MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a2ae21d0e3746dd06ac2b1c69517df60e3998d4d3db47d655b1c01504bba21aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 12

Intelligence 12 IOCs YARA 2 File information Comments

SHA256 hash:	a2ae21d0e3746dd06ac2b1c69517df60e3998d4d3db47d655b1c01504bba21aa
SHA3-384 hash:	12ec2a246b8cd2b5d74d7f303a87af01d95f483ea9112f9004d90a9a4130a2ed338ff9f5bc1e07259d8519024febf902
SHA1 hash:	3457ae59ac2fdcf4b2013b4245ebebfd22841196
MD5 hash:	38e67b1288479162d6bc93ee31a90564
humanhash:	sweet-twelve-comet-juliet
File name:	38e67b1288479162d6bc93ee31a90564.exe
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	254'464 bytes
First seen:	2023-02-07 18:57:12 UTC
Last seen:	2023-02-07 20:48:26 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	87e1f4e32d01d5a52e605f27fd138118 (6 x RedLineStealer, 5 x Smoke Loader, 3 x RecordBreaker)
ssdeep	3072:LRvnO9N2bPgOyL/dnBYWZf354wHGXobm/JRO0LDl8ABIx8VM6Q3DTNJ3nJWPfo3:1vnptyLFBYkmXF/DHFJw8VM93DDEPfo
Threatray	4'458 similar samples on MalwareBazaar
TLSH	T15E44E1333AE0C4B3C5AB21346820DAA56BBFB8315578894B7BA4C7ED9F302D15732756
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	916a6e6a6a6a6a60 (15 x RedLineStealer, 14 x Smoke Loader, 5 x RecordBreaker)
Reporter	abuse_ch
Tags:	exe Rhadamanthys

Intelligence

File Origin

# of uploads :

# of downloads :

207

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

38e67b1288479162d6bc93ee31a90564.exe

Verdict:

Malicious activity

Analysis date:

2023-02-07 19:04:26 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/4f641841-997d-4d38-95a5-0d900eea12db

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/361569/

Detection(s):

SecuriteInfo.com.Win32.CrypterX-gen.12242.19349.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Sending an HTTP GET request

Creating a file in the %AppData% directory

Launching a process

Deleting a recently created file

Launching the default Windows debugger (dwwin.exe)

Reading critical registry keys

Searching for the window

Forced system process termination

Stealing user critical data

Verdict:

No Threat

Threat level:

2/10

Confidence:

75%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/63e29f3c96add6d1cf49f674/reports/bce035c2-8096-414a-86d7-878d9226dc5b/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/a2ae21d0e3746dd06ac2b1c69517df60e3998d4d3db47d655b1c01504bba21aa

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Cobalt Strike

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/b134e935-5686-4f01-acbf-f961a020be16

Result

Threat name:

RHADAMANTHYS

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1168039

Signature

Antivirus detection for URL or domain

Contain functionality to detect virtual machines

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to detect virtual machines (IN, VMware)

Contains functionality to hide a thread from the debugger

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found API chain indicative of debugger detection

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Searches for specific processes (likely to inject)

Snort IDS alert for network traffic

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a2ae21d0e3746dd06ac2b1c69517df60e3998d4d3db47d655b1c01504bba21aa/

Threat name:

Win32.Trojan.Raccoon

Status:

Malicious

First seen:

2023-02-07 18:58:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ukxcduhdorw5a2wcwhdjkf67mdrztdknhw2h2zk3dqavas52egva._file

Verdict:

malicious

Rhadamanthys

5bcc3350acdf3027e32cba242e4f9441346be114d353313e16e9a973bd431f97

Rhadamanthys

64d1d03c3378be695f30daea3877b732f662fc453dcd03af0f7990467c698a8f

Rhadamanthys

68c1f88ca465c2a423a823c58fa157936edbbe9583ccfb6f4276a51f98921691

Rhadamanthys

a9acf0763805c33d4dfbdfae22e6b0209fdf4b6557dba5e3679208d23323e5a4

Rhadamanthys

aa64d1ced4e8d63e410a37fae592af152e222ee8a10bce0a364545bae3cac365

Rhadamanthys

c2ccf7cd483fc0a8d78d237ecae0ecbcf4a64efbdf9cbd412332d819eb448eea

Rhadamanthys

c992562284eafd147ee1f72c29dba9c01e892b5dd147fc5d7c6700f15a2a70fc

Rhadamanthys

+ 4'448 additional samples on MalwareBazaar

Result

Malware family:

rhadamanthys

Score:

10/10

Tags:

family:rhadamanthys collection discovery spyware stealer

Link:

https://tria.ge/reports/230207-xmg7zsdc76/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Program crash

Accesses Microsoft Outlook profiles

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Blocklisted process makes network request

Detect rhadamanthys stealer shellcode

Rhadamanthys

Unpacked files

SH256 hash:

9c0bd64e8888569d9f394853aade64392c431a684452d9bc8f819dfb2d1bac1a

MD5 hash:

016615af8b3cb0a90066b3bedcf65aa9

SHA1 hash:

315dd04a70f9bcc2b62b57846dbfa79426eb5856

Link:

https://www.unpac.me/results/73a5d321-808b-454b-9e5c-84fa0530d105/

SH256 hash:

a2ae21d0e3746dd06ac2b1c69517df60e3998d4d3db47d655b1c01504bba21aa

MD5 hash:

38e67b1288479162d6bc93ee31a90564

SHA1 hash:

3457ae59ac2fdcf4b2013b4245ebebfd22841196

Link:

https://www.unpac.me/results/73a5d321-808b-454b-9e5c-84fa0530d105/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a2ae21d0e374/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a2ae21d0e3746dd06ac2b1c69517df60e3998d4d3db47d655b1c01504bba21aa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.