MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c730d9043cb5bd6d4152a91ceb0efa5af74d00510f73ef536467f2ee7f133809. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c730d9043cb5bd6d4152a91ceb0efa5af74d00510f73ef536467f2ee7f133809
SHA3-384 hash: e95fcb444d0aff6f07d82f956e1e1ff426e2cea7f5618b76379532e422f9a95ff470442f6ab5a0abdddc28185cfc3ed5
SHA1 hash: 14e3b625bf2572fe6c7923392774adafbbb365bb
MD5 hash: f0b6cd86a2a88851836dc68b9d6e5995
humanhash: kitten-twenty-comet-fanta
File name:c730d9043cb5bd6d4152a91ceb0efa5af74d00510f73ef536467f2ee7f133809
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:1'742'744 bytes
First seen:2023-02-06 14:25:15 UTC
Last seen:2023-02-06 16:06:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 239d5cfa179b7a37d130bb94fad45e2e (2 x Rhadamanthys)
ssdeep 24576:/svHDgmT4k5ivRI/4RelcQ/dqFR/X5YTuXzkyLP0L+YFjX1twx+ILNl5YGZx:/2Dp4umRI/Vl3VwYqXIMO+SQocNx
TLSH T13A85CF6E73E80F3CD55520F29CAF5B0AD0BF0F78294B6B69858C50EC5C6235BD8D9286
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon c4d2d1c9c8d8c8f9 (3 x AgentTesla, 3 x Rhadamanthys, 1 x Formbook)
Reporter adrian__luca
Tags:exe Rhadamanthys signed

Code Signing Certificate

Organisation:fandom.org
Issuer:R3
Algorithm:sha256WithRSAEncryption
Valid from:2022-12-07T14:23:20Z
Valid to:2023-03-07T14:23:19Z
Serial number: 04f8b24cf429eff10222b48184d438489298
Thumbprint Algorithm:SHA256
Thumbprint: 8cb5935d88831c88522081fae67758353c1c3266bf5a6f3fd18c1179f45c613a
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
208
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c730d9043cb5bd6d4152a91ceb0efa5af74d00510f73ef536467f2ee7f133809
Verdict:
Malicious activity
Analysis date:
2023-02-06 14:24:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a0887743-873a-4311-b77d-6b90dbd9320f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/360906/
Detection(s):
SecuriteInfo.com.Trojan.Generic.33191400.14259.25113.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Creating a file
Sending a custom TCP request
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/65798/overview
Behaviour
MalwareBazaar
CPUID_Instruction
SystemUptime
MeasuringTime
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/63e10dfc96add6d1cf49c8a0/reports/45726b01-9c8e-4a55-808b-55d264f926c9/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/c730d9043cb5bd6d4152a91ceb0efa5af74d00510f73ef536467f2ee7f133809
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e5195d7c-b95e-4aae-8669-c066e13284f5
Result
Threat name:
AgentTesla, RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1166930
Signature
Allocates memory in foreign processes
Checks if the current machine is a virtual machine (disk enumeration)
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 799701 Sample: M70iwGlFIB.exe Startdate: 06/02/2023 Architecture: WINDOWS Score: 100 105 Snort IDS alert for network traffic 2->105 107 Multi AV Scanner detection for dropped file 2->107 109 Multi AV Scanner detection for submitted file 2->109 111 6 other signatures 2->111 7 M70iwGlFIB.exe 10 2->7         started        12 sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe 9 2->12         started        process3 dnsIp4 53 ztpvx0upkzzeeo6fug.q1kza943yne2lo 7->53 45 sasa dogolaf legif... recaquik nivev.exe, PE32 7->45 dropped 47 sasa dogolaf legif...exe:Zone.Identifier, ASCII 7->47 dropped 113 Self deletion via cmd or bat file 7->113 115 Uses schtasks.exe or at.exe to add and modify task schedules 7->115 14 sasa dogolaf legifema yoyi vogot veg recaquik nivev.exe 7 7->14         started        19 cmd.exe 1 7->19         started        21 schtasks.exe 1 7->21         started        55 ztpvx0upkzzeeo6fug.q1kza943yne2lo 12->55 49 C:\Users\user\AppData\Local\...\6538390.dll, PE32 12->49 dropped 117 Writes to foreign memory regions 12->117 119 Allocates memory in foreign processes 12->119 121 Injects a PE file into a foreign processes 12->121 23 ngentask.exe 7 12->23         started        25 fontview.exe 12->25         started        27 WerFault.exe 12->27         started        29 WerFault.exe 12->29         started        file5 signatures6 process7 dnsIp8 57 ztpvx0upkzzeeo6fug.q1kza943yne2lo 14->57 51 C:\Users\user\AppData\Local\...\6528625.dll, PE32 14->51 dropped 75 Writes to foreign memory regions 14->75 77 Allocates memory in foreign processes 14->77 79 Injects a PE file into a foreign processes 14->79 31 fontview.exe 14->31         started        35 ngentask.exe 15 7 14->35         started        81 Uses ping.exe to check the status of other devices and networks 19->81 37 PING.EXE 1 19->37         started        39 conhost.exe 19->39         started        41 chcp.com 1 19->41         started        43 conhost.exe 21->43         started        59 mail.clipjoint.co.nz 23->59 61 64.185.227.155, 443, 49717 WEBNXUS United States 23->61 63 2 other IPs or domains 23->63 83 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->83 85 Tries to steal Mail credentials (via file / registry access) 23->85 87 Tries to harvest and steal browser information (history, passwords, etc) 23->87 file9 signatures10 process11 dnsIp12 65 109.206.243.168, 49724, 49726, 49727 AWMLTNL Germany 31->65 89 Query firmware table information (likely to detect VMs) 31->89 91 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 31->91 93 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 31->93 103 3 other signatures 31->103 67 mail.clipjoint.co.nz 27.54.86.236, 49716, 49718, 49719 DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU Australia 35->67 69 api4.ipify.org 173.231.16.76, 443, 49714 WEBNXUS United States 35->69 71 api.ipify.org 35->71 95 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 35->95 97 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 35->97 99 May check the online IP address of the machine 35->99 101 Tries to steal Mail credentials (via file / registry access) 35->101 73 127.0.0.1 unknown unknown 37->73 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c730d9043cb5bd6d4152a91ceb0efa5af74d00510f73ef536467f2ee7f133809/
Threat name:
Win32.Spyware.Rhadamanthys
Create hunting rule
Status:
Malicious
First seen:
2023-01-30 07:11:16 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
20 of 26 (76.92%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y4ynsbb4ww6w2qksveoowdx2ll3u2acrb5z66u3em7zo47ythaeq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:rhadamanthys collection keylogger spyware stealer trojan
Link:
https://tria.ge/reports/230206-rrve8aec79/
Behaviour
Checks SCSI registry key(s)
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Looks up external IP address via web service
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
AgentTesla
Detect rhadamanthys stealer shellcode
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
7cf81826e825ba803d589bf92cd9881f3a13a4eca38105dc1b6b7f80cad9a40a
MD5 hash:
f0ea36422e87341b7e5db72436c9a823
SHA1 hash:
4bc37b75e4c729458ccbc97ee1649eabd43d3279
Link:
https://www.unpac.me/results/c94511a8-2c61-4a81-bb7e-098356b065fe/
SH256 hash:
c730d9043cb5bd6d4152a91ceb0efa5af74d00510f73ef536467f2ee7f133809
MD5 hash:
f0b6cd86a2a88851836dc68b9d6e5995
SHA1 hash:
14e3b625bf2572fe6c7923392774adafbbb365bb
Link:
https://www.unpac.me/results/c94511a8-2c61-4a81-bb7e-098356b065fe/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c730d9043cb5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c730d9043cb5bd6d4152a91ceb0efa5af74d00510f73ef536467f2ee7f133809

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/360906/

Comments