MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8fdeb093bec0bc7dc01ef7f0aa61476deaaddbf42a8da2d711e21693fc3ecbd6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8fdeb093bec0bc7dc01ef7f0aa61476deaaddbf42a8da2d711e21693fc3ecbd6
SHA3-384 hash: 346d7fada8b0152f715c9552758fc5a76efbdcc2b1675b5f5ec1acb6c927970d57fc60311e9e4cecb4e3e5eddd85baa2
SHA1 hash: 2589dbf58d1b16b02405e528bc125f48aa643ddc
MD5 hash: dff334fa8d2c701dba4139875f14c9ff
humanhash: sodium-east-robert-oven
File name:file
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:6'094'752 bytes
First seen:2023-12-21 16:13:38 UTC
Last seen:2023-12-21 18:19:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a2b52377798765a91e307d887f9408b3 (1 x Rhadamanthys)
ssdeep 98304:XmQNg/7b+DOWjg5/3xxVAjls6CIcvA/ArCvxU3qthfzJ6FKLN+VzaN44KNPn83Cp:Xev+FkYJCjvWAKmIfzeKL8aNGNPn83Cp
TLSH T165562318AE8C351AE13A24759A23BD3CB07B6F7B56225E04B5BC53D7AFB24484433277
TrID 32.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
20.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon e4f0ebcaf4bcf0d8 (1 x Rhadamanthys)
Reporter andretavare5
Tags:exe Rhadamanthys signed

Code Signing Certificate

Organisation:ActiveReports RDF document API
Issuer:ActiveReports RDF document API
Algorithm:sha512WithRSAEncryption
Valid from:2023-12-10T16:06:41Z
Valid to:2025-09-10T00:00:00Z
Serial number: 676e20ee07fcc949aa7e957832b7bdab
Intelligence: 18 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 334dae18975b4bd4fb9969b2082c4c0f9d126fc484719de39784369c960524cb
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from http://62.84.96.105/brg.exe

Intelligence

File Origin
# of uploads :
9
# of downloads :
320
Origin country :
US US
Vendor Threat Intelligence
Malware family:
stop
Create hunting rule
ID:
1
File name:
https://akaktif.com/server/release.rar
Verdict:
Malicious activity
Analysis date:
2023-12-21 23:22:07 UTC
Tags:
evasion loader qrcode risepro stealc stealer ransomware stop redline
Link:
https://app.any.run/tasks/3b2a7825-0535-4e04-a610-462b80b9321c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/468818/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.1741.6202.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
89%
Tags:
overlay packed packed
Link:
https://www.filescan.io/uploads/6584644df4b6e5e163538cf0/reports/abad64a9-2ccd-48a0-8ed8-60206637256a/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/8fdeb093bec0bc7dc01ef7f0aa61476deaaddbf42a8da2d711e21693fc3ecbd6
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c8918308-c746-4614-a7fd-67fd153ba54b
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1365662
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Detected VMProtect packer
Found many strings related to Crypto-Wallets (likely being stolen)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8fdeb093bec0bc7dc01ef7f0aa61476deaaddbf42a8da2d711e21693fc3ecbd6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8fdeb093bec0bc7dc01ef7f0aa61476deaaddbf42a8da2d711e21693fc3ecbd6/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Malicious
First seen:
2023-12-21 15:31:55 UTC
File Type:
PE (Exe)
Extracted files:
30
AV detection:
6 of 37 (16.22%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r7plbe56yc6h3qa667ykuykhnxvk3w7ufkg2fvyr4iljh7b6zpla._file
Verdict:
suspicious
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys stealer vmprotect
Link:
https://tria.ge/reports/231221-tpmnpsbahm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
VMProtect packed file
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
d4d25776ea0683ac75a04d173e7072d5287436ffef850f0336f7dac13efaee0d
MD5 hash:
3c58bf95adf96ddb3a006f3fd42ea3de
SHA1 hash:
df799a2d9534f4230aa010eb28108605378de830
Detections:
INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Link:
https://www.unpac.me/results/dee14f4a-2465-4b86-a302-f672943511f5/
SH256 hash:
8fdeb093bec0bc7dc01ef7f0aa61476deaaddbf42a8da2d711e21693fc3ecbd6
MD5 hash:
dff334fa8d2c701dba4139875f14c9ff
SHA1 hash:
2589dbf58d1b16b02405e528bc125f48aa643ddc
Detections:
INDICATOR_EXE_Packed_VMProtect
Create hunting rule
Link:
https://www.unpac.me/results/dee14f4a-2465-4b86-a302-f672943511f5/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8fdeb093bec0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8fdeb093bec0bc7dc01ef7f0aa61476deaaddbf42a8da2d711e21693fc3ecbd6

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/468818/
  
URLhaus
https://urlhaus.abuse.ch/url/2743105/

Comments