MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be2d86da86df489ac16c9290fd39f4b4bb577c328466f7d366bf2e1e439c620a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	be2d86da86df489ac16c9290fd39f4b4bb577c328466f7d366bf2e1e439c620a
SHA3-384 hash:	e2bef3b18fe74abe9f321529f2972ae5913984d5b232f1ad61abaa33d3cee8dfe27f20b5f27a91e676c4f6ec4c1b9c0b
SHA1 hash:	263bbc9d6d2c256eca49f31203cecb652d354587
MD5 hash:	227eb8918a067c8c06505e165d641fac
humanhash:	fillet-comet-indigo-hot
File name:	227eb8918a067c8c06505e165d641fac.exe
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	211'456 bytes
First seen:	2023-02-03 19:20:49 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ab41656c48706f1fda9fa72f84547ff3 (3 x Rhadamanthys)
ssdeep	3072:jkfcpRIUg/18+G8m+6Sx0WJ0u0/5URvtz7BokhtyhN2YNj9UXezE5yVRhpuI5:jkfcNklrEPyT/BvyhN2YWh5kr
TLSH	T1FC24E109B2D18878FA9402325D748E7315FE3B6B4B30CB97776C0986AE712F5652A3D3
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe Rhadamanthys

Intelligence

File Origin

# of uploads :

# of downloads :

207

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

be03af81590f6a59751a755f26530da0

Verdict:

Malicious activity

Analysis date:

2023-02-03 05:49:25 UTC

Tags:

trojan rat redline amadey loader keylogger remcos

Link:

https://app.any.run/tasks/4c727532-4940-4712-9adb-70298e9de92f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/360024/

Detection(s):

SecuriteInfo.com.Variant.Fragtor.201439.20808.29934.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Detecting VM

Sending an HTTP GET request

Creating a file in the %AppData% directory

Launching a process

Deleting a recently created file

Reading critical registry keys

Stealing user critical data

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/65112/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

EvasionGetTickCount

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

No Threat

Threat level:

2/10

Confidence:

67%

Tags:

greyware shell32.dll

Link:

https://www.filescan.io/uploads/63dd5ea3905a5ac3b90967a0/reports/4db7304a-9477-4132-885d-f43e0e61a73d/overview

Verdict:

Malicious

Labled as:

Fragtor.Generic

Link:

https://www.hybrid-analysis.com/sample/be2d86da86df489ac16c9290fd39f4b4bb577c328466f7d366bf2e1e439c620a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c813f306-535d-4f66-ac9d-5f7216e84dbd

Result

Threat name:

RHADAMANTHYS

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1165543

Signature

Checks if the current machine is a virtual machine (disk enumeration)

Contain functionality to detect virtual machines

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to detect virtual machines (IN, VMware)

Contains functionality to hide a thread from the debugger

Found many strings related to Crypto-Wallets (likely being stolen)

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Searches for specific processes (likely to inject)

Snort IDS alert for network traffic

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/be2d86da86df489ac16c9290fd39f4b4bb577c328466f7d366bf2e1e439c620a/

Threat name:

Win32.Spyware.Rhadamanthys

Status:

Malicious

First seen:

2023-02-03 13:11:12 UTC

File Type:

PE (Exe)

AV detection:

16 of 26 (61.54%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xywynwug35ejvqlmskip2opuws5vo7bsqrtppu3gx4xb4q44mifa._file

Verdict:

malicious

Result

Malware family:

rhadamanthys

Score:

10/10

Tags:

family:rhadamanthys stealer

Link:

https://tria.ge/reports/230203-x2nnbaac52/

Behaviour

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of NtSetInformationThreadHideFromDebugger

Detect rhadamanthys stealer shellcode

Rhadamanthys

Unpacked files

SH256 hash:

be2d86da86df489ac16c9290fd39f4b4bb577c328466f7d366bf2e1e439c620a

MD5 hash:

227eb8918a067c8c06505e165d641fac

SHA1 hash:

263bbc9d6d2c256eca49f31203cecb652d354587

Link:

https://www.unpac.me/results/899530ed-23e0-45fd-8460-8af0ecb19873/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/be2d86da86df/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/be2d86da86df489ac16c9290fd39f4b4bb577c328466f7d366bf2e1e439c620a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

exe be2d86da86df489ac16c9290fd39f4b4bb577c328466f7d366bf2e1e439c620a

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2529331/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/360024/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample