MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a355fbce3b91a02a5b3e3af9a2b7b6fbaf9da6fdd5b2260e8e7c7b8ec1c1e2d2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a355fbce3b91a02a5b3e3af9a2b7b6fbaf9da6fdd5b2260e8e7c7b8ec1c1e2d2
SHA3-384 hash: e7032b896145e432f463271f309ce743c7dd6b3788e9736274f06c432d802c81db071bb31d96010b40f97439ea27abb7
SHA1 hash: 729830eb7053a06017062274a9b3deffa4314d41
MD5 hash: 800564a52d3834a9353b51b0fb4b5e96
humanhash: twenty-zebra-chicken-earth
File name:file
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:1'915'440 bytes
First seen:2023-01-22 02:32:00 UTC
Last seen:2023-01-22 23:55:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 848cc806b5445d436485e2ece322aa0e (2 x Rhadamanthys, 1 x GCleaner)
ssdeep 24576:96oZfKa9OEJ4J56LXaVBf8qFQ4HqiIYV+MfpU2tFD3c1eGDGVqk8ZVjrSOP+U:96opKa9zdLXaVBf5dqir23DGckLO2U
Threatray 325 similar samples on MalwareBazaar
TLSH T1D795E015AF41C4D7C0BFF7BABAA63722642D15D1B3CBF33652B318550BB2A8446613A3
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f68b0fb3b3b392d2 (1 x Rhadamanthys)
Reporter andretavare5
Tags:exe Rhadamanthys signed

Code Signing Certificate

Organisation:*.ny.gov
Issuer:GlobalSign RSA OV SSL CA 2018
Algorithm:sha256WithRSAEncryption
Valid from:2022-05-10T19:56:03Z
Valid to:2023-06-11T19:56:02Z
Serial number: 27001ee704db837ea01cac4c
Thumbprint Algorithm:SHA256
Thumbprint: 6d96f30ab63928a479ae87bc9425c2eee5ae17e29dca58cdd439358dfab5e596
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from https://www.isurucabs.lk/SAM.exe

Intelligence

File Origin
# of uploads :
31
# of downloads :
212
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-01-22 02:33:17 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/50ec26a2-d3c6-49ba-9d7a-3c288c3421d9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/355503/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
DNS request
Launching a process
Creating a file in the %temp% directory
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Detecting VM
Sending an HTTP GET request
Creating a file in the %AppData% directory
Deleting a recently created file
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/62166/overview
Behaviour
MalwareBazaar
MeasuringTime
CPUID_Instruction
SystemUptime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware overlay packed shell32.dll
Link:
https://www.filescan.io/uploads/63cca024447edb203a002f68/reports/fc486a41-1dac-4ad2-ac9e-e0eacb985589/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mustang Panda
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/605e2caf-9e5a-4521-85b2-ff8cbd4e633c
Result
Threat name:
RHADAMANTHYS, lgoogLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1156371
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Checks if the current machine is a virtual machine (disk enumeration)
Contain functionality to detect virtual machines
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to hide a thread from the debugger
Creates an undocumented autostart registry key
Detected unpacking (creates a PE file in dynamic memory)
Encrypted powershell cmdline option found
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Searches for specific processes (likely to inject)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected lgoogLoader
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 789104 Sample: file.exe Startdate: 22/01/2023 Architecture: WINDOWS Score: 100 60 Snort IDS alert for network traffic 2->60 62 Antivirus detection for URL or domain 2->62 64 Multi AV Scanner detection for dropped file 2->64 66 8 other signatures 2->66 11 file.exe 9 2->11         started        process3 dnsIp4 58 jrkq2t6bi85cjcqnaa3czxmzq.8a5rebtcoxxexk8jryiowwoouv7 11->58 50 C:\Users\user\AppData\Local\...\6830062.dll, PE32 11->50 dropped 94 Detected unpacking (creates a PE file in dynamic memory) 11->94 96 Writes to foreign memory regions 11->96 98 Allocates memory in foreign processes 11->98 100 Injects a PE file into a foreign processes 11->100 16 fontview.exe 1 11->16         started        21 ngentask.exe 11->21         started        file5 signatures6 process7 dnsIp8 52 109.206.243.168, 49703, 49704, 49709 AWMLTNL Germany 16->52 44 C:\Users\user\AppData\...\nsis_uns6889f6.dll, PE32+ 16->44 dropped 68 Query firmware table information (likely to detect VMs) 16->68 70 Found evasive API chain (may stop execution after checking system information) 16->70 72 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 16->72 74 11 other signatures 16->74 23 rundll32.exe 16->23         started        file9 signatures10 process11 signatures12 84 System process connects to network (likely due to code injection or exploit) 23->84 86 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->86 88 Tries to steal Mail credentials (via file / registry access) 23->88 90 4 other signatures 23->90 26 dllhost.exe 14 5 23->26         started        31 WerFault.exe 23->31         started        process13 dnsIp14 56 transfer.sh 144.76.136.153, 443, 49708 HETZNER-ASDE Germany 26->56 48 C:\Users\user\AppData\Local\...\Library.exe, PE32+ 26->48 dropped 92 System process connects to network (likely due to code injection or exploit) 26->92 33 Library.exe 1 6 26->33         started        file15 signatures16 process17 file18 46 C:\Users\user\AppData\Roaming\...\IGCPU.exe, PE32+ 33->46 dropped 76 Multi AV Scanner detection for dropped file 33->76 78 Creates an undocumented autostart registry key 33->78 80 Machine Learning detection for dropped file 33->80 82 5 other signatures 33->82 37 powershell.exe 16 33->37         started        39 MSBuild.exe 33->39         started        signatures19 process20 dnsIp21 42 conhost.exe 37->42         started        54 45.159.189.105, 49714, 80 HOSTING-SOLUTIONSUS Netherlands 39->54 process22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a355fbce3b91a02a5b3e3af9a2b7b6fbaf9da6fdd5b2260e8e7c7b8ec1c1e2d2/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-01-22 02:28:40 UTC
File Type:
PE (Exe)
Extracted files:
28
AV detection:
15 of 26 (57.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=unk7xtr3sgqcuwz6hl42fn5w7oxz3jx52wzcmduopr5y5qob4lja._file
Verdict:
malicious
Similar samples:
2be47a55c0d9a863fb620ba88c0c276c2f97fa775eaa435c20d8065af267784e
Rhadamanthys
590420a09891c0a91ecdc29942328e707cc3f0243f5c9907c96150eb15fe1052
Rhadamanthys
9146cee3d387cb3d665885b95d885734541f281cbb2a4726b6a59df922a83ee7
Rhadamanthys
b0a22e9a9850fa4356f5603905f45645489ae04d60d630772b3b8227a21b1956
Rhadamanthys
ca871a9028d80e2b3d73a8fe07b9d1628b52e0f9163402a3ab3199f512a36ab1
Rhadamanthys
ee8ea5570b0a2c9f6aef8e551cc0d3fbd0be45dc5c11c50ca7056eef2d85d77d
Rhadamanthys
f92b81ca5eebd6f7fb97f0c94d92874c97d738db54887421b82cade3a4be90cd
Rhadamanthys
fee1d36af03a162f70a627c7cd3efa55b0557530d7eefbe8c72026f48b904595
Rhadamanthys
+ 315 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:lgoogloader family:rhadamanthys downloader stealer
Link:
https://tria.ge/reports/230122-c1ad3sgg2t/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Detect rhadamanthys stealer shellcode
Detects LgoogLoader payload
LgoogLoader
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
f0709ae7c29c3c4cc8b17510e9cec2793f88004acb876f872fcd3006400a8053
MD5 hash:
f15ca3a432f246cf9fa3f5298a132548
SHA1 hash:
fa9a09b7b9354053be4f1a1cb2d3296cd6913765
Link:
https://www.unpac.me/results/1ae9ce10-1a8f-4ff4-b74e-27a192e5fab0/
SH256 hash:
a355fbce3b91a02a5b3e3af9a2b7b6fbaf9da6fdd5b2260e8e7c7b8ec1c1e2d2
MD5 hash:
800564a52d3834a9353b51b0fb4b5e96
SHA1 hash:
729830eb7053a06017062274a9b3deffa4314d41
Link:
https://www.unpac.me/results/1ae9ce10-1a8f-4ff4-b74e-27a192e5fab0/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a355fbce3b91/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/a355fbce3b91a02a5b3e3af9a2b7b6fbaf9da6fdd5b2260e8e7c7b8ec1c1e2d2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
  
URLhaus
https://urlhaus.abuse.ch/url/2509599/
Cape
Cape
https://www.capesandbox.com/analysis/355503/

Comments