MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e809a311f3bbfcfc796b37783b4bdbd76c4bd59657252ee3fd20150f8a76ccea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e809a311f3bbfcfc796b37783b4bdbd76c4bd59657252ee3fd20150f8a76ccea
SHA3-384 hash: 7bcb1c07247570496d4a4c2b113260cd77a066a79c14944c47ad0d4e8c7829c6daaa07ff8983eb8fa901751663b5b0a3
SHA1 hash: 27e35d0b2563dfe2784a9e953d99bc4dba2ab9b9
MD5 hash: 0572de40b29c53ebe8df22f6875bba9d
humanhash: bulldog-carolina-tennessee-butter
File name:OBS.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:7'049'216 bytes
First seen:2023-01-15 13:08:55 UTC
Last seen:2023-01-15 14:41:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash cd649d0c74c0b1660a728219514692ea (1 x Rhadamanthys)
ssdeep 196608:ech1JnwRSDaTvKuXwk2SA9lE6PI/GR8x1MA8Ra:dJOBKZk2S0P6hvMXa
Threatray 501 similar samples on MalwareBazaar
TLSH T1B6661262514412B0FCF64C339127DCBEA3763D65CEA0687B60C7B99A153A4E26E33673
TrID 32.2% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
20.5% (.EXE) Win64 Executable (generic) (10523/12/4)
12.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
9.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon f0c4b49cd8dcaccc (1 x Rhadamanthys, 1 x RecordBreaker)
Reporter iamdeadlyz
Tags:exe FakeOBS Rhadamanthys


Avatar
Iamdeadlyz
From a sponsored Google search result -> obs-project.festcommerzblog.com
De-pump of 0afc18a6890970fa87b32ea90270db1f723190bba3a4fb24957a901cbacc7de2
Rhadamanthys C&C: 77.91.122.230:80

Intelligence

File Origin
# of uploads :
2
# of downloads :
222
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
OBS.exe
Verdict:
Suspicious activity
Analysis date:
2023-01-15 13:09:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7616af6d-c426-4e4a-8002-77ceb6630436

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/353084/
Detection(s):
SecuriteInfo.com.Win32.Evo-gen.13553.22231.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Detecting VM
Sending an HTTP GET request
Creating a file in the %AppData% directory
Launching a process
Deleting a recently created file
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/60436/overview
Behaviour
MalwareBazaar
Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
packed shell32.dll
Link:
https://www.filescan.io/uploads/63c3faf0de614a115a1660cb/reports/30303c75-4281-4084-b038-b9e68250bb40/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/f8b6bb48-4218-4d11-b522-3065c7fe869b
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1151894
Signature
Checks if the current machine is a virtual machine (disk enumeration)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e809a311f3bbfcfc796b37783b4bdbd76c4bd59657252ee3fd20150f8a76ccea/
Threat name:
Win32.Spyware.Rhadamanthys
Create hunting rule
Status:
Malicious
First seen:
2023-01-15 13:09:10 UTC
File Type:
PE (Exe)
Extracted files:
113
AV detection:
17 of 26 (65.38%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5ae2geptxp6py6llg54dws6325wexvmwk4ss5y75eakq7ctwztva._file
Verdict:
malicious
Label(s):
raccoon
Create hunting rule
Similar samples:
1a26f913157ad417326e84278e34076d240621da8f5cf3c82b3debd31c988101
Rhadamanthys
591efac1879c1ec4079d2435e256d6ac654031cb477a0ba9b141c84a6ea51eb1
Rhadamanthys
84fcfc88df2041347b749df08d82fdb951f0335567ac9e5f1828e84084542e1f
Rhadamanthys
9146cee3d387cb3d665885b95d885734541f281cbb2a4726b6a59df922a83ee7
Rhadamanthys
b0a22e9a9850fa4356f5603905f45645489ae04d60d630772b3b8227a21b1956
Rhadamanthys
d719df850d62a455d34bf2a5847b36e6d267047824b2e96b7c4c9cdfbd9737e3
Rhadamanthys
ef2dd208f149f8ae0741c2cf4fa5270e8d54c35e161f88aad9b109c679e211a2
Rhadamanthys
fb651d07bc1ee0b1676123399c358c9f3a276448b4938b46cfd2b9b701956913
Rhadamanthys
fee1d36af03a162f70a627c7cd3efa55b0557530d7eefbe8c72026f48b904595
Rhadamanthys
+ 491 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys stealer
Link:
https://tria.ge/reports/230115-qdsh2aah81/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of NtSetInformationThreadHideFromDebugger
Detect rhadamanthys stealer shellcode
Rhadamanthys
Unpacked files
SH256 hash:
e809a311f3bbfcfc796b37783b4bdbd76c4bd59657252ee3fd20150f8a76ccea
MD5 hash:
0572de40b29c53ebe8df22f6875bba9d
SHA1 hash:
27e35d0b2563dfe2784a9e953d99bc4dba2ab9b9
Link:
https://www.unpac.me/results/4820c6ff-950d-4102-9c31-2adc896c16c7/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e809a311f3bb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.21
Link:
https://yomi.yoroi.company/submissions/e809a311f3bbfcfc796b37783b4bdbd76c4bd59657252ee3fd20150f8a76ccea

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

zip 4daaba19d412cdf3838a0c373cdc9b7cfc26423723307482e4b0f946909c726e

Rhadamanthys

Executable exe e809a311f3bbfcfc796b37783b4bdbd76c4bd59657252ee3fd20150f8a76ccea

(this sample)

  
Dropped by
SHA256 4daaba19d412cdf3838a0c373cdc9b7cfc26423723307482e4b0f946909c726e
  
Dropped by
SHA256 9b56f14d9c10d4b98c15bb6c59688e7bf736403d1b048c38958963862d4590e7
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/353084/
  
URLhaus
https://urlhaus.abuse.ch/url/2508437/
  
Dropped by
MD5 7b1c74e08d42757792cb935800da1e75
  
Dropped by
MD5 af6b724b261b10c45f916d862b727f90

Comments