MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 908ca27ec447937b2f97fd4053a8fea99f45bc7e2eb028152f2301c97f952acf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 908ca27ec447937b2f97fd4053a8fea99f45bc7e2eb028152f2301c97f952acf
SHA3-384 hash: 7c3f27253b59d7672a9f2c05cc0fdb484ba8c197e48e72b04cd00a5bfd3ae60461bfd53ae50ab573f8d32dc19add74eb
SHA1 hash: 97f716142447128859561a75e4677f978aca7fad
MD5 hash: d92c49ca712a0503de3e182f66e3dcba
humanhash: papa-oven-robin-snake
File name:ChromeSetup
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:143'398 bytes
First seen:2024-03-08 14:33:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ba072a972fe6c47c8cf7a0347bb0af7a (3 x Rhadamanthys, 1 x GuLoader, 1 x RemcosRAT)
ssdeep 768:p+/unhi1zOzZ+/unhi1zOzpBG3uJ1zxTg+/unhi1zOzxM+/unhi1zOz:pti5OzZti5OzpB91tgti5Ozati5Oz
TLSH T1A4E37A327EDA17A9F65190BC1E410BCD3A1A5E96768F4F7B2507BCA1C039CE52C9B780
TrID 37.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
20.0% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
12.7% (.EXE) Win64 Executable (generic) (10523/12/4)
7.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon e9d5f0d5ddd5dde9 (3 x ParallaxRAT, 3 x Rhadamanthys, 1 x CoinMiner)
Reporter rmceoin
Tags:exe


Avatar
rmceoin
eu-pledge.eu/update/ (fake browser update)
->
eu-pledge.eu/update/ChromeSetup.url (URL)
->
file:\\91.92.250.150@80\Downloads\ChromeSetup.exe.lnk (LNK)
->
http://89.23.98.210/ChromeSetup (HTA)
->
eu-pledge.eu/update/ChromeSetup.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
330
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
908ca27ec447937b2f97fd4053a8fea99f45bc7e2eb028152f2301c97f952acf.exe
Verdict:
Suspicious activity
Analysis date:
2024-03-08 14:40:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/87d115c2-6e21-4b2d-8086-ba67bf4bf80a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching a process
Creating a window
Modifying a system executable file
Searching for the window
Launching a service
Сreating synchronization primitives
Searching for synchronization primitives
Verdict:
No Threat
Threat level:
  2.5/10
Confidence:
100%
Tags:
anti-vm lolbin overlay shell32
Link:
https://www.filescan.io/uploads/65eb21db757c624818a68b75/reports/34089b8e-bf16-4d36-99df-d3439af535dd/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/908ca27ec447937b2f97fd4053a8fea99f45bc7e2eb028152f2301c97f952acf
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/dccdffac-1973-4e6c-9a66-b9f79d477c0f
Result
Threat name:
n/a
Detection:
clean
Classification:
n/a
Score:
4 / 100
Link:
https://www.joesandbox.com/analysis/1405434
Behaviour
Behavior Graph:
n/a
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/908ca27ec447937b2f97fd4053a8fea99f45bc7e2eb028152f2301c97f952acf
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/908ca27ec447937b2f97fd4053a8fea99f45bc7e2eb028152f2301c97f952acf/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=scgke7wei6jxwl4x7vafhkh6vgpulpd6f2ycqfjpema4s74vflhq._file
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/240308-rxexqahd94/
Behaviour
Modifies registry class
Suspicious use of SetWindowsHookEx
Unpacked files
SH256 hash:
908ca27ec447937b2f97fd4053a8fea99f45bc7e2eb028152f2301c97f952acf
MD5 hash:
d92c49ca712a0503de3e182f66e3dcba
SHA1 hash:
97f716142447128859561a75e4677f978aca7fad
Link:
https://www.unpac.me/results/d5e58d77-8d59-4493-a56a-3e77b0337a3d/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:QbotStuff
Create hunting rule
Author:anonymous

File information

The table below shows additional information about this malware sample such as delivery method and external references.

e5c44b0338c36ae76e5d99f19bef5495e736a1f628898a5606e2092272b73d07

Rhadamanthys

Shortcut (lnk) lnk d740d3c26404ee20b5d4b9863c9fb4d402518c2a5c752e5a6c79ff060981b3f3

Rhadamanthys

Executable exe 908ca27ec447937b2f97fd4053a8fea99f45bc7e2eb028152f2301c97f952acf

(this sample)

Rhadamanthys

Executable exe 9e495b41518154b5c5cb3fff866aa26c894adf164b2639f05ba23bb5e75be5ef

  
Dropped by
SHA256 d740d3c26404ee20b5d4b9863c9fb4d402518c2a5c752e5a6c79ff060981b3f3
  
Dropping
SHA256 9e495b41518154b5c5cb3fff866aa26c894adf164b2639f05ba23bb5e75be5ef
  
Dropping
MD5 2366f34130db5f39d0d5255782974392
  
Dropped by
MD5 25dcb3a32c4d9c4c7876ff0c8581f7c2

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
api-ms-win-core-processthreads-l1-1-0.dll::GetStartupInfoW

Comments