MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7eb59519e0f588eb8f37346c562f130f7992fae0fe75725ae4c35615d794bcb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	c7eb59519e0f588eb8f37346c562f130f7992fae0fe75725ae4c35615d794bcb
SHA3-384 hash:	1245e631f7cf1b41fcf2e6cd04253371c4889968d1240a02c17808773b838131c98ea3e21913901cdf7767c4d1494fee
SHA1 hash:	892f78270e4f4e8c1e278e2a01ea9eebfecf3884
MD5 hash:	39ecbe7839f518ad43a73290bf278434
humanhash:	india-blue-lake-batman
File name:	39ecbe7839f518ad43a73290bf278434.exe
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	211'456 bytes
First seen:	2023-03-01 18:50:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ab41656c48706f1fda9fa72f84547ff3 (3 x Rhadamanthys)
ssdeep	3072:jkfcpRIUgU18+G8m+6Sx0WJ0u0/5URvtz7BokhtyhN2YNj9UXezE5yVRhpuI5:jkfcNRlrEPyT/BvyhN2YWh5kr
Threatray	227 similar samples on MalwareBazaar
TLSH	T11624E109B2D18878FA9402325D748E7315FE3B6B4B30CB97776C0586AE712F5652A3D3
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe Rhadamanthys

Intelligence

File Origin

# of uploads :

# of downloads :

187

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

redline

ID:

File name:

4f5e4565f78c0d72ca579277a021123f.exe

Verdict:

Malicious activity

Analysis date:

2023-03-01 18:36:54 UTC

Tags:

rat redline trojan amadey loader rhadamanthys

Link:

https://app.any.run/tasks/50431793-b1b8-4b60-a19f-79a6316576a4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/370904/

Detection(s):

SecuriteInfo.com.Variant.Fragtor.201439.20808.29934.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Detecting VM

Sending an HTTP GET request

Creating a file in the %AppData% directory

Launching a process

Deleting a recently created file

Reading critical registry keys

Stealing user critical data

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

greyware shell32.dll zusy

Link:

https://www.filescan.io/uploads/63ff9e9cbbedb8176ff206c1/reports/e92510f7-6817-4f6d-8e71-2bb97fd7ba21/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/c7eb59519e0f588eb8f37346c562f130f7992fae0fe75725ae4c35615d794bcb

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/ecb37d60-b372-4d61-a5ce-6c264f943535

Result

Threat name:

RHADAMANTHYS

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1185129

Signature

Checks if the current machine is a virtual machine (disk enumeration)

Contain functionality to detect virtual machines

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to detect virtual machines (IN, VMware)

Contains functionality to hide a thread from the debugger

Found many strings related to Crypto-Wallets (likely being stolen)

Found potential ransomware demand text

Hides threads from debuggers

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Searches for specific processes (likely to inject)

Snort IDS alert for network traffic

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c7eb59519e0f588eb8f37346c562f130f7992fae0fe75725ae4c35615d794bcb/

Threat name:

Win32.Spyware.Rhadamanthys

Status:

Malicious

First seen:

2023-02-27 18:27:17 UTC

File Type:

PE (Exe)

AV detection:

25 of 39 (64.10%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=y7vvsum6b5mi5ohtondmkyxrgd3zsl5ob7tvojnojq2wcxlzjpfq._file

Verdict:

malicious

Rhadamanthys

140f170d8b83611cb8897164be174495dc51961dc34fbccc9a714917cc341b8f

Rhadamanthys

1d80b8ed824382630f9b336695f0c03670894b9a107951c74ccc5f287a3e37c6

Rhadamanthys

320bf1b89342b15959fb29c944089d8d6e3c23108cdced1c912b0ea639000ba7

Rhadamanthys

623839847e3aa9ceda27ced8b2b29b2d4545384bc3a322eaeedd04d5d04b65bd

Rhadamanthys

a9b130790783e321b1817977af11af8117662e77a246e3902479f39cba863249

Rhadamanthys

be2d86da86df489ac16c9290fd39f4b4bb577c328466f7d366bf2e1e439c620a

Rhadamanthys

f6bbb24dd6e64be591104904149bdf66a09c1b12790012e1fca1fecd3db571f2

Rhadamanthys

+ 217 additional samples on MalwareBazaar

Result

Malware family:

rhadamanthys

Score:

10/10

Tags:

family:rhadamanthys stealer

Link:

https://tria.ge/reports/230301-xhhb7ahf67/

Behaviour

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of NtSetInformationThreadHideFromDebugger

Detect rhadamanthys stealer shellcode

Rhadamanthys

Unpacked files

SH256 hash:

c7eb59519e0f588eb8f37346c562f130f7992fae0fe75725ae4c35615d794bcb

MD5 hash:

39ecbe7839f518ad43a73290bf278434

SHA1 hash:

892f78270e4f4e8c1e278e2a01ea9eebfecf3884

Link:

https://www.unpac.me/results/b763d038-b8c1-4d53-bd25-fa2aa22502e3/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/c7eb59519e0f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c7eb59519e0f588eb8f37346c562f130f7992fae0fe75725ae4c35615d794bcb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

exe c7eb59519e0f588eb8f37346c562f130f7992fae0fe75725ae4c35615d794bcb

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2554567/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/370904/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample