MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a717bafa929893e64dbd2fc6b38dbeed2efc7308f1bc3e1eaf52dfc8114091ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 14

Intelligence 14 IOCs YARA 4 File information Comments

SHA256 hash:	a717bafa929893e64dbd2fc6b38dbeed2efc7308f1bc3e1eaf52dfc8114091ad
SHA3-384 hash:	db383e1af677be2c101cdb06c334dccae89aac7c25540fbafeafdc4a11fa0025fdf3f0ccdf5ce87ba70f85e1a1bc9924
SHA1 hash:	88b80bbe09e27b586924e2d82dcccef6953064ec
MD5 hash:	3dd2fb9a313653680afd33b6a327afb8
humanhash:	mobile-lactose-shade-may
File name:	3dd2fb9a313653680afd33b6a327afb8.exe
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	5'242'880 bytes
First seen:	2023-07-31 07:25:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	eca0c30b65294d02a6c6180a6b323b58 (10 x Rhadamanthys)
ssdeep	6144:2uWP/BtSnurUylcrGYlnIttxv8HbcLgsd1Gus5psdrvV44dixP+MHDkBYdxtG9+f:2uWP/BZUyoLu8Agsmxwrvejkd2D
Threatray	4 similar samples on MalwareBazaar
TLSH	T16936785FDBB23E88CF8559B20820E679B36DC132ED7392867E16B5B13592256CF06D30
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe Rhadamanthys

Intelligence

File Origin

# of uploads :

# of downloads :

303

Origin country :

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

0e07a24a37ebcc62e68d36c7b6542dd2781c6a3f67116d783e40b17d9080477f.zip

Verdict:

Malicious activity

Analysis date:

2023-07-29 18:28:28 UTC

Tags:

rat redline amadey trojan loader kelihos opendir

Link:

https://app.any.run/tasks/dedac73a-205b-40fe-81a9-89e7907acdc7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Rhadamanthys

Link:

https://www.capesandbox.com/analysis/439370/

Detection(s):

SecuriteInfo.com.Variant.Zusy.477967.16432.31116.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Sending a custom TCP request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

greyware overlay zusy

Link:

https://www.filescan.io/uploads/64c7620f3d0bb8484a89b45d/reports/96de5d72-db68-45e0-b4bc-26294a5add7c/overview

Verdict:

Malicious

Labled as:

Trojan.Mansabo

Link:

https://www.hybrid-analysis.com/sample/a717bafa929893e64dbd2fc6b38dbeed2efc7308f1bc3e1eaf52dfc8114091ad

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bcfed05c-b49b-4dc2-9c5d-2e9401723fe9

Result

Threat name:

RHADAMANTHYS

Detection:

malicious

Classification:

troj.evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1282977

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a717bafa929893e64dbd2fc6b38dbeed2efc7308f1bc3e1eaf52dfc8114091ad/

Threat name:

Win32.Spyware.Rhadamanthys

Status:

Malicious

First seen:

2023-07-29 12:55:57 UTC

File Type:

PE (Exe)

AV detection:

20 of 24 (83.33%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=u4l3v6ustcj6mtn5f7dlhdn65uxpy4yi6g6d4hvpklp4qekasgwq._file

Verdict:

malicious

Rhadamanthys

737a4e3c0bc536fddc9f55099a01736da0b5ecb543d62b55ec3f29650a1305d8

Rhadamanthys

a6d0e60e46974bcc2b95d79efe42aef131019e1a1db2f71a780c51a68cc36199

Rhadamanthys

bcf3266e8996bcdb7acb686034f264b07c228ce37f1212b663b636cc0317ee1a

Rhadamanthys

Result

Malware family:

rhadamanthys

Score:

10/10

Tags:

family:rhadamanthys stealer

Link:

https://tria.ge/reports/230731-h9ja8sec4y/

Behaviour

Suspicious behavior: EnumeratesProcesses

Detect rhadamanthys stealer shellcode

Rhadamanthys

Unpacked files

SH256 hash:

a717bafa929893e64dbd2fc6b38dbeed2efc7308f1bc3e1eaf52dfc8114091ad

MD5 hash:

3dd2fb9a313653680afd33b6a327afb8

SHA1 hash:

88b80bbe09e27b586924e2d82dcccef6953064ec

Detections:

win_brute_ratel_c4_w0

Link:

https://www.unpac.me/results/19730e8f-38da-4f0b-8a71-62e565b4c7de/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BruteSyscallHashes Create hunting rule
Author:	Embee_Research @ Huntress

Rule name:	win_bruteratel_syscall_hashes_oct_2022 Create hunting rule
Author:	Embee_Research @ Huntress
Description:	Detection of Brute Ratel Badger via api hashes of Nt* functions.

Rule name:	win_brute_ratel_c4_w0 Create hunting rule
Author:	Embee_Research @ Huntress

Rule name:	win_Brute_Syscall_Hashes Create hunting rule
Author:	Embee_Research @ Huntress
Description:	Detection of Brute Ratel Badger via api hashes of Nt* functions.