MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb91265cb1cecf63fb73cd8565132f384f14265d3a370ffd643996aeb4a8b137. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	cb91265cb1cecf63fb73cd8565132f384f14265d3a370ffd643996aeb4a8b137
SHA3-384 hash:	ce53a05080c0666ccde3b95329e08a5c7c0054277b928accc32d82d52323e808e78936c456bbb1d5b0117487fab7ff2d
SHA1 hash:	f070b0a8e49b480699dc31a8cc8cc6b81b310e59
MD5 hash:	e63842ebde79ffea5af09f24fab734f6
humanhash:	whiskey-october-three-zulu
File name:	file
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	281'600 bytes
First seen:	2023-04-17 12:19:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e0d7f571370332058b298100af926d07 (2 x Tofsee, 2 x Amadey, 2 x RedLineStealer)
ssdeep	6144:omfb1t9zjxHBeim02grI6zJyapImQrSJwKk7iMA:Rf5PdBeim0LES7aGRk7i
Threatray	492 similar samples on MalwareBazaar
TLSH	T11454F121B790C836C95A41BD58209BA8BEBF78A15395815B332C3FEF6F213C15B67352
TrID	34.4% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9) 25.8% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 10.8% (.SCR) Windows screen saver (13097/50/3) 8.7% (.EXE) Win64 Executable (generic) (10523/12/4) 5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
File icon (PE):
dhash icon	401592498dcc7409 (1 x Rhadamanthys)
Reporter	jstrosch
Tags:	exe Rhadamanthys

Intelligence

File Origin

# of uploads :

# of downloads :

264

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-04-17 12:22:19 UTC

Tags:

rhadamanthys

Link:

https://app.any.run/tasks/9db4acc6-de50-48d1-a675-8358c062ed52

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Rhadamanthys

Link:

https://www.capesandbox.com/analysis/382780/

Detection(s):

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Sending an HTTP GET request

Launching a process

Launching the default Windows debugger (dwwin.exe)

Reading critical registry keys

Unauthorized injection to a system process

Stealing user critical data

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/80049/overview

Behaviour

MalwareBazaar

SystemUptime

MeasuringTime

CPUID_Instruction

CheckCmdLine

EvasionQueryPerformanceCounter

EvasionGetTickCount

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/643d39758ecb3afce931bb7d/reports/d6bff644-fb01-458d-b54f-5224e4a82ce2/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/cb91265cb1cecf63fb73cd8565132f384f14265d3a370ffd643996aeb4a8b137

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/5cf63ac4-57e9-46ca-bf16-94bcedcb3004

Result

Threat name:

RHADAMANTHYS

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1215145

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Found potential ransomware demand text

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cb91265cb1cecf63fb73cd8565132f384f14265d3a370ffd643996aeb4a8b137/

Threat name:

Win32.Spyware.Rhadamanthys

Status:

Malicious

First seen:

2023-04-17 12:20:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zoismxfrz3hwh63tzwcwkezphbhrijs5hi3q77lehglk5nfiwe3q._file

Verdict:

malicious

Rhadamanthys

2473d2451cb6e066df31a2457c700cd9e0b1585db96716c981b3f34deffdfd26

Rhadamanthys

419600d0508516026569e661e54e5e7a5d17d47d18cb8f427932bd728d9bc743

Rhadamanthys

447102cbda0f30fdb352c94f4809d1301287bf232298760e7471dcfb718364ec

Rhadamanthys

4c8efbebe269a6ccc55f1d34531a90f1ea81c4fc834f1791b9c090e6e62338e5

Rhadamanthys

93f7b0045c564abad182d9e2006505cef3b68b4beb3a4db787332a31839fd7a0

Rhadamanthys

9891812f13690272fc0581c9b68c6fc9d0bbdb30f6715b1a5b8e2040112d811d

Rhadamanthys

b1350d4785b6b3c87ff90e62b03cd4863426c36b92340bc09996bef7a4d8750c

Rhadamanthys

c0093f55371c87e201ef12c1f98becc18dee2afab323d8d97e8605ce5a08c2d1

Rhadamanthys

+ 482 additional samples on MalwareBazaar

Result

Malware family:

rhadamanthys

Score:

10/10

Tags:

family:rhadamanthys collection stealer

Link:

https://tria.ge/reports/230417-phrlvsfg31/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Program crash

Accesses Microsoft Outlook profiles

Detect rhadamanthys stealer shellcode

Rhadamanthys

Malware Config

C2 Extraction:

http://179.43.142.201/img/favicon.png

Unpacked files

SH256 hash:

1797d67afc3879e8f47e41f157a56268a4a615f3e9b1e40c0b187a7915ee4107

MD5 hash:

9f086efa5c76a33e52fd2c925de924d3

SHA1 hash:

959399bcdd9e81bdb546f9559514dfad357f1361

Link:

https://www.unpac.me/results/ada4eed3-4822-4fdb-b203-01fd518df533/

SH256 hash:

cb91265cb1cecf63fb73cd8565132f384f14265d3a370ffd643996aeb4a8b137

MD5 hash:

e63842ebde79ffea5af09f24fab734f6

SHA1 hash:

f070b0a8e49b480699dc31a8cc8cc6b81b310e59

Link:

https://www.unpac.me/results/ada4eed3-4822-4fdb-b203-01fd518df533/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/cb91265cb1ce/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cb91265cb1cecf63fb73cd8565132f384f14265d3a370ffd643996aeb4a8b137

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.