MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dca16a0e7bdc4968f1988c2d38db133a0e742edf702c923b4f4a3c2f3bdaacf5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	dca16a0e7bdc4968f1988c2d38db133a0e742edf702c923b4f4a3c2f3bdaacf5
SHA3-384 hash:	04ae7e4d7f6e328cbe367ee8534cce16e3359cc728f49a791812c6fa4c465ecdff71f191324c77a07c34818d3cb664cd
SHA1 hash:	975c36eb0442edd4d42996a3dd554ab36f95ff55
MD5 hash:	221c3bf6b4e3c355fdce087122511fe4
humanhash:	november-alanine-low-pennsylvania
File name:	dca16a0e7bdc4968f1988c2d38db133a0e742edf702c923b4f4a3c2f3bdaacf5
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	153'088 bytes
First seen:	2022-12-27 08:52:43 UTC
Last seen:	2022-12-27 10:31:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	94c0b269c3199cdb46193be30d20c93b (1 x Rhadamanthys)
ssdeep	3072:sY8Ah6pPHmZbnjL9/LZHR29C6BoFQ9QQMb7d2Y+lO662kosOgl7A8lhOlAETZeiS:h8AhKvmZbjL9/lHR29vkQ9lMUSnbOgl7
Threatray	17'327 similar samples on MalwareBazaar
TLSH	T18EE3F1E96033803CDBC9067A99540B912FF03DB68720BB677D1CA4627FB53BF98590A5
TrID	30.2% (.EXE) Win64 Executable (generic) (10523/12/4) 18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 14.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 12.9% (.EXE) Win32 Executable (generic) (4505/5/1) 5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	abuse_ch
Tags:	exe Rhadamanthys

Intelligence

File Origin

# of uploads :

# of downloads :

246

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

dca16a0e7bdc4968f1988c2d38db133a0e742edf702c923b4f4a3c2f3bdaacf5

Verdict:

Malicious activity

Analysis date:

2022-12-27 08:55:40 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/fb8dc97e-d4de-4688-99e8-12c72df6cdd5

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.Variant.Lazy.277215.7811.25364.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Sending an HTTP GET request

Creating a file in the %AppData% directory

Launching a process

Deleting a recently created file

Reading critical registry keys

Sending a custom TCP request

Launching the default Windows debugger (dwwin.exe)

Forced system process termination

Stealing user critical data

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

shell32.dll

Link:

https://www.filescan.io/uploads/63aab27240e878e304204f59/reports/6ec1bd23-0965-4dea-8e8b-edb1bee70a42/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c5c822c6-c833-40e3-89e4-4214bca36928

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/1141438

Signature

Antivirus detection for URL or domain

Hides threads from debuggers

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dca16a0e7bdc4968f1988c2d38db133a0e742edf702c923b4f4a3c2f3bdaacf5/

Threat name:

Win32.Trojan.RealProtect

Status:

Malicious

First seen:

2022-12-22 18:25:53 UTC

File Type:

PE (Exe)

AV detection:

23 of 26 (88.46%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3sqwudt33rewr4myrqwtrwythihhilw7oawjeo2pji6c6o62vt2q._file

Verdict:

malicious

Rhadamanthys

2f5adcd21b56b7a72adadb73a7d29ea9158a1b10cf02be624f60f41a3b1fce0d

Rhadamanthys

3aa290b067cbd23d42481b61c74ae57834293f9da2e8461e3df6e0629aecb597

Rhadamanthys

590420a09891c0a91ecdc29942328e707cc3f0243f5c9907c96150eb15fe1052

Rhadamanthys

8028f15755497e60af4f15e0b7171423a5ab31c12b529a0f17807d840665d177

Rhadamanthys

c0178dc0e1f125da7b6bab419edc783fdff63a376019140e086e6bc10ec588bd

Rhadamanthys

dabdfc50cc2a6bc20b098b7feee83bedf463d58e0a9f824831290acefddc703c

Rhadamanthys

dc97a6f3209e48c6b45354965214110cc515209135483152672cc73f149cfbcf

Rhadamanthys

e3ac933f39d5fa387a5f844d1d29379d88c4421aa72ac4e9b50d8bc1d5b40fa4

Rhadamanthys

fc0cb0682ccc37bdd72fab5106d45ebf7fb014b15004d65d627f6e2aed0750b4

Rhadamanthys

+ 17'317 additional samples on MalwareBazaar

Result

Malware family:

rhadamanthys

Score:

10/10

Tags:

family:rhadamanthys collection discovery spyware stealer

Link:

https://tria.ge/reports/221227-ktbbsshg51/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses Microsoft Outlook profiles

Checks installed software on the system

Loads dropped DLL

Reads user/profile data of web browsers

Blocklisted process makes network request

Detect rhadamanthys stealer shellcode

Rhadamanthys

Unpacked files

SH256 hash:

dca16a0e7bdc4968f1988c2d38db133a0e742edf702c923b4f4a3c2f3bdaacf5

MD5 hash:

221c3bf6b4e3c355fdce087122511fe4

SHA1 hash:

975c36eb0442edd4d42996a3dd554ab36f95ff55

Link:

https://www.unpac.me/results/798e7fb5-4daa-4bf5-9db3-1a3747c96db6/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/dca16a0e7bdc/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.85

Link:

https://yomi.yoroi.company/submissions/dca16a0e7bdc4968f1988c2d38db133a0e742edf702c923b4f4a3c2f3bdaacf5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample