MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d471f6397863323cd27fb58291373ce952be4841094359c6ffe38aa313817979. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 12

Intelligence 12 IOCs YARA 13 File information Comments

SHA256 hash:	d471f6397863323cd27fb58291373ce952be4841094359c6ffe38aa313817979
SHA3-384 hash:	87d3d8158388fe5a9fc1f0b662846d21d7418c87b2d75a1b57549cc7d321af62b49216e5645cdcb8389f6cff94823d4b
SHA1 hash:	339a4555875e0713d15a3d2dfd41264f5bdd4dac
MD5 hash:	839745b4243cd8966c252acc48d3a763
humanhash:	magazine-utah-december-oregon
File name:	839745b4243cd8966c252acc48d3a763.exe
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	709'064 bytes
First seen:	2023-10-06 14:23:52 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	06ede52fcc31e4900f4f1a7060fce645 (10 x RedLineStealer, 6 x Stealc, 5 x Amadey)
ssdeep	12288:A1PTUValvZGjoLReaZjAZhGGS26NL4qo7jhrHQ0P4wD+NpU1:A1PT1l8oLAaZGGFZMqyjhMNi1
Threatray	36 similar samples on MalwareBazaar
TLSH	T1E9E49D4875859333C92C3D37247872DEE8DDDA90A757D2D343BBAFE70661AB04A32612
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe Rhadamanthys

Intelligence

File Origin

# of uploads :

# of downloads :

299

Origin country :

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Win32.PWSX-gen.5895.26791.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Modifying a system executable file

Delayed writing of the file

Launching a process

Сreating synchronization primitives

Launching the default Windows debugger (dwwin.exe)

Sending a custom TCP request

Forced shutdown of a system process

Infecting executable files

Unauthorized injection to a system process

Gathering data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control greyware lolbin overlay packed

Link:

https://www.filescan.io/uploads/65201885be42b2ac8e5d9fa9/reports/0b4806ba-7cfc-48a0-a405-1599479d21d6/overview

Verdict:

Malicious

Labled as:

Fugrafa.Generic

Link:

https://www.hybrid-analysis.com/sample/d471f6397863323cd27fb58291373ce952be4841094359c6ffe38aa313817979

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/a43a01ee-baa5-4d22-901a-95a08c95f439

Result

Threat name:

RHADAMANTHYS

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1321035

Signature

Allocates memory in foreign processes

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d471f6397863323cd27fb58291373ce952be4841094359c6ffe38aa313817979/

Threat name:

Win32.Spyware.Rhadamanthys

Status:

Malicious

First seen:

2023-10-06 14:24:06 UTC

File Type:

PE (Exe)

AV detection:

19 of 23 (82.61%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2ry7molymmzdzut7wwbjcnz45fjl4scbbfbvtrx74ofkge4bpf4q._file

Verdict:

malicious

Rhadamanthys

29f5a8629986da0b4a353e5423fb39c505cba7c06e7aa4b5a4029c5a1669ae95

Rhadamanthys

4eb94831dc8c5d208a185b7f83469113379a05db96af352e5c0de634611050dd

Rhadamanthys

6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb

Rhadamanthys

7de67b4ae3475e1243c80ba446a8502ce25fec327288d81a28be69706b4d9d81

Rhadamanthys

8e5f99b92349381fd772b1bdb18cce2c6595181fcad0f68de25593276d61620f

Rhadamanthys

ab3985e07195465b9a9d8c5a9959e783e2a30f6d6e7fdda3ab153de4d7fc6fe6

Rhadamanthys

b45536b641815e8e230c3519ee7b9dcb4bf186ed2f4dc73b4be00066550731aa

Rhadamanthys

fab5850b79de211ba1d789f80a4684657b3a79c849d46761decb2de95931162b

Rhadamanthys

+ 26 additional samples on MalwareBazaar

Result

Malware family:

rhadamanthys

Score:

10/10

Tags:

family:rhadamanthys stealer

Link:

https://tria.ge/reports/231006-rqp44scg8y/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Detect rhadamanthys stealer shellcode

Rhadamanthys

Unpacked files

SH256 hash:

bb85fc57a7ee04ecb477f71ade8b89ef8861fc05f9182014a814cd0840f277d1

MD5 hash:

fbfe64a8689a724caa7ab757ec0c5ade

SHA1 hash:

6b1b360111ea4a316293d2c4eeac2e7345707acf

Detections:

RhadamanthysLoader

win_brute_ratel_c4_w0

Link:

https://www.unpac.me/results/44019954-c16c-4d86-8893-80e87774377d/

Parent samples :

fe620c22d3d3179311a5b1d616fd0048bafc4866acc03023c974487607973e0c
d471f6397863323cd27fb58291373ce952be4841094359c6ffe38aa313817979

SH256 hash:

d471f6397863323cd27fb58291373ce952be4841094359c6ffe38aa313817979

MD5 hash:

839745b4243cd8966c252acc48d3a763

SHA1 hash:

339a4555875e0713d15a3d2dfd41264f5bdd4dac

Link:

https://www.unpac.me/results/44019954-c16c-4d86-8893-80e87774377d/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d471f6397863/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d471f6397863323cd27fb58291373ce952be4841094359c6ffe38aa313817979

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AppLaunch Create hunting rule
Author:	iam-py-test
Description:	Detect files referencing .Net AppLaunch.exe

Rule name:	BruteSyscallHashes Create hunting rule
Author:	Embee_Research @ Huntress

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	PE_Potentially_Signed_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Sectigo_Code_Signed Create hunting rule
Description:	Detects code signed by the Sectigo RSA Code Signing CA
Reference:	https://bazaar.abuse.ch/export/csv/cscb/

Rule name:	win_bruteratel_syscall_hashes_oct_2022 Create hunting rule
Author:	Embee_Research @ Huntress
Description:	Detection of Brute Ratel Badger via api hashes of Nt* functions.

Rule name:	win_brute_ratel_c4_w0 Create hunting rule
Author:	Embee_Research @ Huntress

Rule name:	win_Brute_Syscall_Hashes Create hunting rule
Author:	Embee_Research @ Huntress
Description:	Detection of Brute Ratel Badger via api hashes of Nt* functions.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

exe d471f6397863323cd27fb58291373ce952be4841094359c6ffe38aa313817979

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2717098/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample