MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac2fcadee1d8209ad9d5f3842020adb3ec81d0bd0bf977a726edaecfd26ac317. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac2fcadee1d8209ad9d5f3842020adb3ec81d0bd0bf977a726edaecfd26ac317
SHA3-384 hash: fce45048780af79e077039c705ae20ea39f48371e94e73e5ac4ce0ad026f5b2621369bc80a927bff6d110f08095006bc
SHA1 hash: d33265591eedddf7d7af5a932bc8e4e4a2229e6c
MD5 hash: d384b4d1d761853f01257a96d02e8300
humanhash: berlin-ink-carpet-single
File name:file
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:5'266'008 bytes
First seen:2023-01-30 08:30:54 UTC
Last seen:2023-01-30 08:33:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 239d5cfa179b7a37d130bb94fad45e2e (2 x Rhadamanthys)
ssdeep 98304:adFwHQR3l8sa3HlTKPGmrI2TpY8g26sTYlt4b8nXE:arR7a3lTKualK8g2/Tm4z
Threatray 4'747 similar samples on MalwareBazaar
TLSH T11A36522FF6DC639BDB883959C981D38028B7F4AC5A44743F487EB5A7891DE028EB0355
TrID 39.5% (.EXE) InstallShield setup (43053/19/16)
28.6% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
9.6% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
File icon (PE):PE icon
dhash icon 007c9e8393baaba2 (1 x Rhadamanthys)
Reporter andretavare5
Tags:exe Rhadamanthys signed

Code Signing Certificate

Organisation:dwacspac.com
Issuer:Sectigo RSA Domain Validation Secure Server CA
Algorithm:sha256WithRSAEncryption
Valid from:2023-01-15T00:00:00Z
Valid to:2023-04-15T23:59:59Z
Serial number: 80ed6736fa4d62984e5f0b916eaffd02
Thumbprint Algorithm:SHA256
Thumbprint: cd9fcbe35ed2ea33c0f420b6a883d11756f80426be7895f34da671ae50b7513f
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from https://vk.com/doc712319849_660755011?hash=xVvGlx3AoFM2bq2u4ofm6FopEJEN7bOgZAxBLcAjvvs&dl=G4YTEMZRHE4DIOI:1675066320:smqcmvN2OOr9JztOXwzXzAEPCWZJZzX4dRYn2EWDMJD&api=1&no_preview=1#rise1

Intelligence

File Origin
# of uploads :
2
# of downloads :
232
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Suspicious activity
Analysis date:
2023-01-30 08:31:43 UTC
Tags:
installer
Link:
https://app.any.run/tasks/f142b3ca-08aa-4281-bea4-1e9249444f03

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/358155/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Sending a custom TCP request
Sending an HTTP GET request
Reading critical registry keys
Creating a window
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Detecting VM
DNS request
Launching a process
Creating a file in the %temp% subdirectories
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/63947/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
CPUID_Instruction
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63d78048696b2d972574e313/reports/75787654-a9ad-4f0a-b462-b5df76d99f1c/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mustang Panda
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e0cf7499-8d99-4b09-91e3-650308cab004
Result
Threat name:
PrivateLoader, RHADAMANTHYS, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1161368
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Antivirus detection for URL or domain
Checks if the current machine is a virtual machine (disk enumeration)
Creates an undocumented autostart registry key
Detected Stratum mining protocol
DLL side loading technique detected
Encrypted powershell cmdline option found
Hides threads from debuggers
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected PrivateLoader
Yara detected RHADAMANTHYS Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 794115 Sample: file.exe Startdate: 30/01/2023 Architecture: WINDOWS Score: 100 117 Snort IDS alert for network traffic 2->117 119 Malicious sample detected (through community Yara rule) 2->119 121 Antivirus detection for URL or domain 2->121 123 11 other signatures 2->123 11 file.exe 9 2->11         started        16 svchost.exe 3 4 2->16         started        process3 dnsIp4 101 k8vhxqfurcvjxk4wk6wr.uzcsm0wdfd 11->101 103 192.168.2.1 unknown unknown 11->103 83 C:\Users\user\AppData\Local\...\7124875.dll, PE32 11->83 dropped 151 Writes to foreign memory regions 11->151 153 Allocates memory in foreign processes 11->153 155 Injects a PE file into a foreign processes 11->155 18 fontview.exe 1 11->18         started        23 ngentask.exe 26 11->23         started        25 ngentask.exe 11->25         started        27 ngentask.exe 11->27         started        29 WerFault.exe 16->29         started        31 WerFault.exe 16->31         started        file5 signatures6 process7 dnsIp8 89 109.206.243.168, 49711, 49712, 49713 AWMLTNL Germany 18->89 69 C:\Users\user\AppData\...\nsis_uns6d3b80.dll, PE32+ 18->69 dropped 133 Query firmware table information (likely to detect VMs) 18->133 135 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 18->135 137 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 18->137 147 3 other signatures 18->147 33 rundll32.exe 18->33         started        91 ipinfo.io 34.117.59.81, 443, 49697 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 23->91 93 188.114.96.3, 443, 49699, 49700 CLOUDFLARENETUS European Union 23->93 95 d-rise.cc 188.114.97.3, 443, 49698, 49701 CLOUDFLARENETUS European Union 23->95 71 C:\Users\user\AppData\Local\...\softokn3.dll, PE32 23->71 dropped 73 C:\Users\user\AppData\Local\Temp\...\nss3.dll, PE32 23->73 dropped 75 C:\Users\user\AppData\Local\...\mozglue.dll, PE32 23->75 dropped 77 C:\Users\user\AppData\Local\...\freebl3.dll, PE32 23->77 dropped 139 Tries to steal Mail credentials (via file / registry access) 23->139 141 Tries to harvest and steal browser information (history, passwords, etc) 23->141 143 DLL side loading technique detected 23->143 36 WerFault.exe 24 9 23->36         started        145 May check the online IP address of the machine 25->145 file9 signatures10 process11 signatures12 109 System process connects to network (likely due to code injection or exploit) 33->109 111 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 33->111 113 Tries to steal Mail credentials (via file / registry access) 33->113 115 4 other signatures 33->115 38 dllhost.exe 14 6 33->38         started        43 WerFault.exe 33->43         started        process13 dnsIp14 97 transfer.sh 144.76.136.153, 443, 49714, 49715 HETZNER-ASDE Germany 38->97 79 C:\Users\user\AppData\Local\...\Library.exe, PE32+ 38->79 dropped 81 C:\Users\user\AppData\Local\Temp\Data.exe, PE32+ 38->81 dropped 149 System process connects to network (likely due to code injection or exploit) 38->149 45 Library.exe 38->45         started        49 Data.exe 1 6 38->49         started        file15 signatures16 process17 file18 85 C:\Users\user\AppData\Roaming\...\AppSvc.exe, PE32+ 45->85 dropped 157 Hijacks the control flow in another process 45->157 159 Machine Learning detection for dropped file 45->159 161 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 45->161 169 2 other signatures 45->169 51 MSBuild.exe 45->51         started        54 powershell.exe 45->54         started        87 C:\Users\user\AppData\...\IntelSvc.exe, PE32+ 49->87 dropped 163 Creates an undocumented autostart registry key 49->163 165 Encrypted powershell cmdline option found 49->165 167 Writes to foreign memory regions 49->167 56 powershell.exe 49->56         started        58 InstallUtil.exe 49->58         started        signatures19 process20 dnsIp21 125 Writes to foreign memory regions 51->125 127 Allocates memory in foreign processes 51->127 129 Modifies the context of a thread in another process (thread injection) 51->129 131 Injects a PE file into a foreign processes 51->131 61 SMSvcHost.exe 51->61         started        65 conhost.exe 54->65         started        67 conhost.exe 56->67         started        99 45.159.189.105, 49719, 80 HOSTING-SOLUTIONSUS Netherlands 58->99 signatures22 process23 dnsIp24 105 pool-fr.supportxmr.com 141.94.96.71, 49720, 8080 DFNVereinzurFoerderungeinesDeutschenForschungsnetzese Germany 61->105 107 pool.supportxmr.com 61->107 171 Query firmware table information (likely to detect VMs) 61->171 signatures25 173 Detected Stratum mining protocol 105->173
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac2fcadee1d8209ad9d5f3842020adb3ec81d0bd0bf977a726edaecfd26ac317/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2023-01-30 08:31:09 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
11 of 26 (42.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vqx4vxxb3aqjvwov6occaifnwpwiduf5bp4xpjzg5wxm7utkymlq._file
Verdict:
malicious
Similar samples:
2be47a55c0d9a863fb620ba88c0c276c2f97fa775eaa435c20d8065af267784e
Rhadamanthys
5866f921e4e7d2eef8693f9fefb19ccd46224c02bb46dd51639d8680de185a40
Rhadamanthys
591efac1879c1ec4079d2435e256d6ac654031cb477a0ba9b141c84a6ea51eb1
Rhadamanthys
84fcfc88df2041347b749df08d82fdb951f0335567ac9e5f1828e84084542e1f
Rhadamanthys
9146cee3d387cb3d665885b95d885734541f281cbb2a4726b6a59df922a83ee7
Rhadamanthys
b0a22e9a9850fa4356f5603905f45645489ae04d60d630772b3b8227a21b1956
Rhadamanthys
ee8ea5570b0a2c9f6aef8e551cc0d3fbd0be45dc5c11c50ca7056eef2d85d77d
Rhadamanthys
f92b81ca5eebd6f7fb97f0c94d92874c97d738db54887421b82cade3a4be90cd
Rhadamanthys
fee1d36af03a162f70a627c7cd3efa55b0557530d7eefbe8c72026f48b904595
Rhadamanthys
+ 4'737 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:privateloader family:rhadamanthys loader stealer
Link:
https://tria.ge/reports/230130-kep7eahg35/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
Detect rhadamanthys stealer shellcode
PrivateLoader
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
78d266cd214c9348c2f87e16a9d6c9c58ddd2fd1d2a2a9107560feb3ce61bce0
MD5 hash:
8ad6e7f90eb598f929578e5b037fa106
SHA1 hash:
39e48138a8e093cd209d4e26cbc064e828ab1b18
Link:
https://www.unpac.me/results/9b3d1883-f19f-4983-bc91-973821acd9a9/
SH256 hash:
ac2fcadee1d8209ad9d5f3842020adb3ec81d0bd0bf977a726edaecfd26ac317
MD5 hash:
d384b4d1d761853f01257a96d02e8300
SHA1 hash:
d33265591eedddf7d7af5a932bc8e4e4a2229e6c
Link:
https://www.unpac.me/results/9b3d1883-f19f-4983-bc91-973821acd9a9/
Malware family:
PrivateLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ac2fcadee1d8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/ac2fcadee1d8209ad9d5f3842020adb3ec81d0bd0bf977a726edaecfd26ac317

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/358155/

Comments