MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad8a68b30eb57f68ac5114c34d84977986b8a1a861ea1510275ca9135ab69c27. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys
Vendor detections: 14


SHA256 hash: ad8a68b30eb57f68ac5114c34d84977986b8a1a861ea1510275ca9135ab69c27
SHA3-384 hash: 77ac4ef54e8afa05d8eb5a80528da00fbde04d83e4c33886874266dd15d685ec120fb977a0ebd95b4731255fca9043bf
SHA1 hash: a31b0ac14c81447b71524e2815be43d9a55ea9f1
MD5 hash: ee0a93c22584233cc9faf75b7b49bb78
humanhash: friend-august-river-music
File name: ee0a93c22584233cc9faf75b7b49bb78.exe
Signature Rhadamanthys
File size: 2'489'984 bytes
First seen: 2024-09-06 17:47:34 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash b5a014d7eeb4c2042897567e1288a095 (19 x HijackLoader, 14 x ValleyRAT, 12 x LummaStealer)
ssdeep 49152:+pz3Cy3BkrhfRAXMSxDw7DDCDbNV2ZGomxwF2Nz2k+IsvOYIiPcT:+pey3BkrZRAXMwDuDeh4ZGXeUMSevI9
TLSH T164B5238033C890F1C23BC939CF5ED3521373F6B967822E9BE5592E651E539D282479E8
TrID 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
24.6% (.EXE) Win64 Executable (generic) (10523/12/4)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon c292ecd8f2f6fe1c (15 x HijackLoader, 11 x LummaStealer, 7 x Arechclient2)
Reporter abuse_ch
Tags: exe Rhadamanthys

Intelligence


File Origin
# of uploads :
1
# of downloads :
413
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PENDXGKW.exe
Verdict:
Malicious activity
Analysis date:
2024-08-29 07:03:20 UTC
Tags:
xworm pastebin remote rhadamanthys shellcode

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
Encryption Execution Network Stealth Trojan
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating synchronization primitives
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Launching cmd.exe command interpreter
Launching a process
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
7.5/10
Confidence:
100%
Tags:
epmicrosoft_visual_cc fingerprint installer lolbin microsoft_visual_cc overlay packed shell32
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RHADAMANTHYS
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 1505782
Sample: 6BIXMO2ulm.exe
Startdate: 06/09/2024
Architecture: WINDOWS
Score: 100
Top-level signatures: Found malware configuration; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 4 other signatures

Process tree (as reconstructed from the graph):
6BIXMO2ulm.exe (started)
    dropped: C:\Users\user\AppData\Local\Temp\dpaw.exe (PE32)
    dropped: C:\Users\user\AppData\Local\...\d3dx9_43.dll (PE32)
    dpaw.exe (started)
        dropped: C:\Users\user\AppData\Roaming\...\dpaw.exe (PE32)
        dropped: C:\Users\user\AppData\...\d3dx9_43.dll (PE32)
        signatures: Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
        dpaw.exe (started)
            signatures: Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
            cmd.exe (started)
                dropped: C:\Users\user\AppData\Local\...\maatytgafhwp (PE32)
                signatures: Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; Found hidden mapped module (file has been removed from disk); 2 other signatures
                explorer.exe (started)
                    signatures: Switches to a custom stack to bypass stack traces
                conhost.exe (started)
Threat name:
Win32.Trojan.Malgent
Status:
Malicious
First seen:
2024-08-29 20:44:00 UTC
File Type:
PE (Exe)
Extracted files:
74
AV detection:
17 of 24 (70.83%)
Threat level:
5/5
Verdict:
malicious
Result
Malware family:
rhadamanthys
Score:
10/10
Tags:
family:rhadamanthys discovery stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
https://154.216.19.149:2047/888260cc6af8f/pnmx326i.m7ats
Unpacked files
SHA256 hash: 68bee500e0080f21c003126e73b6d07804d23ac98b2376a8b76c26297d467abe
MD5 hash: d4dae7149d6e4dab65ac554e55868e3b
SHA1 hash: b3bea0a0a1f0a6f251bcf6a730a97acc933f269a
SHA256 hash: a6edb3fb6d21dd461da3767a7995034e208f7d6b08997f6cf7ee7b0ea833a8f0
MD5 hash: cabb58bb5694f8b8269a73172c85b717
SHA1 hash: 9ed583c56385fed8e5e0757ddb2fdf025f96c807
SHA256 hash: 1789b08ac26e58b2473a31096c5e678b89c8941797c52e10922e6459ae786680
MD5 hash: 35633596b1bc8b146bd92a598b8e2224
SHA1 hash: c17c5c9bcd78b48764906e7908292e4e1443ad6d
SHA256 hash: 7974aae690d75b2722454529f8b72aeac383e9f6a8779a69c869cc398780c49a
MD5 hash: 6c3d1310d6dabdffd721903ec7c45b27
SHA1 hash: 959bb09b7898382181ea6585aa6144e76f7d92f8
SHA256 hash: ad8a68b30eb57f68ac5114c34d84977986b8a1a861ea1510275ca9135ab69c27
MD5 hash: ee0a93c22584233cc9faf75b7b49bb78
SHA1 hash: a31b0ac14c81447b71524e2815be43d9a55ea9f1
Please note that we are no longer able to provide a coverage score for Virus Total.

File information



BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_NX | Missing Non-Executable Memory Protection | critical
CHECK_PIE | Missing Position-Independent Executable (PIE) Protection | high

Reviews
ID | Capabilities | Evidence
COM_BASE_API | Can Download & Execute components | ole32.dll::CoCreateInstance, ole32.dll::CreateStreamOnHGlobal
SHELL_API | Manipulates System Shell | SHELL32.dll::ShellExecuteExW, SHELL32.dll::ShellExecuteW, SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::LoadLibraryA, KERNEL32.dll::GetDriveTypeW, KERNEL32.dll::GetStartupInfoA, KERNEL32.dll::GetDiskFreeSpaceExW, KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::GetSystemDirectoryW, KERNEL32.dll::GetFileAttributesW, KERNEL32.dll::FindFirstFileW
WIN_USER_API | Performs GUI Actions | USER32.dll::CreateWindowExW

Comments