MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4dabf844bceeb5b1fa448549735296b4bdf289f346f960228d52a7a09e35ea1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b4dabf844bceeb5b1fa448549735296b4bdf289f346f960228d52a7a09e35ea1
SHA3-384 hash: 6150fa3e9f2da2f3a4e8eabf1a3340fc6d7d1545aba0c5433ff276ef94709d8d3c176b435cb7ac3598de71376fd0cb07
SHA1 hash: 42b37211578e971c684b493c8b604874518652e3
MD5 hash: b629e4a76638f91a67059188d07e27f6
humanhash: hydrogen-five-vermont-red
File name:test.ps1
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:702 bytes
First seen:2024-10-08 18:49:31 UTC
Last seen:2024-10-10 17:12:52 UTC
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 12:WWfk4AFHWEj5mdVFeLLPfI4SeRQoD/4EIlQUZ9GQuOWgTThUlIeRQqpO/dXyG:v+JWI5AILPfPSvoD/JsBjVuOWAa6J/dd
TLSH T1700110C56C56AFE31040E1D228C8BA7E3232D56D44F90192B5FA6263246D57D0DD7939
Magika powershell
Reporter JAMESWT_WT
Tags:1h982d-bemostake-space 24-152-39-227 ps1 Rhadamanthys rocketdocs-lol

Intelligence

File Origin
# of uploads :
2
# of downloads :
144
Origin country :
IT IT
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Script.SNH-gen.8353.31490.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
dropper
Link:
https://www.filescan.io/uploads/67057edcd92ce92b9f9bb633/reports/0d95b663-e471-49c5-8e3e-cb2f56ccb359/overview
Verdict:
Malicious
Labled as:
Trojan.Agent
Link:
https://www.hybrid-analysis.com/sample/b4dabf844bceeb5b1fa448549735296b4bdf289f346f960228d52a7a09e35ea1
Result
Verdict:
MALICIOUS
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1529309
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell creates an autostart link
Powershell drops PE file
Sets debug register (to hijack the execution of another thread)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Outbound RDP Connections Over Non-Standard Tools
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Potentially Suspicious Malware Callback Communication
Sigma detected: Powershell launch regsvr32
Sigma detected: Powerup Write Hijack DLL
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected Powershell download and execute
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1529309 Sample: test.ps1 Startdate: 08/10/2024 Architecture: WINDOWS Score: 100 62 rocketdocs.lol 2->62 64 bg.microsoft.map.fastly.net 2->64 66 2 other IPs or domains 2->66 86 Suricata IDS alerts for network traffic 2->86 88 Found malware configuration 2->88 90 Antivirus / Scanner detection for submitted sample 2->90 92 15 other signatures 2->92 10 regsvr32.exe 1 2 2->10         started        13 powershell.exe 14 21 2->13         started        17 regsvr32.exe 2->17         started        signatures3 process4 dnsIp5 108 Sets debug register (to hijack the execution of another thread) 10->108 19 OpenWith.exe 10->19         started        76 bemostake.space 188.114.96.3, 443, 49716 CLOUDFLARENETUS European Union 13->76 78 rocketdocs.lol 188.114.97.3, 443, 49737 CLOUDFLARENETUS European Union 13->78 56 C:\Users\user\Desktop\utox_x86_x64.exe, PE32+ 13->56 dropped 58 C:\Users\Public\ajbs50ul.bat, PE32+ 13->58 dropped 110 Found many strings related to Crypto-Wallets (likely being stolen) 13->110 112 Drops PE files to the user root directory 13->112 114 Powershell creates an autostart link 13->114 116 Powershell drops PE file 13->116 23 ajbs50ul.bat 1 13->23         started        26 utox_x86_x64.exe 1 36 13->26         started        28 conhost.exe 13->28         started        80 185.196.9.174 SIMPLECARRIERCH Switzerland 17->80 82 8.8.8.8 GOOGLEUS United States 17->82 118 System process connects to network (likely due to code injection or exploit) 17->118 file6 signatures7 process8 dnsIp9 68 147.45.126.71, 3752, 49819 FREE-NET-ASFREEnetEU Russian Federation 19->68 94 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->94 96 Tries to steal Mail credentials (via file / registry access) 19->96 98 Found many strings related to Crypto-Wallets (likely being stolen) 19->98 106 2 other signatures 19->106 30 rekeywiz.exe 19->30         started        34 wmpnscfg.exe 19->34         started        36 rekeywiz.exe 19->36         started        54 C:\Users\user\AppData\Roaming\4smg.ini, PE32+ 23->54 dropped 100 Multi AV Scanner detection for dropped file 23->100 102 Suspicious powershell command line found 23->102 104 Found direct / indirect Syscall (likely to bypass EDR) 23->104 38 powershell.exe 37 23->38         started        40 regsvr32.exe 23->40         started        70 104.223.122.15 ASN-QUADRANET-GLOBALUS United States 26->70 72 192.168.2.7, 33445, 3752, 443 unknown unknown 26->72 74 23 other IPs or domains 26->74 file10 signatures11 process12 file13 60 C:\Users\user\AppData\Roaming\oSyU.ini, PE32+ 30->60 dropped 122 Suspicious powershell command line found 30->122 42 powershell.exe 30->42         started        45 regsvr32.exe 30->45         started        124 Writes to foreign memory regions 34->124 126 Allocates memory in foreign processes 34->126 47 dllhost.exe 34->47         started        128 Loading BitLocker PowerShell Module 38->128 50 conhost.exe 38->50         started        signatures14 process15 dnsIp16 120 Loading BitLocker PowerShell Module 42->120 52 conhost.exe 42->52         started        84 46.29.238.96 EUROTELECOM-ASRU Russian Federation 47->84 signatures17 process18
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/b4dabf844bceeb5b1fa448549735296b4bdf289f346f960228d52a7a09e35ea1
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b4dabf844bceeb5b1fa448549735296b4bdf289f346f960228d52a7a09e35ea1/
Threat name:
Script-PowerShell.Spyware.Rhadamanthys
Create hunting rule
Status:
Malicious
First seen:
2024-10-08 18:50:04 UTC
File Type:
Text (PowerShell)
AV detection:
14 of 38 (36.84%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wtnl7bclz3vvwh5ejbkjonjjnnf56ke7grxzmari2uvhucpdl2qq._file
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys execution stealer
Link:
https://tria.ge/reports/241008-xgw4ysxfmh/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b4dabf844bceeb5b1fa448549735296b4bdf289f346f960228d52a7a09e35ea1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments