MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4346702b4b5029cbd627b5df724550f8b783ba22876e5070dadc0ed5c214df2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b4346702b4b5029cbd627b5df724550f8b783ba22876e5070dadc0ed5c214df2
SHA3-384 hash: c6c39b043e81d776b9b8b9744325e1501f9f2c768a7ab08327af316c99af0ff6a743010e46efd6bfe3cb4ce23e4d188a
SHA1 hash: cb5a45de787c34eda399a3cad64abd3b6133f514
MD5 hash: 4295dda40427af8df6738b3531d63389
humanhash: lion-kentucky-summer-freddie
File name:Obsidian_Installer_v.3.15.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:24'104'960 bytes
First seen:2024-09-09 21:36:10 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 393216:u66L7jpW/sxwA0Ip5AGgrJmD1Y5D9xAgAmBOn4AZENqMJiaErOQtt4KgTD5v2X:uHWUxOQxZDKNfAuOri9rQtlKy
Threatray 147 similar samples on MalwareBazaar
TLSH T12D3733477CC09539D9FE5A36331AD3B91A7A3C91DBF14D9A2F5EBA3890320811269F1C
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter Anonymous
Tags:exe msi Rhadamanthys signed windows

Code Signing Certificate

Organisation:Shanxi Zhongxin Huili Information Technology Co., Ltd.
Issuer:SSL.com EV Code Signing Intermediate CA RSA R3
Algorithm:sha256WithRSAEncryption
Valid from:2024-08-02T20:14:46Z
Valid to:2025-08-02T04:34:06Z
Serial number: 094e710e6df60758e083dd6c60629f9b
Thumbprint Algorithm:SHA256
Thumbprint: 60f3ff0a9068f6b18559e40568da6e6ac282c9c9b6a1a245148ed582db6d1793
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
Anonymous
part of the infostealer phishing campaign impersonating Obsidian

Intelligence

File Origin
# of uploads :
1
# of downloads :
624
Origin country :
AE AE
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.FileRepMalware.2016.10996.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66df6a8276bc4542b0494a28
Tags:
n/a
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
fingerprint installer lolbin masquerade shell32
Link:
https://www.filescan.io/uploads/66df6a81ac80a0110f670346/reports/62d8ac0e-adb1-4429-8256-c5db64acb342/overview
Verdict:
Suspicious
Link:
https://www.hybrid-analysis.com/sample/b4346702b4b5029cbd627b5df724550f8b783ba22876e5070dadc0ed5c214df2
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/b4346702b4b5029cbd627b5df724550f8b783ba22876e5070dadc0ed5c214df2
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
57 / 100
Link:
https://www.joesandbox.com/analysis/1508298
Signature
Bypasses PowerShell execution policy
Checks if the current machine is a virtual machine (disk enumeration)
Infects executable files (exe, dll, sys, html)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1508298 Sample: Obsidian_Installer_v.3.15.exe.msi Startdate: 09/09/2024 Architecture: WINDOWS Score: 57 63 Yara detected RHADAMANTHYS Stealer 2->63 65 Yara detected Costura Assembly Loader 2->65 67 Yara detected Generic Downloader 2->67 8 msiexec.exe 501 433 2->8         started        12 msiexec.exe 5 2->12         started        process3 file4 53 C:\Users\user\...\PackageManager.UI.exe, PE32 8->53 dropped 55 C:\Program Files (x86)\...behaviorgraphitUI.dll, PE32 8->55 dropped 57 C:\Program Files (x86)\...\set-telemetry.ps1, ASCII 8->57 dropped 59 283 other files (none is malicious) 8->59 dropped 75 Infects executable files (exe, dll, sys, html) 8->75 14 msiexec.exe 1 2 8->14         started        17 msiexec.exe 8->17         started        19 msiexec.exe 8->19         started        21 msiexec.exe 8->21         started        signatures5 process6 signatures7 77 Bypasses PowerShell execution policy 14->77 79 Switches to a custom stack to bypass stack traces 14->79 23 OpenWith.exe 14->23         started        26 msiexec.exe 6 14->26         started        29 WerFault.exe 2 14->29         started        31 dllhost.exe 14->31         started        33 ngen.exe 4 4 17->33         started        35 ngen.exe 4 4 17->35         started        37 ngen.exe 4 17->37         started        39 ngen.exe 17->39         started        41 powershell.exe 18 19->41         started        process8 file9 69 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 23->69 71 Checks if the current machine is a virtual machine (disk enumeration) 23->71 73 Switches to a custom stack to bypass stack traces 23->73 61 C:\Users\user\AppData\Local\...\MSI7101.tmp, PE32 26->61 dropped 43 conhost.exe 33->43         started        45 conhost.exe 35->45         started        47 conhost.exe 37->47         started        49 conhost.exe 39->49         started        51 conhost.exe 41->51         started        signatures10 process11
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wq2goavuwubjzplcpno7ojcvb6fxqo5cfb3okbynvxao2xbbjxza._file
Verdict:
malicious
Similar samples:
08350103990b4a2c500792ff535bbda6019c06dc00e3a2c8f7d42da234f94531
Rhadamanthys
15c7ce1bc55549efc86dea74a90f42fb4665fe15b14f760037897c772159a5b5
Rhadamanthys
33682e861b76b0ae22b7361f5b59bb7e69b95e69480156714f01e7044408b546
Rhadamanthys
6cd031908922840ee684d3c05294e7e071b500915b760c474f22c1def0df14bc
Rhadamanthys
7ccfae8644c3bc7439b88f2dc0de06bb5082de09b0bf5e143de17487ff252224
Rhadamanthys
ad8a68b30eb57f68ac5114c34d84977986b8a1a861ea1510275ca9135ab69c27
Rhadamanthys
b4346702b4b5029cbd627b5df724550f8b783ba22876e5070dadc0ed5c214df2
Rhadamanthys
d24b622ee7dc6ec0e89d9d561ce161a4336322b4d22614284810116434e66c1c
Rhadamanthys
f9ecdc4cd55f91273fef14b24c82da1b23abdcf63914ffa42749f9c3b9389453
Rhadamanthys
+ 137 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys discovery persistence privilege_escalation stealer
Link:
https://tria.ge/reports/240909-1gfzhstcnc/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Loads dropped DLL
Blocklisted process makes network request
Enumerates connected drives
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3bf1e699-781e-40b0-8268-9970037f1ce0
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b4346702b4b5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.48
Link:
https://yomi.yoroi.company/submissions/b4346702b4b5029cbd627b5df724550f8b783ba22876e5070dadc0ed5c214df2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Microsoft Software Installer (MSI) msi b4346702b4b5029cbd627b5df724550f8b783ba22876e5070dadc0ed5c214df2

(this sample)

  
Delivery method
Distributed via web download

Comments