MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0d8e7a12ffa3feb00814259a2ea750ab121c3f4b049ce82f5f3ec16579807c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e0d8e7a12ffa3feb00814259a2ea750ab121c3f4b049ce82f5f3ec16579807c0
SHA3-384 hash: c43ee048ee42f138430c6cf67deca55b987c4908ecaa3d0cc6a496cfea0bde222d6b7aad818a88939f9a3170ad80e114
SHA1 hash: fd5d2ce0f00d4dfcf47d09278353ed670e64a6b1
MD5 hash: 610932b122af72325aa348bb7cf887eb
humanhash: magazine-pasta-batman-white
File name:Creatures.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:5'514'240 bytes
First seen:2023-03-20 14:45:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ef0765f1f3cc8c246720c1fff425a5b7 (1 x Rhadamanthys)
ssdeep 98304:8trNOFuaf3sB/LO/YjMqOu0s3RkJvp8BpjXqSTToJFYlG:8trQFQBNMqOu0shkz8BpLx4JClG
Threatray 434 similar samples on MalwareBazaar
TLSH T1F746336E0FA9A694D121A6380103D14831DEFC5AA846CD0EB439BFABF93D3D1C674B57
TrID 52.9% (.EXE) Win32 Executable (generic) (4505/5/1)
23.5% (.EXE) Generic Win/DOS Executable (2002/3)
23.5% (.EXE) DOS Executable Generic (2000/1)
File icon (PE):PE icon
dhash icon f0e894aaaca4d8f0 (1 x Rhadamanthys)
Reporter iamdeadlyz
Tags:77-91-68-146 exe FakeCryptureWorld Rhadamanthys


Avatar
Iamdeadlyz
From worldofcreatures.io (fake copycat of Crypture World - cryptureworld.com)
Dropper retrieves from https://worldofcreatures.io/update/Creatures.zip
De-pump of 43a4f88caa59815979c9e3158548b762c912482b499bffbfc687a25bfd1e151c
Rhadamanthys C&C: 77.91.68.146:8080

Intelligence

File Origin
# of uploads :
1
# of downloads :
304
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Creatures.exe
Verdict:
Malicious activity
Analysis date:
2023-03-20 14:50:56 UTC
Tags:
rhadamanthys
Link:
https://app.any.run/tasks/fe83ade1-ab36-44ca-9a4a-71962c9a2057

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Rhadamanthys
Create hunting rule
Link:
https://www.capesandbox.com/analysis/375960/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Searching for analyzing tools
Sending a custom TCP request
Сreating synchronization primitives
Sending an HTTP GET request
Launching a process
Reading critical registry keys
Unauthorized injection to a system process
Stealing user critical data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
greyware packed shell32.dll
Link:
https://www.filescan.io/uploads/641871ab3b01ade53e6fb29c/reports/1d525629-3ff6-4a7d-84df-a3f9779e11cb/overview
Verdict:
Malicious
Labled as:
Jaik.Generic
Link:
https://www.hybrid-analysis.com/sample/e0d8e7a12ffa3feb00814259a2ea750ab121c3f4b049ce82f5f3ec16579807c0
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e10a8b90-1842-4b16-b24c-8c68b7acde0e
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1197780
Signature
Allocates memory in foreign processes
Detected unpacking (changes PE section rights)
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential ransomware demand text
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e0d8e7a12ffa3feb00814259a2ea750ab121c3f4b049ce82f5f3ec16579807c0/
Threat name:
Win32.Spyware.Rhadamanthys
Create hunting rule
Status:
Malicious
First seen:
2023-03-20 14:46:11 UTC
File Type:
PE (Exe)
Extracted files:
53
AV detection:
15 of 24 (62.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4dmopijp7i76waebijm2f2tvbkysdq7uwbe45axv6pwbmv4ya7aa._file
Verdict:
malicious
Similar samples:
1b889c292805d6d53f2884f560c72ed20ed525db3f2d7b91d271bf8cba24f73a
Rhadamanthys
3d4a0e8acc9c3b87dc1af95e584c3b6d834c9fae3d0f7ee0ce1b2ecb49257cc5
Rhadamanthys
5931fac14fecb22cacb5cd495e2b49ead9bd6354ca9678257a5bc7929395db98
Rhadamanthys
98c37baf4260e7d8356e75e115536d22a133a1c38d97b345de193c4f281fb023
Rhadamanthys
a860f0a0550d4e011d2fa244f01892f163d218f036c273e78851ab383d361843
Rhadamanthys
b3c16003d613c90f1741bf5b9cf2f2ceb3eac08da27dacefd8162364838a3227
Rhadamanthys
c732e2929b06b26edb894ac000468d4b263e6284ce2c7731732a1b03bae56ad8
Rhadamanthys
fd19241e3dbb2519f4f10b8e415e5dee056a7f2894bd7b0e7000a544147caf0a
Rhadamanthys
fd77a789e1cdaee10a146bb935c8a29515a009316f1dbb9e99789eede43e3189
Rhadamanthys
+ 424 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys collection evasion stealer trojan
Link:
https://tria.ge/reports/230320-r5amzaea58/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of NtSetInformationThreadHideFromDebugger
Accesses Microsoft Outlook profiles
Checks whether UAC is enabled
Checks BIOS information in registry
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Detect rhadamanthys stealer shellcode
Rhadamanthys
Unpacked files
SH256 hash:
2615518d47c6a615191ebdee362cb123ed883ff53d6fdd8fd69a795c7ccd0a40
MD5 hash:
e918c8947480fd2b2b6b286db7af62ea
SHA1 hash:
da6871a41a4ca97f8a8de260dd343f5fe414cbb3
Link:
https://www.unpac.me/results/d4e3cb79-54c3-4ff8-87c5-e0e9e3c7efd5/
SH256 hash:
e0d8e7a12ffa3feb00814259a2ea750ab121c3f4b049ce82f5f3ec16579807c0
MD5 hash:
610932b122af72325aa348bb7cf887eb
SHA1 hash:
fd5d2ce0f00d4dfcf47d09278353ed670e64a6b1
Link:
https://www.unpac.me/results/d4e3cb79-54c3-4ff8-87c5-e0e9e3c7efd5/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e0d8e7a12ffa/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e0d8e7a12ffa3feb00814259a2ea750ab121c3f4b049ce82f5f3ec16579807c0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:INDICATOR_EXE_Packed_MPress
Create hunting rule
Author:ditekSHen
Description:Detects executables built or packed with MPress PE compressor
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:TeslaCryptPackedMalware
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

0bc9384f5c5395312a68af04a7f0e4da7bd28bcc35935d09c252f79e4a90df58

Rhadamanthys

Executable exe e0d8e7a12ffa3feb00814259a2ea750ab121c3f4b049ce82f5f3ec16579807c0

(this sample)

  
Dropped by
SHA256 0bc9384f5c5395312a68af04a7f0e4da7bd28bcc35935d09c252f79e4a90df58
  
Dropped by
SHA256 3a3ebe79d6ea3e12e7c9e0e044565f700d92600fdfda60c4a9cacc0e5c752987
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/375960/
  
URLhaus
https://urlhaus.abuse.ch/url/2578653/
  
URLhaus
https://urlhaus.abuse.ch/url/2578655/
  
Dropped by
MD5 bab69d4b5e90da9ff769f49a8fecd97f

Comments