MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc551bcb062e26f7f34be3e568f915b3bcb2927ba89797e55780e0ed99ff8655. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 15

Intelligence 15 IOCs YARA File information Comments

SHA256 hash:	cc551bcb062e26f7f34be3e568f915b3bcb2927ba89797e55780e0ed99ff8655
SHA3-384 hash:	31cf90ae92609a6c070231f27a952a6673b45c6feea3b8b5d7b8f97d4237bd1023dfe3ca88291a8657c247b59fdfc1ea
SHA1 hash:	b5686190f602449fe4db14da7a31e541d29aad49
MD5 hash:	12c9ffd6da618549ff72192b588354b1
humanhash:	pizza-michigan-oxygen-kansas
File name:	setup.exe
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	3'404'800 bytes
First seen:	2023-03-21 01:59:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ca355b09021bdc6df9b31e9df58406c0 (9 x Smoke Loader, 5 x RedLineStealer, 5 x Rhadamanthys)
ssdeep	6144:p6UdHJVyuyJMHJKCEGoAEzIeALtJ70+p:sUdpAuyJ8KCEP8eAL70u
Threatray	315 similar samples on MalwareBazaar
TLSH	T1D4F5BF835BA07821F426CAF15E2EC6F4A60EFDD1CE6D575D22046E2F08B3162C566BD3
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	1098e6f2cac2f252 (1 x Rhadamanthys)
Reporter	Chainskilabs
Tags:	exe Rhadamanthys

Intelligence

File Origin

# of uploads :

# of downloads :

253

Origin country :

Vendor Threat Intelligence

Malware family:

smoke

ID:

File name:

file

Verdict:

Malicious activity

Analysis date:

2023-03-21 00:40:32 UTC

Tags:

loader smoke trojan amadey opendir ransomware stop stealer evasion

Link:

https://app.any.run/tasks/2cb04333-1b8b-464c-b6da-e37468ff1a0a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Rhadamanthys

Link:

https://www.capesandbox.com/analysis/376068/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Detecting VM

Sending an HTTP GET request

Launching a process

Launching the default Windows debugger (dwwin.exe)

Verdict:

Malicious

Threat level:

10/10

Confidence:

80%

Tags:

greyware overlay packed

Link:

https://www.filescan.io/uploads/64190fa4b236355850d70fa0/reports/83302d79-0335-46c0-bbf7-bf45217b7b81/overview

Verdict:

Malicious

Labled as:

Mikey.Generic

Link:

https://www.hybrid-analysis.com/sample/cc551bcb062e26f7f34be3e568f915b3bcb2927ba89797e55780e0ed99ff8655

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/6a2f48a4-5b04-4b32-bcc6-46bcf1b3aee7

Result

Threat name:

RHADAMANTHYS

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1198192

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Checks if the current machine is a virtual machine (disk enumeration)

Creates processes via WMI

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Early bird code injection technique detected

Found many strings related to Crypto-Wallets (likely being stolen)

Found potential ransomware demand text

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Queues an APC in another process (thread injection)

Snort IDS alert for network traffic

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/cc551bcb062e26f7f34be3e568f915b3bcb2927ba89797e55780e0ed99ff8655/

Threat name:

Win32.Trojan.RedLineStealer

Status:

Malicious

First seen:

2023-03-21 02:00:08 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

23 of 24 (95.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zrkrxsygfytpp42l4pswr6ivwo6lfet3vclzpzkxqdqo3gp7qzkq._file

Verdict:

malicious

Rhadamanthys

419600d0508516026569e661e54e5e7a5d17d47d18cb8f427932bd728d9bc743

Rhadamanthys

5f1a56b6cfdd55b401ee5e769a7c60ac886f02f5d425d5514e202b9e12448b87

Rhadamanthys

60b346fe162b2fc00328d09a35696cfe21f22925716d15fe9841f5fb9bc629ab

Rhadamanthys

7a78888d3616fa77722ef3e59d343db0d32e43d62b79d911ae06c9a26707da21

Rhadamanthys

8e5cce74ef320ec2ee182f1b0dee059fc63e671d3644a30e4104e87adc4a045f

Rhadamanthys

93f7b0045c564abad182d9e2006505cef3b68b4beb3a4db787332a31839fd7a0

Rhadamanthys

9891812f13690272fc0581c9b68c6fc9d0bbdb30f6715b1a5b8e2040112d811d

Rhadamanthys

a8b8116afae21d9c0edaf717611b611b78d0a097c303bfbe596ec4ead69897fe

Rhadamanthys

b1350d4785b6b3c87ff90e62b03cd4863426c36b92340bc09996bef7a4d8750c

Rhadamanthys

+ 305 additional samples on MalwareBazaar

Result

Malware family:

rhadamanthys

Score:

10/10

Tags:

family:rhadamanthys evasion stealer

Link:

https://tria.ge/reports/230321-cez3lsad3v/

Behaviour

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Checks for VirtualBox DLLs, possible anti-VM trick

Checks system information in the registry

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks BIOS information in registry

Looks for VMWare Tools registry key

Enumerates VirtualBox registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Looks for VirtualBox Guest Additions in registry

Detect rhadamanthys stealer shellcode

Rhadamanthys

Unpacked files

SH256 hash:

5db892a52fbebbf0298d3b5b2cf0c3ed7f9612a9d337c56bb168be336d28cadb

MD5 hash:

2a7aaf0b7ed9af90a111dd74ad9aa1ad

SHA1 hash:

562c4849728b795a971d755e0c1af872c73aaaed

Link:

https://www.unpac.me/results/f8175905-ac32-4d2d-a3c4-3e38b333afb4/

SH256 hash:

cc551bcb062e26f7f34be3e568f915b3bcb2927ba89797e55780e0ed99ff8655

MD5 hash:

12c9ffd6da618549ff72192b588354b1

SHA1 hash:

b5686190f602449fe4db14da7a31e541d29aad49

Link:

https://www.unpac.me/results/f8175905-ac32-4d2d-a3c4-3e38b333afb4/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/cc551bcb062e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/cc551bcb062e26f7f34be3e568f915b3bcb2927ba89797e55780e0ed99ff8655

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

exe cc551bcb062e26f7f34be3e568f915b3bcb2927ba89797e55780e0ed99ff8655

(this sample)

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/376068/

URLhaus

https://urlhaus.abuse.ch/url/2566098/

URLhaus

https://urlhaus.abuse.ch/url/2567063/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample