MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2d0fee1cc3470452d8f7a09af5457e0c9de767e0902eebfd879d35715fe829a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d2d0fee1cc3470452d8f7a09af5457e0c9de767e0902eebfd879d35715fe829a
SHA3-384 hash: 743a2dd0d12b0f1f016da9391a5292a5c8259d05ecfd33b053e5206bbad20533d32c39717c5b60f12ece7af50956496f
SHA1 hash: d7410bffdadce380f8de9d80b7ef9bca1f7f718f
MD5 hash: 02507b95893999b16316c4e5f0ab7177
humanhash: spaghetti-nitrogen-finch-summer
File name:SecuriteInfo.com.Win32.Evo-gen.18099.19752
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:597'657 bytes
First seen:2024-01-16 11:26:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ea195bf8c93901cc0697df8bcbd3b755 (2 x Rhadamanthys, 2 x Vidar, 2 x RedLineStealer)
ssdeep 12288:z1S6OsIKit3OzKTVEC0DP32co5rIQrItpoACzsW5eV5:zY6etCKTV0DD4pIoi
Threatray 36 similar samples on MalwareBazaar
TLSH T18FD47B7DC6E87AE7CB715EF0005D7B1128ED8496881BB3CBDB69C815BD873438BA4864
TrID 39.4% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
16.5% (.SCR) Windows screen saver (13097/50/3)
13.3% (.EXE) Win64 Executable (generic) (10523/12/4)
8.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter SecuriteInfoCom
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
424
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
New Text Document.bin.exe
Verdict:
Malicious activity
Analysis date:
2024-01-16 19:38:50 UTC
Tags:
loader opendir ducktail hausbomber stealer stealc risepro evasion miner smoke smokeloader trojan glupteba vodkagats vidar zgrat pureminer rhadamanthys ransomware stop formbook xloader amadey botnet spyware redline xmrig pureloader purecrypter kelihos quasar fabookie lumma raccoonclipper phishing payload rat asyncrat remote
Link:
https://app.any.run/tasks/6b79a8ed-b6c9-4102-9c5d-1ed148f16f7d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/471090/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.18099.19752.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
overlay packed
Link:
https://www.filescan.io/uploads/65a6680894d1aebfb2a2da8a/reports/24a0489e-97cf-4d29-a5b9-f1829a494064/overview
Verdict:
Malicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/d2d0fee1cc3470452d8f7a09af5457e0c9de767e0902eebfd879d35715fe829a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/14798941-22fa-4d77-8924-5ad0ff8fe9c0
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1375307
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d2d0fee1cc3470452d8f7a09af5457e0c9de767e0902eebfd879d35715fe829a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d2d0fee1cc3470452d8f7a09af5457e0c9de767e0902eebfd879d35715fe829a/
Threat name:
Win32.Trojan.Privateloader
Create hunting rule
Status:
Malicious
First seen:
2024-01-16 11:27:09 UTC
File Type:
PE (Exe)
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2lip5yomgryeklmppie26vcx4de545t6bebo5p6yphjvofp6qkna._file
Verdict:
suspicious
Similar samples:
03c72cfabace07b6787d2d1fd66d6d6d9a2fbcb74a827ca4ab7e59aba40cb306
Rhadamanthys
15c7ce1bc55549efc86dea74a90f42fb4665fe15b14f760037897c772159a5b5
Rhadamanthys
180914e4a9ced0e96dcdfe47be875a796d853ac1216108c97428839d257e55f5
Rhadamanthys
189051c29319fac6a96fefc8158f9d27d61a55b668f3c8e3610a48617649518f
Rhadamanthys
3a8a3be6bfb60b2b9b2d02cc6ddf57e2ff0cb001b764df199026adc4e287ec4a
Rhadamanthys
878e881cb00de3297651a06f1d2054c88183e9f8010c1c30f5eeb92d7154e816
Rhadamanthys
8fdeb093bec0bc7dc01ef7f0aa61476deaaddbf42a8da2d711e21693fc3ecbd6
Rhadamanthys
aa78693a6e988b4ef2cad9ea19dd2286f0d155efae6ffa27733036b9808ad3ad
Rhadamanthys
b0c34116121eb910abfa1b9a462b70bab59faa0800c779496fbb528f0b183b7c
Rhadamanthys
f617be25cb6b894df7c180f0ac4ac93aa26b808c2c6b69821546b29158dc2499
Rhadamanthys
+ 26 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys stealer
Link:
https://tria.ge/reports/240116-nkejmsbeg7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
f7de5ad92252bfebf40b543fff5fb02922f14f9c04b16a1fb5211f26977a44bc
MD5 hash:
e9192853b8561956a885129e425366e1
SHA1 hash:
f6507df820122e168b364e49d5c4340093663a77
Link:
https://www.unpac.me/results/29959726-1419-44c5-a98b-32eba3880e07/
SH256 hash:
d2d0fee1cc3470452d8f7a09af5457e0c9de767e0902eebfd879d35715fe829a
MD5 hash:
02507b95893999b16316c4e5f0ab7177
SHA1 hash:
d7410bffdadce380f8de9d80b7ef9bca1f7f718f
Link:
https://www.unpac.me/results/29959726-1419-44c5-a98b-32eba3880e07/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d2d0fee1cc34/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d2d0fee1cc3470452d8f7a09af5457e0c9de767e0902eebfd879d35715fe829a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:PE_Potentially_Signed_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe d2d0fee1cc3470452d8f7a09af5457e0c9de767e0902eebfd879d35715fe829a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2748782/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2743105/
Cape
Cape
https://www.capesandbox.com/analysis/471090/

Comments