MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92f15aca3c8a18dc413b61ae62fa88f601c1a3d7d5d682c1384c0229396da603. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 17

Intelligence 17 IOCs YARA 4 File information Comments

SHA256 hash:	92f15aca3c8a18dc413b61ae62fa88f601c1a3d7d5d682c1384c0229396da603
SHA3-384 hash:	e4b8750859e453873ebfe033f9dc22a61dd3a1860702a7dd65ed56dbb3cb853685e8f5198e4cc96054513be94e0f7ab3
SHA1 hash:	198b3ea699183d292e95748300acc176773f6834
MD5 hash:	8903a3a26cd448747ae51dc64e359211
humanhash:	maine-georgia-white-pennsylvania
File name:	quanto.exe.bin
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	4'863'302 bytes
First seen:	2025-03-24 18:53:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	657e40fb09b2c5e277b865a7cf2b8089 (6 x AsyncRAT, 4 x Arechclient2, 3 x DanaBot)
ssdeep	98304:MKaAh0jTZCMVjTec6LVdMi8SJblSEbWAj3FUn3v8n9VuIf9u3:/laRCMVa7dP82lSuzBkq/uIU3
Threatray	106 similar samples on MalwareBazaar
TLSH	T1A1361232A166303BE6F52AF3F550D2303D6DB3182B58C9AAC6D09C1D39685D16EF734A
TrID	40.3% (.EXE) Win64 Executable (generic) (10522/11/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
dhash icon	b2e1b496a6cada72 (13 x LummaStealer, 12 x AsyncRAT, 8 x Rhadamanthys)
Reporter	JAMESWT_WT
Tags:	exe noexploit-net Rhadamanthys

Intelligence

File Origin

# of uploads :

# of downloads :

464

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

general.ps1

Verdict:

Malicious activity

Analysis date:

2025-03-24 18:40:14 UTC

Tags:

evasion stealer loader arch-doc api-base64 rhadamanthys delphi hijackloader shellcode

Link:

https://app.any.run/tasks/8571e661-1024-41c0-b826-e4fdc100b560

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67e24e15acb044ea849ea491

Tags:

vmdetect delphi

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a file in the Windows subdirectories

Creating a process from a recently created file

Creating a window

Сreating synchronization primitives

Creating a file in the %AppData% subdirectories

Launching cmd.exe command interpreter

Launching a process

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context anti-vm anti-vm CAB crypto evasive expand fingerprint fingerprint installer keylogger lolbin masquerade microsoft_visual_cc overlay packed packed packer_detected remote rundll32 runonce spyeye surtr

Link:

https://www.filescan.io/uploads/67e1aa56a08e28b31da335ab/reports/4b17875f-8b3c-4d0c-b793-b1274633c5b9/overview

Verdict:

Suspicious

Labled as:

Trojan.Penguish

Link:

https://www.hybrid-analysis.com/sample/92f15aca3c8a18dc413b61ae62fa88f601c1a3d7d5d682c1384c0229396da603

Result

Verdict:

MALICIOUS

Malware family:

AsyncRAT

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/61e5b5ae-b964-4485-b6bc-4911d99c1fac

Result

Threat name:

RHADAMANTHYS

Detection:

malicious

Classification:

evad.troj

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1647401

Behaviour

Behavior Graph:

n/a

Score:

88%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/92f15aca3c8a18dc413b61ae62fa88f601c1a3d7d5d682c1384c0229396da603

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/92f15aca3c8a18dc413b61ae62fa88f601c1a3d7d5d682c1384c0229396da603/

Threat name:

Win32.Spyware.Rhadamanthys

Status:

Suspicious

First seen:

2025-03-24 18:52:31 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

7 of 24 (29.17%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=slyvvsr4rimnyqj3mgxgf6ui6ya4di6x2xlifqjyjqbcsolnuybq._file

Verdict:

malicious

Label(s):

rhadamanthys

Rhadamanthys

251a34cd3b0a6ac0a33ba78280abd117b4650859f57ed7c2905a86f8d7f3bff7

Rhadamanthys

29d3678e7aa0187318bc83bf5e6d9ca06fc0d6a858ce006b05f7f97322051ee7

Rhadamanthys

357829b06c1c185e44efa729dd8671487a43778a3be1b6f46c7956f4d4cb49e2

Rhadamanthys

36bbc5fca6c7ebfe14b2bc077363a8173a5d87d203e2999a0c90f6fd31d6093b

Rhadamanthys

5227b0678f64770fbe06ac5afd7686f2f50d4b186b22012693ab9e87c0d2521f

Rhadamanthys

5bc044ef951c5095e4b7c094df6e54b19dfaafcd148583bb694625b7a0900f1c

Rhadamanthys

7e7f030d5c14da66fec84faf2581fef5b9001378d586c23ab48bf5399703a9d0

Rhadamanthys

a6e44787ce9ccbcf4b60bb74db99a6f1954b0404f42de69b7b3294a3597e2848

Rhadamanthys

de53f6f359af6ccc361faf2aa74690c9575b987a01f1250a6eb042cf9d4ea4af

Rhadamanthys

error

Rhadamanthys

+ 96 additional samples on MalwareBazaar

Result

Malware family:

rhadamanthys

Score:

10/10

Tags:

family:rhadamanthys discovery stealer

Link:

https://tria.ge/reports/250324-xj94laxpx9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Suspicious use of SetThreadContext

Executes dropped EXE

Loads dropped DLL

Detects Rhadamanthys payload

Rhadamanthys

Rhadamanthys family

Suspicious use of NtCreateUserProcessOtherParentProcess

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/b26dc5ed-4d09-4ff4-bb6f-1ac631e23cad

Unpacked files

SH256 hash:

92f15aca3c8a18dc413b61ae62fa88f601c1a3d7d5d682c1384c0229396da603

MD5 hash:

8903a3a26cd448747ae51dc64e359211

SHA1 hash:

198b3ea699183d292e95748300acc176773f6834

Link:

https://www.unpac.me/results/7839b70b-37ed-443f-b049-2638f860513c/

SH256 hash:

96139cc7dce36d4ea72e8cf7a98dffad9761f33e30cfb4aeeea13e44591b4652

MD5 hash:

6c5af7251be0226b58b4b6b9fd7d2ab2

SHA1 hash:

43b56cf3c13ae6279da554275bc88aea45bc9c12

Link:

https://www.unpac.me/results/7839b70b-37ed-443f-b049-2638f860513c/

SH256 hash:

381c74eee244924ea8a0d721d085b5debfbed6ae13c44c3eeff91db964132656

MD5 hash:

a05094d1b66320653ba8cec4691db8de

SHA1 hash:

37e88efe57ca8450e12a7c821e2be586c904d698

Detections:

INDICATOR_SUSPICIOUS_Binary_References_Browsers

Link:

https://www.unpac.me/results/7839b70b-37ed-443f-b049-2638f860513c/

SH256 hash:

d1dd52eba230c61798a5d5a3d2dd6dafd1427b86c5ffd44eb20ce0b5daa97364

MD5 hash:

1e7a8ece22826e6bf49a8041b9ddf050

SHA1 hash:

979ebd86821c752e1b7cbc79eb17e753dc5cd429

Link:

https://www.unpac.me/results/7839b70b-37ed-443f-b049-2638f860513c/

SH256 hash:

a6edb3fb6d21dd461da3767a7995034e208f7d6b08997f6cf7ee7b0ea833a8f0

MD5 hash:

cabb58bb5694f8b8269a73172c85b717

SHA1 hash:

9ed583c56385fed8e5e0757ddb2fdf025f96c807

Link:

https://www.unpac.me/results/7839b70b-37ed-443f-b049-2638f860513c/

SH256 hash:

68bee500e0080f21c003126e73b6d07804d23ac98b2376a8b76c26297d467abe

MD5 hash:

d4dae7149d6e4dab65ac554e55868e3b

SHA1 hash:

b3bea0a0a1f0a6f251bcf6a730a97acc933f269a

Link:

https://www.unpac.me/results/7839b70b-37ed-443f-b049-2638f860513c/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/92f15aca3c8a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/92f15aca3c8a18dc413b61ae62fa88f601c1a3d7d5d682c1384c0229396da603

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
AUTH_API	Manipulates User Authorization	ADVAPI32.dll::AllocateAndInitializeSid ADVAPI32.dll::ConvertStringSecurityDescriptorToSecurityDescriptorW ADVAPI32.dll::CreateWellKnownSid ADVAPI32.dll::SetEntriesInAclW ADVAPI32.dll::SetEntriesInAclA ADVAPI32.dll::SetNamedSecurityInfoW
COM_BASE_API	Can Download & Execute components	ole32.dll::CLSIDFromProgID ole32.dll::CoCreateInstance ole32.dll::CoInitializeSecurity
SECURITY_BASE_API	Uses Security Base API	ADVAPI32.dll::AdjustTokenPrivileges ADVAPI32.dll::CheckTokenMembership ADVAPI32.dll::GetTokenInformation ADVAPI32.dll::IsWellKnownSid ADVAPI32.dll::SetSecurityDescriptorDacl ADVAPI32.dll::SetSecurityDescriptorGroup
SHELL_API	Manipulates System Shell	SHELL32.dll::ShellExecuteExW
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessW KERNEL32.dll::OpenProcess ADVAPI32.dll::OpenProcessToken KERNEL32.dll::SetProcessShutdownParameters KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryExW KERNEL32.dll::LoadLibraryExA KERNEL32.dll::GetSystemInfo KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineA KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleOutputCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileMappingW KERNEL32.dll::CreateFileA KERNEL32.dll::CreateFileW KERNEL32.dll::DeleteFileW
WIN_BASE_USER_API	Retrieves Account Information	KERNEL32.dll::GetComputerNameW ADVAPI32.dll::GetUserNameW ADVAPI32.dll::LookupPrivilegeValueW
WIN_BCRYPT_API	Can Encrypt Files	ADVAPI32.dll::DecryptFileW
WIN_CRYPT_API	Uses Windows Crypt API	ADVAPI32.dll::CryptAcquireContextW ADVAPI32.dll::CryptCreateHash ADVAPI32.dll::CryptGetHashParam ADVAPI32.dll::CryptHashData
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyExW ADVAPI32.dll::RegDeleteKeyW ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryInfoKeyW ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExW
WIN_SVC_API	Can Manipulate Windows Services	ADVAPI32.dll::ChangeServiceConfigW ADVAPI32.dll::ControlService ADVAPI32.dll::OpenSCManagerW ADVAPI32.dll::OpenServiceW ADVAPI32.dll::QueryServiceConfigW ADVAPI32.dll::QueryServiceStatus
WIN_USER_API	Performs GUI Actions	USER32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample