MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e74135c647bb065e27f85b5bedb57b63c5731df0dd5d92877187be3cf6a2594e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	e74135c647bb065e27f85b5bedb57b63c5731df0dd5d92877187be3cf6a2594e
SHA3-384 hash:	e14403a79afab79c2d542daf92c9a359e3ed39f08c6e3f0be59c29110d4cd82529d42b5c2914403266867bc92adb531b
SHA1 hash:	3d2cba739389d5b82601f4976719434a385c3f24
MD5 hash:	7f1fb038ce59b5f4808ae37a9c3be0f6
humanhash:	washington-november-solar-earth
File name:	7f1fb038ce59b5f4808ae37a9c3be0f6.exe
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	2'981'888 bytes
First seen:	2024-12-04 13:39:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6cd1955b3508e1b7bae36e00ef841662 (12 x Rhadamanthys, 1 x AsyncRAT)
ssdeep	49152:SVHFXSzmqiDqCbm1gickVsPTwuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuTuuuuR:SVHFXSzmqsegfkVsMuuuuuuuuuuuuuuu
TLSH	T1E5D5AE41F28181B1DD5276B05273D6B54672AEF8A73A80CF61D63F1B3B722E25A33346
TrID	62.2% (.EXE) InstallShield setup (43053/19/16) 15.2% (.EXE) Win64 Executable (generic) (10522/11/4) 7.2% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.5% (.EXE) Win32 Executable (generic) (4504/4/1) 2.9% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
File icon (PE):
dhash icon	d4c4c4d8ccd4f0cc (241 x AgentTesla, 65 x Loki, 41 x Formbook)
Reporter	abuse_ch
Tags:	exe Rhadamanthys

Intelligence

File Origin

# of uploads :

# of downloads :

390

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

7f1fb038ce59b5f4808ae37a9c3be0f6.exe

Verdict:

No threats detected

Analysis date:

2024-12-04 14:31:54 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6b6b4e99-f7ee-4364-bae6-a980781addc6

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=67505cc7bc8c6beb30759f1b

Tags:

shellcode virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

evasive fingerprint microsoft_visual_cc packed packed packer_detected rat

Link:

https://www.filescan.io/uploads/67505bb97bae4cb48200602c/reports/f7338996-586f-4554-b06e-accdcea54204/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_60%

Link:

https://www.hybrid-analysis.com/sample/e74135c647bb065e27f85b5bedb57b63c5731df0dd5d92877187be3cf6a2594e

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/33fcb6d4-872e-429e-a214-848df3352abc

Result

Threat name:

RHADAMANTHYS

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1568324

Signature

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops large PE files

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Switches to a custom stack to bypass stack traces

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

33%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/e74135c647bb065e27f85b5bedb57b63c5731df0dd5d92877187be3cf6a2594e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e74135c647bb065e27f85b5bedb57b63c5731df0dd5d92877187be3cf6a2594e/

Threat name:

Win32.Spyware.Rhadamanthys

Status:

Malicious

First seen:

2024-12-04 13:40:26 UTC

File Type:

PE (Exe)

Extracted files:

128

AV detection:

20 of 38 (52.63%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=45atlrshxmdf4j7ylnn63nl3mpcxghpq3vozfb3rq67dz5vclfha._file

Result

Malware family:

n/a

Score:

6/10

Tags:

discovery persistence

Link:

https://tria.ge/reports/241204-qyjfvsslaj/

Behaviour

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Adds Run key to start application

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/79041eb7-09ff-45a3-b9ce-ba9639bf0ca8

Unpacked files

SH256 hash:

4d774508fe3dcc542ddffda6ff2ec86d01c846b28290fa6f7967b9b4642376a2

MD5 hash:

5c12f405e069ea30aa79021fd4355f7a

SHA1 hash:

875b0a0c2ab206d168910d593a9184948516caaf

Link:

https://www.unpac.me/results/0ecf3f87-5900-46eb-8814-ca5541e45538/

SH256 hash:

e74135c647bb065e27f85b5bedb57b63c5731df0dd5d92877187be3cf6a2594e

MD5 hash:

7f1fb038ce59b5f4808ae37a9c3be0f6

SHA1 hash:

3d2cba739389d5b82601f4976719434a385c3f24

Link:

https://www.unpac.me/results/0ecf3f87-5900-46eb-8814-ca5541e45538/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e74135c647bb/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e74135c647bb065e27f85b5bedb57b63c5731df0dd5d92877187be3cf6a2594e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	meth_stackstrings Create hunting rule
Author:	Willi Ballenthin

Rule name:	RansomPyShield_Antiransomware Create hunting rule
Author:	XiAnzheng
Description:	Check for Suspicious String and Import combination that Ransomware mostly abuse(can create FP)

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

exe e74135c647bb065e27f85b5bedb57b63c5731df0dd5d92877187be3cf6a2594e

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3319774/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_NX	Missing Non-Executable Memory Protection	critical
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
COM_BASE_API	Can Download & Execute components	ole32.dll::CoCreateInstance ole32.dll::CoFreeUnusedLibraries
MULTIMEDIA_API	Can Play Multimedia	GDI32.dll::StretchDIBits WINMM.dll::timeBeginPeriod WINMM.dll::timeEndPeriod WINMM.dll::timeGetDevCaps WINMM.dll::timeGetTime WINMM.dll::timeKillEvent
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CreateProcessA KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetSystemInfo KERNEL32.dll::GetStartupInfoA KERNEL32.dll::GetCommandLineW KERNEL32.dll::GetCommandLineA
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CopyFileA KERNEL32.dll::CopyFileW KERNEL32.dll::CreateDirectoryA KERNEL32.dll::CreateDirectoryW KERNEL32.dll::CreateFileA KERNEL32.dll::CreateFileW KERNEL32.dll::CreateFileMappingA
WIN_CRYPT_API	Uses Windows Crypt API	CRYPT32.dll::CertFindCertificateInStore CRYPT32.dll::CertFreeCertificateContext CRYPT32.dll::CertVerifySubjectCertificateContext CRYPT32.dll::CryptGetMessageCertificates CRYPT32.dll::CryptVerifyMessageSignature
WIN_REG_API	Can Manipulate Windows Registry	ADVAPI32.dll::RegCreateKeyA ADVAPI32.dll::RegOpenKeyExA ADVAPI32.dll::RegOpenKeyExW ADVAPI32.dll::RegQueryValueExA ADVAPI32.dll::RegQueryValueExW ADVAPI32.dll::RegSetValueExA ADVAPI32.dll::RegSetValueA
WIN_USER_API	Performs GUI Actions	USER32.dll::EmptyClipboard USER32.dll::OpenClipboard USER32.dll::PeekMessageA USER32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample