Last seen:2023-08-24 15:48:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a463a2c6c08e7ffc59f3680d77294ba6 (1 x Rhadamanthys)
ssdeep 49152:8LlbRy6IhvK/V31U38RFhNFPZrzRFYErhMf0fGPj3j:8ZbRy6IhvK/rU38RFhLPZrzROEtMdjj
Threatray 175 similar samples on MalwareBazaar
TLSH T168D53271B3E19AADC241EA3126765B004D165F5E3F3C470D3F4F753A1EBAE0A208A95B
TrID 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
24.6% (.EXE) Win64 Executable (generic) (10523/12/4)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4505/5/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon 8e32331717178ecc (1 x Rhadamanthys)
Reporter zbetcheckin
Tags:32 exe Rhadamanthys

Intelligence

File Origin
# of uploads :
4
# of downloads :
370
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
6523.exe
Verdict:
Malicious activity
Analysis date:
2023-08-14 14:43:06 UTC
Tags:
loader smoke trojan stealer redline vidar ransomware stop arkei fabookie
Link:
https://app.any.run/tasks/4604be5e-c7ef-4322-91c8-9636659b9840

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/442688/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.14138.312.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/102851/overview
Behaviour
MalwareBazaar
MeasuringTime
AntidebugCommonApi
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/64da591e2a1db2a88acf4505/reports/c43be014-ba1c-4422-bfea-7de2c3c3ab40/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/8e77cf490e5027b35fb25df886b991f9c63f7ecbca64aff34cd599a5ad9c63fd
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a181d42d-b3fa-4e3d-be3a-8a111e53edc7
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1291082
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found API chain indicative of debugger detection
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8e77cf490e5027b35fb25df886b991f9c63f7ecbca64aff34cd599a5ad9c63fd/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-08-14 04:40:14 UTC
File Type:
PE (Exe)
Extracted files:
87
AV detection:
20 of 24 (83.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rz346siokat3gx5slx4inomr7hdd67wlzjsk742m2wm2llm4mp6q._file
Verdict:
unknown
Similar samples:
0dd1d1a74f49a15f9b7dcfc7890060807198b74b835cb17f60886a0f2c9c1376
Rhadamanthys
1cc4fab54263dfa842c80a72b78a9c223894264b9b4f25263d8fdc2f69def8a1
Rhadamanthys
28ca1fe12d85075d947b1bc3292c14cba784ed1e22287e56819d9a1d86b2f7e4
Rhadamanthys
3e924b372c019c41e9995a276ce5c1b1487d14ceb9fbc8d606a09a83df5989b8
Rhadamanthys
7fa868c908374d9a48101bf8ed26b2f2c762773594106f176bd4ca279a91932c
Rhadamanthys
bf71631457bec8633d10c816bfa914ef51bee4acda9a37c2613697976a21decb
Rhadamanthys
d99fdee30a323b0ed4cfbd9c4661530f45b368f829869604fb9a83debfff7a32
Rhadamanthys
daff7ba0e08e663f81f9b13a759221cb626b0e5cf45a6b17bb4d65663023cf78
Rhadamanthys
f842837f9f2f4794a3e909771825541f207304a5148cc630812be2ae71253d1b
Rhadamanthys
ff3949d2a8e0d6b08d2b8b643cdfc6a26f44352da217b4a537e9c16d96ed7198
Rhadamanthys
+ 165 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230814-t6321sfe9z/
Unpacked files
SH256 hash:
8e77cf490e5027b35fb25df886b991f9c63f7ecbca64aff34cd599a5ad9c63fd
MD5 hash:
3798e6dae3df606799111b63bf54aad9
SHA1 hash:
fcb82785c04b3b805c58ca20d24e83c28dc73fc8
Link:
https://www.unpac.me/results/43e94a65-256b-46f0-8266-2e304f3442e5/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_Debugger
Create hunting rule
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__RemoteAPI
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe 8e77cf490e5027b35fb25df886b991f9c63f7ecbca64aff34cd599a5ad9c63fd

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2704515/
Cape
Cape
https://www.capesandbox.com/analysis/442688/

Comments


Avatar
zbet commented on 2023-08-14 16:40:35 UTC

url : hxxp://193.109.85.112/ewrqqfaaa.exe