MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4c5976c195529d342848c33311292fc6778a79c21cb1d546c82af157350e702. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Rhadamanthys


Vendor detections: 8



SHA256 hash: b4c5976c195529d342848c33311292fc6778a79c21cb1d546c82af157350e702
SHA3-384 hash: eb100cc1a50a3dfff393f240ea4877070fea99a314d1a5fe71f961e894948a7079888f5add593101378358f3020e3c8c
SHA1 hash: 9decc9eaeed3cf309c504a3d386bf8bb7b71a4ac
MD5 hash: afeb268e3d12ec1fd5c8e948fd11ceae
humanhash: eighteen-don-may-montana
File name: file.ps1
Signature: Rhadamanthys
File size: 6'840'799 bytes
First seen: 2025-02-17 08:21:04 UTC
Last seen: 2025-02-19 12:02:24 UTC
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 1536:PNQNfQ+WRLyMNQNfQ+WRLyMNQNfQ+WRLyMNQNfQ+WRLyu26vgn00oR/S7rEmamY8:sigp
TLSH: T1C0665AAC5FCC30A0FC09A6519AB6BC7B527235F745F265090324BE951F92F7EAB804D8
Magika: powershell
Reporter: JAMESWT_WT
Tags: 185-196-11-201 booking lundkimuchili ps1 Rhadamanthys Spam-ITA

Intelligence


File Origin
Uploads: 2
Downloads: 127
Origin country: IT
Vendor Threat Intelligence

Verdict: Malicious
Score: 91.7%
Tags: vmdetect

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm evasive lolbin obfuscated obfuscated packed persistence schtasks

Result
Verdict: UNKNOWN

Result
Threat name: PureLog Stealer, RHADAMANTHYS, zgRAT
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Deletes itself after installation
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Sigma detected: HackTool - CACTUSTORCH Remote Thread Creation
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected PureLog Stealer
Yara detected RHADAMANTHYS Stealer
Yara detected zgRAT
Behaviour
Behavior Graph (figure; the text below is what was recoverable from the graph image): Behavior Graph ID 1616836, Sample file.ps1, Startdate 17/02/2025, Architecture WINDOWS, Score 100.

Network contacts shown in the graph:
- hotelfebi2025.blogspot.com
- shed.dual-low.s-part-0017.t-0009.t-msedge.net
- blogspot.l.googleusercontent.com, 142.250.186.161, port 443 (GOOGLEUS, United States), contacted by powershell.exe
- bitbucket.org, 185.166.143.48, port 443 (AMAZON-02US, Germany), contacted by powershell.exe
- 185.166.143.49, port 443 (AMAZON-02US, Germany), contacted by powershell.exe
- 3 other IPs or domains

Process tree shown in the graph:
- Root: powershell.exe, mshta.exe (two instances) and 4 other processes started. Root-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures.
- powershell.exe (root): Creates autostart registry keys with suspicious values (likely registry only malware); Creates multiple autostart registry keys; Creates an autostart registry key pointing to binary in C:\Windows; 4 other signatures. Starts RegSvcs.exe (three instances) and 6 other processes.
- mshta.exe (root, both instances): Suspicious powershell command line found; Bypasses PowerShell execution policy. Each starts powershell.exe.
- powershell.exe (child of mshta.exe): Creates autostart registry keys with suspicious values (likely registry only malware); Creates multiple autostart registry keys; Writes to foreign memory regions; Injects a PE file into a foreign processes; Loading BitLocker PowerShell Module. Starts RegSvcs.exe, conhost.exe and 9 other processes.
- RegSvcs.exe (children of powershell.exe): start mshta.exe, svchost.exe, fontdrvhost.exe and dw20.exe.
- fontdrvhost.exe (child of RegSvcs.exe): Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks if the current machine is a virtual machine (disk enumeration); Switches to a custom stack to bypass stack traces.
- mshta.exe (child of RegSvcs.exe): Suspicious powershell command line found. Starts powershell.exe, which shows Creates autostart registry keys with suspicious values (likely registry only malware); Writes to foreign memory regions; Injects a PE file into a foreign processes; Loading BitLocker PowerShell Module, and starts conhost.exe.
- svchost.exe (child of RegSvcs.exe): Checks if the current machine is a virtual machine (disk enumeration).
- Further dw20.exe and svchost.exe instances are started by the later RegSvcs.exe and powershell.exe stages.
Threat name: Script-PowerShell.Trojan.Rhadamanthys
Status: Malicious
First seen: 2025-02-17 08:20:38 UTC
File Type: Text (PowerShell)
AV detection: 8 of 24 (33.33%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: discovery execution persistence
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
.NET Reactor protector
Deletes itself
Downloads MZ/PE file
Suspicious use of NtCreateUserProcessOtherParentProcess
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ClamAV_Emotet_String_Aggregate

Rule name: detect_powershell
Author: daniyyell
Description: Detects suspicious PowerShell activity related to malware execution

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments