MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a3b76444db87856c6f2ef326f5d1f2c22712217aa36d36bc58fa575cc3ba1bd3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Rhadamanthys


Vendor detections: 13



SHA256 hash: a3b76444db87856c6f2ef326f5d1f2c22712217aa36d36bc58fa575cc3ba1bd3
SHA3-384 hash: d17b4004e662a55b15ec9581a98dcf1f2f433ab6bdb7e1fa05243fd54a7ee0401145861b5fa56f91dcfd00c789109490
SHA1 hash: 09a6b465040e08223dd96dae85cd50cea28706b9
MD5 hash: 2173293fd71b02ebb90e2099f5fd7f8c
humanhash: maine-magnesium-colorado-blue
File name: DHL Original Document.exe
Signature: Rhadamanthys
File size: 1'792'544 bytes
First seen: 2023-02-07 17:13:18 UTC
Last seen: 2023-02-07 18:40:11 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7a7a9ac40cd670433b285ea5ed2b1d4d (1 x Formbook, 1 x Rhadamanthys, 1 x AgentTesla)
ssdeep: 49152:F5V13B+RU5cmaJeDlNIcinp8iFGv7WG6fp88:vVeIcEDxin5GjWG6fT
TLSH: T17F85BF5C6378FC5CD01E8AB6D855EA97C01E14B53235016F48EF29FAB7A2B48C5B09CB
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon: c4d2d1c9c8d8c8f9 (3 x AgentTesla, 3 x Rhadamanthys, 1 x Formbook)
Reporter: abuse_ch
Tags: DHL exe Rhadamanthys signed

Code Signing Certificate

Organisation: www.walmart.com
Issuer: GlobalSign RSA OV SSL CA 2018
Algorithm: sha256WithRSAEncryption
Valid from: 2022-03-30T08:10:55Z
Valid to: 2023-05-01T08:10:54Z
Serial number: 3b9e882c443ea4c38a99b2b9
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint algorithm: SHA256
Thumbprint: a14ca82b2cda430cf84d250dd686128c76f01d3f4424b25ed95de82ac4bdcdf4
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 206
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: DHL Original Document.exe
Verdict: Malicious activity
Analysis date: 2023-02-07 17:17:30 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour
Searching for the window
DNS request
Creating a file

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
EvasionGetTickCount
Verdict: No Threat
Threat level: 2/10
Confidence: 83%
Tags: greyware overlay packed

Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Mustang Panda
Verdict: Malicious

Result
Threat name: AgentTesla, RHADAMANTHYS
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Checks if the current machine is a virtual machine (disk enumeration)
Early bird code injection technique detected
Encrypted powershell cmdline option found
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Self deletion via cmd or bat file
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph: [Behavior Graph ID: 800738; Sample: DHL Original Document.exe; Startdate: 07/02/2023; Architecture: WINDOWS; Score: 100. The graph rendering itself (process tree, dropped files, contacted hosts and per-node signatures) is not reproduced here.]
Threat name: Win32.Spyware.Rhadamanthys
Status: Malicious
First seen: 2023-02-06 17:09:26 UTC
File Type: PE (Exe)
Extracted files: 28
AV detection: 19 of 26 (73.08%)
Threat level: 2/5
Verdict: malicious
Label(s): agenttesla

Result
Malware family: rhadamanthys
Score: 10/10
Tags: family:agenttesla family:rhadamanthys collection keylogger spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
AgentTesla
Detect rhadamanthys stealer shellcode
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SHA256 hash: 355d6076310525e8e1e3c7d41f4028d754596fe848773a520c981e2e9041d159
MD5 hash: 6ec6adeea27475f295d64af8bb334e6d
SHA1 hash: 00330c6dcbfed48f118363f01ac4919106c8112f

SHA256 hash: a3b76444db87856c6f2ef326f5d1f2c22712217aa36d36bc58fa575cc3ba1bd3
MD5 hash: 2173293fd71b02ebb90e2099f5fd7f8c
SHA1 hash: 09a6b465040e08223dd96dae85cd50cea28706b9
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value

Rule name: meth_get_eip
Author: Willi Ballenthin

Rule name: pdb_YARAify
Author: @wowabiy314
Description: PDB

Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
Rhadamanthys
Executable exe a3b76444db87856c6f2ef326f5d1f2c22712217aa36d36bc58fa575cc3ba1bd3 (this sample)
Delivery method: Distributed via e-mail attachment

Comments