MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 decbd662ecab295cb2c060232a6de8218843d671b7cb628aaf769ba4bcdf126f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys
Vendor detections: 10

SHA256 hash: decbd662ecab295cb2c060232a6de8218843d671b7cb628aaf769ba4bcdf126f
SHA3-384 hash: 8e587ca044cafb0d40b34ea0b404e024a00532e2374bf6ed5311fbfe3c4e9555a0593eddfe4bc3a65ffefa7b8b6e6ca0
SHA1 hash: 0de4ad8f9f127c0c444bb7db4459d0977b1f6506
MD5 hash: a344b567076691b5cd838512c99bc884
humanhash: moon-salami-wisconsin-wisconsin
File name: DOC692-692692.lnk
Signature: Rhadamanthys
File size: 9'701 bytes
First seen: 2024-04-05 11:16:01 UTC
Last seen: Never
File type: Shortcut (lnk)
MIME type: application/octet-stream
ssdeep: 192:8z5phm3MSBfQbxE4l2g9FWV4FBno2dzSkbP43O5yrf68g493f61hVNeXkI:u5fcMS5Qb6EouFB3dzBbw3Omf68Zp9XV
TLSH: T1BA129E240EF873DFD1B75C7A67D972B12553DB1AA8DC82E4244181016223952B8FAEEA
Reporter: Anonymous
Tags: lnk, Rhadamanthys

Intelligence


File Origin
# of uploads: 1
# of downloads: 170
Origin country: US

Vendor Threat Intelligence

Result
Verdict: Malicious
File Type: LNK File - Malicious
Payload URLs:
  URL: https://imanikuu.com/done.txt
  File name: LNK File
Behaviour: BlacklistAPI detected
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: evasive, masquerade

Result
Verdict: MALICIOUS
Details:
  Hidden Powershell: Detected a pivot to Powershell that utilizes commonly nefarious attributes such as '-windowstyle hidden'.
  Base64 Encoded URL: Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.

Result
Threat name: RHADAMANTHYS
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
  .NET source code contains potential unpacker
  .NET source code references suspicious native API functions
  Antivirus detection for URL or domain
  Encrypted powershell cmdline option found
  Found evasive API chain (may stop execution after checking mutex)
  Found many strings related to Crypto-Wallets (likely being stolen)
  Malicious sample detected (through community Yara rule)
  Multi AV Scanner detection for submitted file
  Sigma detected: Suspicious PowerShell Parameter Substring
  Snort IDS alert for network traffic
  Suspicious powershell command line found
  Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  Tries to harvest and steal Bitcoin Wallet information
  Tries to harvest and steal browser information (history, passwords, etc)
  Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
  Tries to steal Mail credentials (via file / registry access)
  Windows shortcut file (LNK) starts blacklisted processes
  Yara detected RHADAMANTHYS Stealer
Behaviour: Behavior Graph

Threat name: Shortcut.Trojan.Boxter
Status: Malicious
First seen: 2024-04-05 11:12:04 UTC
File Type: Binary
AV detection: 12 of 37 (32.43%)
Threat level: 5/5

Result
Malware family: rhadamanthys
Score: 10/10
Tags: family:rhadamanthys, stealer
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of WriteProcessMemory
  Enumerates physical storage devices
  Checks computer location settings
  Blocklisted process makes network request
  Rhadamanthys
  Suspicious use of NtCreateUserProcessOtherParentProcess
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: EXE_in_LNK
Author: @bartblaze
Description: Identifies executable artefacts in shortcut (LNK) files.

Rule name: High_Entropy_LNK
Author: @bartblaze
Description: Identifies shortcut (LNK) file with equal or higher entropy than 6.5. Most goodware LNK files have a low entropy, lower than 6.

Rule name: Long_RelativePath_LNK
Author: @bartblaze
Description: Identifies shortcut (LNK) file with a long relative path. Might be used in an attempt to hide the path.

Rule name: PS_in_LNK
Author: @bartblaze
Description: Identifies PowerShell artefacts in shortcut (LNK) files.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments