MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 911c9969dfd1e3f89fc0078e539f8fd12f751a84efef74f506a301cba2b9010b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 911c9969dfd1e3f89fc0078e539f8fd12f751a84efef74f506a301cba2b9010b
SHA3-384 hash: 6fa4bfe95b09435a99d1141847efe34ce1df320c366132643a300239d1e39d7eae7758ef2340736b170c5aaf8a318a29
SHA1 hash: f20077c422d3de10c0b198d4ed7e0e4ef9dedd9c
MD5 hash: 2b3033eb3cf9e02a32a990eb327b68d4
humanhash: item-fillet-finch-low
File name:TradingView_premium.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:1'720'321 bytes
First seen:2023-01-21 21:01:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 24576:JmAnMI0lHw8RNFwgsHQTv8+qMOBgyGWTAB:JmYA18gsHWnyGWTAB
Threatray 981 similar samples on MalwareBazaar
TLSH T18685188031A84849F17F0B7582735DE61B757F4BAAADDA1E0C9275CE20F37018927B6B
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter Chainskilabs
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
322
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/355446/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Creating a file
Сreating synchronization primitives
Sending an HTTP GET request
Creating a file in the %AppData% directory
Deleting a recently created file
Reading critical registry keys
Creating a file in the %temp% directory
Using the Windows Management Instrumentation requests
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Launching the default Windows debugger (dwwin.exe)
Forced system process termination
Running batch commands
Creating a process with a hidden window
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm fingerprint overlay stealer
Link:
https://www.filescan.io/uploads/63cc52cd2d4f6d560e22434d/reports/61b8706d-e663-4af5-85a3-1128422efa31/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/1c22e684-56bf-4acb-9a3e-dc15dfa6f2d1
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1156299
Signature
.NET source code contains very large array initializations
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contain functionality to detect virtual machines
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to hide a thread from the debugger
Contains functionality to hide user accounts
Creates processes via WMI
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Searches for specific processes (likely to inject)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected RHADAMANTHYS Stealer
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 789031 Sample: TradingView_premium.exe Startdate: 21/01/2023 Architecture: WINDOWS Score: 100 62 Snort IDS alert for network traffic 2->62 64 Multi AV Scanner detection for domain / URL 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 10 other signatures 2->68 8 TradingView_premium.exe 3 2->8         started        12 WmiPrvSE.exe 2->12         started        14 JTKvijqoGC.exe 1 2->14         started        process3 dnsIp4 48 C:\Users\user\...\TradingView_premium.exe.log, CSV 8->48 dropped 86 Writes to foreign memory regions 8->86 88 Injects a PE file into a foreign processes 8->88 17 InstallUtil.exe 1 8->17         started        22 4339.tmp.exe 2 12->22         started        24 2204.tmp.exe 12->24         started        60 45.159.189.105, 49801, 80 HOSTING-SOLUTIONSUS Netherlands 14->60 90 Antivirus detection for dropped file 14->90 file5 signatures6 process7 dnsIp8 54 62.233.51.95, 49726, 49741, 49760 DivisionWRSBE unknown 17->54 44 C:\Users\user\AppData\...\nsis_uns5a97b6.dll, PE32+ 17->44 dropped 70 Found evasive API chain (may stop execution after checking system information) 17->70 72 Contains functionality to detect virtual machines (IN, VMware) 17->72 74 Found API chain indicative of debugger detection 17->74 84 4 other signatures 17->84 26 rundll32.exe 4 17->26         started        46 C:\Users\user\AppData\...\JTKvijqoGC.exe, PE32 22->46 dropped 76 Antivirus detection for dropped file 22->76 78 Multi AV Scanner detection for dropped file 22->78 80 Machine Learning detection for dropped file 22->80 30 cmd.exe 1 22->30         started        56 youtube-ui.l.google.com 172.217.168.46, 443, 49767 GOOGLEUS United States 24->56 58 www.youtube.com 24->58 82 Tries to harvest and steal browser information (history, passwords, etc) 24->82 32 cmd.exe 1 24->32         started        file9 signatures10 process11 file12 50 C:\Users\user\AppData\Local\...\4339.tmp.exe, PE32 26->50 dropped 52 C:\Users\user\AppData\Local\...\2204.tmp.exe, PE32+ 26->52 dropped 92 System process connects to network (likely due to code injection or exploit) 26->92 94 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 26->94 96 Tries to steal Mail credentials (via file / registry access) 26->96 100 3 other signatures 26->100 34 WerFault.exe 26->34         started        98 Uses schtasks.exe or at.exe to add and modify task schedules 30->98 36 conhost.exe 30->36         started        38 schtasks.exe 1 30->38         started        40 conhost.exe 32->40         started        42 choice.exe 1 32->42         started        signatures13 process14
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/911c9969dfd1e3f89fc0078e539f8fd12f751a84efef74f506a301cba2b9010b/
Threat name:
ByteCode-MSIL.Infostealer.Rhadamanthus
Create hunting rule
Status:
Malicious
First seen:
2023-01-21 21:02:10 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
43
AV detection:
10 of 26 (38.46%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=seojs2o72hr7rh6aa6hfhh4p2exxkgue57xxj5iguma4xivzaefq._file
Verdict:
malicious
Similar samples:
357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51
Rhadamanthys
59494a51618f234021c0dae2d87667ce9e431b8a75a1b4952d3e48bf71492fbb
Rhadamanthys
6326bea9cec6e2baec63ed96cd31a97770c6a63b96d1169a8b5586ec071c8778
Rhadamanthys
65a2b3cf112d50e941051116e68b736239d521bf7611e143ae1c83f93716f6f5
Rhadamanthys
8d7c1cb321e7b41dc11548e8a3e02c0394e50494b06d499e0465eb3919372d04
Rhadamanthys
90ac709312ca3f366e138a84bb93d453544fc227d525fbef47b4d7a90ac6f820
Rhadamanthys
9a2232a4a9ceef2c3fcfee0acca71d5717395aff8abd1b6b26aa3a5c266b3fae
Rhadamanthys
a7555fbbb59c9e063dfa6b392af01c02f1d23679e53882fc1cb6d3a432330c50
Rhadamanthys
c6135818ddc5d31afa68f42f21e1da3e19f879096298ccb84f68803847235004
Rhadamanthys
eb5ec9cf758bd526db090f9290d323201911b4181c3bfeb3ebd1f1af8be19285
Rhadamanthys
+ 971 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/230121-zvfp8sdh59/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
911c9969dfd1e3f89fc0078e539f8fd12f751a84efef74f506a301cba2b9010b
MD5 hash:
2b3033eb3cf9e02a32a990eb327b68d4
SHA1 hash:
f20077c422d3de10c0b198d4ed7e0e4ef9dedd9c
Link:
https://www.unpac.me/results/5f754a50-96f1-47dd-9f07-b60d56bb6146/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.81
Link:
https://yomi.yoroi.company/submissions/911c9969dfd1e3f89fc0078e539f8fd12f751a84efef74f506a301cba2b9010b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/355446/

Comments