MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 98942a0affa9721c90b097c2c6a9cd02959185526c3b7a44377a25b252a16fff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 13

Intelligence 13 IOCs YARA 4 File information Comments

SHA256 hash:	98942a0affa9721c90b097c2c6a9cd02959185526c3b7a44377a25b252a16fff
SHA3-384 hash:	edca7c8d7fcf506d6f53ca937b9cacdf5466a5b09cbf41033263293f28e8262e13fe416634275b107464cf0651888078
SHA1 hash:	6ea8efc12ed24f00eb0f230dfec026a6816ba696
MD5 hash:	e1bece7ba20dbb8100100f8cff2c415d
humanhash:	berlin-stream-robert-river
File name:	e1bece7ba20dbb8100100f8cff2c415d.exe
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	447'488 bytes
First seen:	2024-05-23 18:14:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	be49a2411263045f8ee0c442783b5f83 (6 x Rhadamanthys)
ssdeep	6144:A2qezd2ab1/RuHk+M3k8M3W7XomjOJCqshrOlumY6DMIewgxQfqksb:Af2R/EEkCQFYDwRqv
Threatray	125 similar samples on MalwareBazaar
TLSH	T15294238FB69B5424DD3626F3DE6652383B1574580B460EFF9E7B6D20A010FA94E28F03
TrID	52.9% (.EXE) Win32 Executable (generic) (4504/4/1) 23.5% (.EXE) Generic Win/DOS Executable (2002/3) 23.5% (.EXE) DOS Executable Generic (2000/1)
Reporter	abuse_ch
Tags:	exe Rhadamanthys

Intelligence

File Origin

# of uploads :

# of downloads :

335

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

98942a0affa9721c90b097c2c6a9cd02959185526c3b7a44377a25b252a16fff.exe

Verdict:

No threats detected

Analysis date:

2024-05-19 09:59:53 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/78bb0116-62ef-4ecd-9215-8ebc56961c0a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Packed.Zusy-10024420-0

Verdict:

Malicious

Score:

93.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=664f87c802cf134c1c7f8701win10vpnfull_triage

Tags:

Encryption Variant

Result

Verdict:

Malware

Maliciousness:

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

overlay rhadamanthys zbot zusy

Link:

https://www.filescan.io/uploads/664f876f458fabe8a9571704/reports/bb5ad2b7-5ddd-46c1-a68a-7062ecc7fb38/overview

Verdict:

Malicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/98942a0affa9721c90b097c2c6a9cd02959185526c3b7a44377a25b252a16fff

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/ad9df3f4-2b15-4283-8605-f91ef586f66b

Result

Threat name:

RHADAMANTHYS

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1446715

Signature

.NET source code contains potential unpacker

AI detected suspicious sample

Antivirus / Scanner detection for submitted sample

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/98942a0affa9721c90b097c2c6a9cd02959185526c3b7a44377a25b252a16fff

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/98942a0affa9721c90b097c2c6a9cd02959185526c3b7a44377a25b252a16fff/

Threat name:

Win32.Trojan.Rhadamanthys

Status:

Malicious

First seen:

2024-05-17 23:49:58 UTC

File Type:

PE (Exe)

AV detection:

23 of 24 (95.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=tckcucx7vfzbzefqs7bmnkonakkzdbksnq5xurbxpis3euvbn77q._file

Verdict:

malicious

Rhadamanthys

327ca53611ed8d7b370367c83da4de648368a82d75d385639165f4f8f4ac510e

Rhadamanthys

35ed65d9919843300db648bf93ae57d7330095eb1ce18d6c6050db88a2e4f297

Rhadamanthys

52038c38dc147fbb2ae03a8569cf07cb2d1d29c14d7fa30215757afd3076c89a

Rhadamanthys

5578a78576a35a6a95c8a5372e7d498fd4d2a4d5d7abe7369a14307d578192c6

Rhadamanthys

cade479a0b203af759b0f82c80d4b95ca46abe3a4f665f365953eb5e25fe9284

Rhadamanthys

+ 115 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/240523-wvxf7sbe54/

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/29eaae7f-9011-4d6d-8b70-e35d47de37f1

Unpacked files

SH256 hash:

98942a0affa9721c90b097c2c6a9cd02959185526c3b7a44377a25b252a16fff

MD5 hash:

e1bece7ba20dbb8100100f8cff2c415d

SHA1 hash:

6ea8efc12ed24f00eb0f230dfec026a6816ba696

Link:

https://www.unpac.me/results/622b924c-77c8-41a5-92a1-70b8f16b130f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Password Stealer

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/98942a0affa9721c90b097c2c6a9cd02959185526c3b7a44377a25b252a16fff

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_getEIP_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	malware_shellcode_hash Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect shellcode api hash value

Rule name:	meth_get_eip Create hunting rule
Author:	Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::GetStartupInfoA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample