MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d7924c336a4c338816dcc7c6d4492ed49f21b75dc7b20425a623656fd28b678a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 11

Intelligence 11 IOCs YARA 5 File information Comments

SHA256 hash:	d7924c336a4c338816dcc7c6d4492ed49f21b75dc7b20425a623656fd28b678a
SHA3-384 hash:	0999651e52952f6b1ed0ef804e5b3066a93fb091e7fff66c4a631e6fe7022d5bbbdb25db5d6dfbf8b3b6ea085b381cee
SHA1 hash:	9fcf5d2c36a70736285b936d2f95e67c73ace350
MD5 hash:	8fdbcd880b2db4f3a06f95a4baf5b098
humanhash:	oregon-paris-ack-eight
File name:	a456.exe
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	3'146'888 bytes
First seen:	2023-07-20 12:00:15 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4bac5f1aa5d59044c6bd9ee6b4a263c1 (1 x Rhadamanthys)
ssdeep	49152:djUMm9gAd29FB0AVSxQlGZLs5GVkmmmmp3hLpM4tlBM6Lpe67iMio8it:in9g68tSxQl15Hh9NML657iML8it
Threatray	146 similar samples on MalwareBazaar
TLSH	T1A8E5E04522D942E4DB37B234B64C3AC5E972F8D54E64875B0FF086D60BF76A11BEA304
TrID	48.7% (.EXE) Win64 Executable (generic) (10523/12/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):
dhash icon	1fc6676565a58558 (1 x Rhadamanthys)
Reporter	Xev
Tags:	exe Rhadamanthys

Intelligence

File Origin

# of uploads :

# of downloads :

376

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

a456.exe

Verdict:

Malicious activity

Analysis date:

2023-07-20 12:01:35 UTC

Tags:

stealer

Link:

https://app.any.run/tasks/95462ce1-8cd7-4989-bd1d-8c4497b6ebb0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/426008/

Detection(s):

SecuriteInfo.com.PWSX-gen.16027.21912.UNOFFICIAL

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

control greyware lolbin overlay packed

Link:

https://www.filescan.io/uploads/64b921ffbf0894a95b6ee560/reports/f6dffceb-2aae-4e66-8db6-23fea82e750e/overview

Verdict:

Suspicious

Labled as:

Win64/Injector.NC trojan

Link:

https://www.hybrid-analysis.com/sample/d7924c336a4c338816dcc7c6d4492ed49f21b75dc7b20425a623656fd28b678a

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/7bc5432d-0821-41f8-a485-d18bec5e1530

Result

Threat name:

RHADAMANTHYS

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1276746

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to inject code into remote processes

Found malware configuration

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d7924c336a4c338816dcc7c6d4492ed49f21b75dc7b20425a623656fd28b678a/

Threat name:

Win64.Spyware.Rhadamanthys

Status:

Suspicious

First seen:

2023-07-20 12:01:05 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

13 of 25 (52.00%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=26jeym3kjqzyqfw4y7dnisjo2spsdn25y6zaijngensw7uulm6fa._file

Verdict:

malicious

Rhadamanthys

1184aeff512cf6da48a3c5357936da4f5488923f2327236be314d704e4cccdea

Rhadamanthys

15d2319d94150b66ce714c7bc4f524d52b9154a9a5fc2f336c744a4d56bd77d9

Rhadamanthys

59d09c8a52afad517845498cb8bcef3055f28f3b3d6e673b856f4b488f73149c

Rhadamanthys

686f9d8e29ba0fd3e4285ecd2f85716bea5be6c3b6571c955c9f6ea9274dc9cf

Rhadamanthys

bc1e4e6dd1eec20e8b6685d7e844a0ad045c0700210ef40f451e51dd9fa00910

Rhadamanthys

d850df618ed03fd518cb4c52bb09657a2eda865702a0498b965b0279ea73b362

Rhadamanthys

ebc9f697284097979e511887e40f9e1bc57fcedb2be1f37fb1ed20ee90004d93

Rhadamanthys

fc6ddb1f7644597b84d14e3efa4cd1a1d1ad0083141b3fa2a613cd3c092f6505

Rhadamanthys

fee5e202497ecf3e0f2d829f11afe55c8c7f525cd08bf1d570a96e226bb0bdca

Rhadamanthys

+ 136 additional samples on MalwareBazaar

Result

Malware family:

rhadamanthys

Score:

10/10

Tags:

family:rhadamanthys collection stealer

Link:

https://tria.ge/reports/230720-n6v4hsgd64/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Executes dropped EXE

Detect rhadamanthys stealer shellcode

Rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess

Unpacked files

SH256 hash:

d7924c336a4c338816dcc7c6d4492ed49f21b75dc7b20425a623656fd28b678a

MD5 hash:

8fdbcd880b2db4f3a06f95a4baf5b098

SHA1 hash:

9fcf5d2c36a70736285b936d2f95e67c73ace350

Link:

https://www.unpac.me/results/a7205e52-ae6a-4365-a2f2-3f7e681c167d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Password Stealer

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/d7924c336a4c338816dcc7c6d4492ed49f21b75dc7b20425a623656fd28b678a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BruteSyscallHashes Create hunting rule
Author:	Embee_Research @ Huntress

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	win_bruteratel_syscall_hashes_oct_2022 Create hunting rule
Author:	Embee_Research @ Huntress
Description:	Detection of Brute Ratel Badger via api hashes of Nt* functions.

Rule name:	win_brute_ratel_c4_w0 Create hunting rule
Author:	Embee_Research @ Huntress

Rule name:	win_Brute_Syscall_Hashes Create hunting rule
Author:	Embee_Research @ Huntress
Description:	Detection of Brute Ratel Badger via api hashes of Nt* functions.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/426008/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample