MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 988076bd6d29e4027272a15de5c11337648d458b3384554328ed317f55dec1aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 988076bd6d29e4027272a15de5c11337648d458b3384554328ed317f55dec1aa
SHA3-384 hash: d09affcbe69c5f11f29a156368b6219f88284f63ae12d722de33a1ae1fceb6cf0a6bc174087e05ae7aa28bb3593134a3
SHA1 hash: f39f818292e2a71dc644309ada01f8aafcd0b64e
MD5 hash: bad32fa44e8c0aac24af7194ef9cf8b0
humanhash: kilo-yankee-massachusetts-johnny
File name:discussiontelecommunications.bin
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:726'528 bytes
First seen:2023-07-19 03:36:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:GfISclry0iJCNO7Pi9+g+MeHkxOCUHzRAiSXN2F+VHKLxEwyENwobBqfzI1/8SbK:+IobPI+g+uMCUKiSXxPS2f2wV+gjTx
Threatray 140 similar samples on MalwareBazaar
TLSH T189F4D5037B9686A2E2595736DDAF4C04C361EDA3722BE70F758E339904433AB9D4960F
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter JAMESWT_WT
Tags:exe FruitMiX Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
283
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ea866afe65a766382b74e99544fda1af.exe
Verdict:
Malicious activity
Analysis date:
2023-07-18 12:56:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/264e93e1-afb8-49be-8e73-edb08123164b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/424424/
Detection(s):
SecuriteInfo.com.Win32.RATX-gen.6456.17476.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control lolbin masquerade packed replace
Link:
https://www.filescan.io/uploads/64b75a6087b3dbad8aad1eac/reports/b83bf132-50c3-465c-8ec5-19edc79e9bc6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/988076bd6d29e4027272a15de5c11337648d458b3384554328ed317f55dec1aa
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/269a0f45-c738-43ed-b7d6-e20197138ff8
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1275611
Signature
Antivirus / Scanner detection for submitted sample
Deletes itself after installation
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/988076bd6d29e4027272a15de5c11337648d458b3384554328ed317f55dec1aa/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-07-18 12:55:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
17 of 25 (68.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tcahnplnfhsae4tsufo6lqitg5si2rmlgocfkqzi5uyx6vo6ygva._file
Verdict:
malicious
Similar samples:
0f0760eb43d1a3ed16b4842b25674e4d6d1239766243bac1d4c19341bb37d5b8
Rhadamanthys
114210ddeecbf5dd4320338e5a3c5a156841ae1390732a2b71e324f161e32932
Rhadamanthys
1f9608369e65dd661a77e6f7ba62ff9435061a7be179bd1602a55893e754e1cc
Rhadamanthys
23af16d3c63373e2e6789381782572f3b0d17fe7587f243a100c6123ea1e3020
Rhadamanthys
4a269414d116334ba8837a573d824a3ff46c3b7d274b7b8e3c3ffd688a2e3729
Rhadamanthys
8a049d96c7cb3586360c4936c28a543f8625ac00870a5887478eef8f2a169549
Rhadamanthys
8be2a3d913c8851bffa0a682c9fb393d614a108e142344987ff9c8712d48c8c3
Rhadamanthys
b6a1f7a46ead00ddc8691bc83782d299934ef81a8dd9517d09aadd4296120ef3
Rhadamanthys
bd213bacf745262d609025230b73d653d2ef62875f28860ea1b4d1a65f5c5cca
Rhadamanthys
fb9295be3b011faf14a3e3d382a24eb47cf8877f3fcbf2bbc598c92cf3a48181
Rhadamanthys
+ 130 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys collection stealer
Link:
https://tria.ge/reports/230719-d6gk1sgc4z/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Detect rhadamanthys stealer shellcode
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
988076bd6d29e4027272a15de5c11337648d458b3384554328ed317f55dec1aa
MD5 hash:
bad32fa44e8c0aac24af7194ef9cf8b0
SHA1 hash:
f39f818292e2a71dc644309ada01f8aafcd0b64e
Link:
https://www.unpac.me/results/c819dac7-1e81-4e59-a066-686ab52cdacf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/988076bd6d29e4027272a15de5c11337648d458b3384554328ed317f55dec1aa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/424424/

Comments