MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9879548658614428c01bc7c4878bc87d0e2ad57b3621a7aa614e89c32c388e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e9879548658614428c01bc7c4878bc87d0e2ad57b3621a7aa614e89c32c388e7
SHA3-384 hash: 92f8b73a4248dce660df34bda74665149dbc06c7d3056f2da95a8caf55298e3bf85d4184de3ca9aed253aadd44801a37
SHA1 hash: 17cfd9649a4f68ef90c72689820876dbe4ca22d1
MD5 hash: 166d22ed93c723326a6d5fead162fdd3
humanhash: apart-fish-lima-hamper
File name:setup.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:4'586'496 bytes
First seen:2023-03-22 01:27:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 86f73ba4a5b0bd6d0633bc10b0ac18f2 (3 x Rhadamanthys, 1 x Amadey, 1 x Stop)
ssdeep 6144:5WC6Lf8HuLk5z2TPQIonfaFi9G0ei+jvbalhZV9W71:5WC6DiUk5zq4ffaFQG0qjvWPZW
Threatray 330 similar samples on MalwareBazaar
TLSH T1BA26085383A23D44EA258B739F1FC6F8B64DF2709E497B6532199E6B14B02B3C263711
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):PE icon
dhash icon 4058845088009000 (3 x Rhadamanthys)
Reporter Chainskilabs
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
279
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
76feee748612466fbd3f219b1adae8b4.exe
Verdict:
Malicious activity
Analysis date:
2023-03-21 18:56:44 UTC
Tags:
rat redline trojan amadey opendir loader rhadamanthys aurorastealer
Link:
https://app.any.run/tasks/2685e8c0-ce9f-400d-a2d0-b92f148a445b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/376308/
Detection(s):
Win.Packer.pkr_ce1a-9980177-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Sending a custom TCP request
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Detecting VM
Sending an HTTP GET request
Launching a process
Launching the default Windows debugger (dwwin.exe)
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/641a59a3e6d26a096f575e6b/reports/42f3551b-9834-4aee-bf76-56e6d6105c95/overview
Verdict:
Malicious
Labled as:
Babar.Generic
Link:
https://www.hybrid-analysis.com/sample/e9879548658614428c01bc7c4878bc87d0e2ad57b3621a7aa614e89c32c388e7
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Malicious Packer
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/c5556272-511c-4747-9306-459e29e09604
Result
Threat name:
Laplas Clipper, RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1198971
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Creates processes via WMI
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Early bird code injection technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Found potential ransomware demand text
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected AntiVM3
Yara detected Laplas Clipper
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e9879548658614428c01bc7c4878bc87d0e2ad57b3621a7aa614e89c32c388e7/
Threat name:
Win32.Spyware.Rhadamanthys
Create hunting rule
Status:
Malicious
First seen:
2023-03-21 16:35:09 UTC
File Type:
PE (Exe)
Extracted files:
74
AV detection:
21 of 24 (87.50%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5gdzksdfqykefdabxr6eq6f4q7ioflkxwnrbu6vgctujymwdrdtq._file
Verdict:
malicious
Similar samples:
097d2ea2206640a38d027b8e4e5ef23c5ae60f41141e8437b9004d4230c83480
Rhadamanthys
318fdc3e4e806a8640f03c86d2eadc23dd0a04ce1d1f2ce44710c870749dcf09
Rhadamanthys
5f1a56b6cfdd55b401ee5e769a7c60ac886f02f5d425d5514e202b9e12448b87
Rhadamanthys
60b346fe162b2fc00328d09a35696cfe21f22925716d15fe9841f5fb9bc629ab
Rhadamanthys
7a78888d3616fa77722ef3e59d343db0d32e43d62b79d911ae06c9a26707da21
Rhadamanthys
8e5cce74ef320ec2ee182f1b0dee059fc63e671d3644a30e4104e87adc4a045f
Rhadamanthys
93f7b0045c564abad182d9e2006505cef3b68b4beb3a4db787332a31839fd7a0
Rhadamanthys
a8b8116afae21d9c0edaf717611b611b78d0a097c303bfbe596ec4ead69897fe
Rhadamanthys
b1350d4785b6b3c87ff90e62b03cd4863426c36b92340bc09996bef7a4d8750c
Rhadamanthys
cc551bcb062e26f7f34be3e568f915b3bcb2927ba89797e55780e0ed99ff8655
Rhadamanthys
+ 320 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys evasion stealer
Link:
https://tria.ge/reports/230322-bvntvagb3t/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Checks for VirtualBox DLLs, possible anti-VM trick
Checks system information in the registry
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Looks for VMWare Tools registry key
Enumerates VirtualBox registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Looks for VirtualBox Guest Additions in registry
Detect rhadamanthys stealer shellcode
Rhadamanthys
Unpacked files
SH256 hash:
5db892a52fbebbf0298d3b5b2cf0c3ed7f9612a9d337c56bb168be336d28cadb
MD5 hash:
2a7aaf0b7ed9af90a111dd74ad9aa1ad
SHA1 hash:
562c4849728b795a971d755e0c1af872c73aaaed
Link:
https://www.unpac.me/results/7c4334c1-6b65-4ba1-9b72-d78e92cd26d5/
SH256 hash:
e9879548658614428c01bc7c4878bc87d0e2ad57b3621a7aa614e89c32c388e7
MD5 hash:
166d22ed93c723326a6d5fead162fdd3
SHA1 hash:
17cfd9649a4f68ef90c72689820876dbe4ca22d1
Link:
https://www.unpac.me/results/7c4334c1-6b65-4ba1-9b72-d78e92cd26d5/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e98795486586/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e9879548658614428c01bc7c4878bc87d0e2ad57b3621a7aa614e89c32c388e7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:pdb_YARAify
Create hunting rule
Author:@wowabiy314
Description:PDB
Rule name:Windows_Trojan_Smokeloader_3687686f
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe e9879548658614428c01bc7c4878bc87d0e2ad57b3621a7aa614e89c32c388e7

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2567063/
  
URLhaus
https://urlhaus.abuse.ch/url/2566098/
Cape
Cape
https://www.capesandbox.com/analysis/376308/

Comments