MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c93df18d82280c8caf7d2259163c89ab9dd0a70c0be3afa45e65fe2ef2ed9203. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 12


Intelligence 12 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c93df18d82280c8caf7d2259163c89ab9dd0a70c0be3afa45e65fe2ef2ed9203
SHA3-384 hash: d4239ec44516cd22a7e4c477cd0edb15888d76ceeef10240acc6591124fe83269c88b301fc8e3109cc7f1671d63cf65d
SHA1 hash: 66ded32620fc9c79a4e8405f0ec154eb49ed954d
MD5 hash: d6de04a1b709e5e742c09eeef93acffd
humanhash: ohio-october-angel-ink
File name:file
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:1'729'464 bytes
First seen:2023-03-11 18:35:30 UTC
Last seen:2023-03-11 20:28:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 533c5409968cfac36437ac5835c4d83f (7 x Rhadamanthys, 1 x Adware.Generic)
ssdeep 49152:ji7LSfrmN1v2FOOzNRv5CZutNaLHTdMX3AXtGvv3lCwTmLcI9HZ+MA:G3Sff3l7+TA
Threatray 235 similar samples on MalwareBazaar
TLSH T15C85D0F1FDC998A6D75B0B3E28CEDD07A06297249A33E092D94C956EC71D143FA26331
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 0d336151d959a79f (1 x Rhadamanthys)
Reporter andretavare5
Tags:exe Rhadamanthys signed

Code Signing Certificate

Organisation:*.deviantart.com
Issuer:Amazon RSA 2048 M02
Algorithm:sha256WithRSAEncryption
Valid from:2023-02-20T00:00:00Z
Valid to:2023-11-24T23:59:59Z
Serial number: 0c7d77e829c56a8aa5ddaa98ef2d111f
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 1f105e4d7ce3ac3cb1c138f039e0df08aaf36cdc401f790bcd5876f68f432750
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from http://179.43.175.11/ape2.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
260
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2023-03-11 18:37:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/e3e34749-9932-4461-a78c-030a0e1f7cae

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/373607/
Detection(s):
SecuriteInfo.com.Trojan-Ransom.Cerber.22913.5373.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/72714/overview
Behaviour
MalwareBazaar
CPUID_Instruction
MeasuringTime
SystemUptime
EvasionGetTickCount
CheckCmdLine
EvasionQueryPerformanceCounter
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/640cca13b65c45d06f7396f0/reports/8e58486e-0434-4ed0-9640-f1ef0f40f80d/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/c93df18d82280c8caf7d2259163c89ab9dd0a70c0be3afa45e65fe2ef2ed9203
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Mustang Panda
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7584ad1e-0d29-48dc-99cf-fb4f2731cb21
Result
Threat name:
RHADAMANTHYS, Xmrig
Create hunting rule
Detection:
malicious
Classification:
evad.rans.phis.troj.spyw.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1191782
Signature
Allocates memory in foreign processes
Checks if the current machine is a virtual machine (disk enumeration)
DLL side loading technique detected
Early bird code injection technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential ransomware demand text
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Overwrites Mozilla Firefox settings
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Self deletion via cmd or bat file
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Writes or reads registry keys via WMI
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected RHADAMANTHYS Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 12337 Sample: file.exe Startdate: 11/03/2023 Architecture: WINDOWS Score: 100 139 shxkgp9m0jpqqwjrpfyiule.p79jslb9xwk3q 2->139 141 5dclbef0ajijvnv.xlyh9dad1zhppfdfccwpzmbbg 2->141 169 Snort IDS alert for network traffic 2->169 171 Multi AV Scanner detection for submitted file 2->171 173 Yara detected RHADAMANTHYS Stealer 2->173 175 7 other signatures 2->175 11 Day latoje hoquin petena piy sapay roba_goy rifeca gijalof wiler.exe 8 2->11         started        15 file.exe 10 2->15         started        17 svchost.exe 2->17         started        19 2 other processes 2->19 signatures3 process4 dnsIp5 129 C:\Users\user\AppData\Local\...\9380250.dll, PE32 11->129 dropped 193 Writes to foreign memory regions 11->193 195 Allocates memory in foreign processes 11->195 197 Injects a PE file into a foreign processes 11->197 22 ngentask.exe 18 11->22         started        26 fontview.exe 11->26         started        29 WerFault.exe 11->29         started        131 Day latoje hoquin ...a gijalof wiler.exe, PE32 15->131 dropped 133 Day latoje hoquin ...exe:Zone.Identifier, ASCII 15->133 dropped 199 Self deletion via cmd or bat file 15->199 201 Uses schtasks.exe or at.exe to add and modify task schedules 15->201 31 Day latoje hoquin petena piy sapay roba_goy rifeca gijalof wiler.exe 9 15->31         started        33 cmd.exe 1 15->33         started        35 schtasks.exe 1 15->35         started        37 WerFault.exe 17->37         started        39 WerFault.exe 17->39         started        41 WerFault.exe 17->41         started        143 192.168.11.1 unknown unknown 19->143 file6 signatures7 process8 dnsIp9 147 185.246.220.89, 49860, 49861, 49862 LVLT-10753US Germany 22->147 115 C:\Users\user\AppData\Local\Temp\stil2.exe, PE32 22->115 dropped 117 C:\Users\user\AppData\Roaming\...\bohx.exe, PE32 22->117 dropped 43 stil2.exe 22->43         started        47 cmd.exe 1 22->47         started        49 stil2.exe 22->49         started        58 2 other processes 22->58 177 Query firmware table information (likely to detect VMs) 26->177 179 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 26->179 181 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 26->181 191 4 other signatures 26->191 51 dllhost.exe 26->51         started        119 C:\Users\user\AppData\Local\...\9380734.dll, PE32 31->119 dropped 183 Writes to foreign memory regions 31->183 185 Allocates memory in foreign processes 31->185 187 Injects a PE file into a foreign processes 31->187 60 3 other processes 31->60 189 Uses ping.exe to check the status of other devices and networks 33->189 53 PING.EXE 1 33->53         started        62 2 other processes 33->62 56 conhost.exe 35->56         started        file10 signatures11 process12 dnsIp13 135 C:\Users\user\AppData\Local\...\9398218.dll, PE32 43->135 dropped 203 Machine Learning detection for dropped file 43->203 205 Writes to foreign memory regions 43->205 207 Allocates memory in foreign processes 43->207 64 ngentask.exe 43->64         started        68 fontview.exe 43->68         started        70 bohx.exe 8 47->70         started        72 conhost.exe 47->72         started        137 C:\Users\user\AppData\Local\...\9400093.dll, PE32 49->137 dropped 209 Injects a PE file into a foreign processes 49->209 80 3 other processes 49->80 211 Early bird code injection technique detected 51->211 213 Tries to harvest and steal browser information (history, passwords, etc) 51->213 215 Maps a DLL or memory area into another process 51->215 217 Queues an APC in another process (thread injection) 51->217 74 dllhost.exe 51->74         started        145 127.0.0.1 unknown unknown 53->145 76 systeminfo.exe 58->76         started        78 conhost.exe 58->78         started        82 2 other processes 58->82 file14 signatures15 process16 file17 103 C:\Users\user\AppData\...\places.sqlite.bak, SQLite 64->103 dropped 105 C:\Users\user\AppData\...\cookies.sqlite.bak, SQLite 64->105 dropped 149 Overwrites Mozilla Firefox settings 64->149 151 Tries to harvest and steal browser information (history, passwords, etc) 64->151 153 DLL side loading technique detected 64->153 84 cmd.exe 64->84         started        86 cmd.exe 64->86         started        88 cmd.exe 64->88         started        155 Query firmware table information (likely to detect VMs) 68->155 157 Writes to foreign memory regions 68->157 159 Allocates memory in foreign processes 68->159 167 3 other signatures 68->167 107 C:\Users\user\AppData\...\PsInfo64.exe, PE32+ 70->107 dropped 109 C:\Users\user\AppData\Roaming\...\PsInfo.exe, PE32 70->109 dropped 111 C:\Users\user\AppData\Roaming\...\7zxa.dll, PE32 70->111 dropped 113 4 other files (2 malicious) 70->113 dropped 161 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 70->161 163 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 76->163 165 Writes or reads registry keys via WMI 76->165 signatures18 process19 process20 90 bohx.exe 84->90         started        93 conhost.exe 84->93         started        95 conhost.exe 86->95         started        97 PsInfo.exe 86->97         started        99 PsInfo64.exe 86->99         started        101 conhost.exe 88->101         started        file21 121 C:\Users\user\AppData\...\softokn3.dll, PE32 90->121 dropped 123 C:\Users\user\AppData\Roaming\...\nss3.dll, PE32 90->123 dropped 125 C:\Users\user\AppData\Roaming\...\mozglue.dll, PE32 90->125 dropped 127 4 other files (1 malicious) 90->127 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c93df18d82280c8caf7d2259163c89ab9dd0a70c0be3afa45e65fe2ef2ed9203/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Suspicious
First seen:
2023-03-11 18:44:44 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ze67ddmcfagizl35ejmrmpejvoo5bjymbpr27jc6mx7c54xnsibq._file
Verdict:
malicious
Similar samples:
0ca246e6325bfa1bd4aa4f743a259d4c3553a316a44665a5a21d5d5132b893c0
Rhadamanthys
22c4a9d47db8cf8183a9b91032c08e9592f37aa4e64a97e3059339698fc0e415
Rhadamanthys
22d356755eee957f75b09e389ec629da6988502275bba71cd7f600a53033ba3a
Rhadamanthys
3a156d1223d2420acadac6e2b8e9f27c4724515b4bf456fd34b4ad3aff36a8c4
Rhadamanthys
4de07012796040395015b6acfab5996cebb2099bfb362da9b303246580bc41b7
Rhadamanthys
7de5993155dddb0d9c365832842b1702b1d3a7a3a0818cc18de65ae5f3abfd15
Rhadamanthys
99cb9ea998d774a077d760f6a767660a520bc882a73195b3cd0282c2e967fb13
Rhadamanthys
e100d262ff4cd2a62a8d08244336c4d68044d00c57117833280ae2e3d8f22341
Rhadamanthys
e774b64170ea54274f9193e871da0412fa53835451f2f26277d9a474ff1ae7d5
Rhadamanthys
f0c40cd7b07913d9ed925ebc130d4263850aeb2e16c32c47214d2b5989bbf4f5
Rhadamanthys
+ 225 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230311-w8wrtscf7z/
Behaviour
Creates scheduled task(s)
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Unpacked files
SH256 hash:
49128ab5d3074f5a6dfdc1bfdc6c2dbbd48d261f78dad271af38af143167fb95
MD5 hash:
6ae69bc058377f53681ffb7765af221f
SHA1 hash:
863419dfc61f5df8d47a513bd83c9ef4e7cbe834
Link:
https://www.unpac.me/results/8bf98c74-a1a8-430b-9e1e-3768d063ca8d/
SH256 hash:
c93df18d82280c8caf7d2259163c89ab9dd0a70c0be3afa45e65fe2ef2ed9203
MD5 hash:
d6de04a1b709e5e742c09eeef93acffd
SHA1 hash:
66ded32620fc9c79a4e8405f0ec154eb49ed954d
Link:
https://www.unpac.me/results/8bf98c74-a1a8-430b-9e1e-3768d063ca8d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c93df18d82280c8caf7d2259163c89ab9dd0a70c0be3afa45e65fe2ef2ed9203

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:meth_stackstrings
Create hunting rule
Author:Willi Ballenthin
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/373607/
  
URLhaus
https://urlhaus.abuse.ch/url/2566596/

Comments