MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 edc80538698a669a544fb8732e64bd8099260b8e2eb9e236e359463a71dcc7b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 12

Intelligence 12 IOCs YARA 6 File information Comments

SHA256 hash:	edc80538698a669a544fb8732e64bd8099260b8e2eb9e236e359463a71dcc7b6
SHA3-384 hash:	45d9a3d31a8aca240782e67c3095fa82685fb8ca9611fc9834f40ffb4f43021f82fa2e51a8ade20e3707132c82113e62
SHA1 hash:	5bd07ad299028e85eb4713874ad4cb62eef1b5b7
MD5 hash:	b59c7859686cea762326f38b0a5e0013
humanhash:	april-oregon-lima-bravo
File name:	5106e2ce7b7d7cbf0c102740d0a81731b0593cc330ac916e4a1981bf
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	466'944 bytes
First seen:	2023-10-19 17:43:52 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	eca0c30b65294d02a6c6180a6b323b58 (10 x Rhadamanthys)
ssdeep	6144:2uWP/BtSnurUylcrGYlnIttxv8HbcLgsd1Gus5psdrvV44dixP+MHDkBYdxtG9+I:2uWP/BZUyoLu8Agsmxwrvejkd2
Threatray	46 similar samples on MalwareBazaar
TLSH	T197A45C56AFC33EC0DF89A6B24800FBAE176E4275CA42D0C4BD6CE5525B275A7D70B234
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	r3dbU7z
Tags:	exe Rhadamanthys

Intelligence

File Origin

# of uploads :

# of downloads :

344

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

5106e2ce7b7d7cbf0c102740d0a81731b0593cc330ac916e4a1981bf

Verdict:

No threats detected

Analysis date:

2023-10-19 17:44:34 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/4cf7c1dd-58da-401d-851b-64a61b6b68eb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

Win.Packed.Mansabo-10009936-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Сreating synchronization primitives

Sending a custom TCP request

Gathering data

Verdict:

Malicious

Threat level:

2.5/10

Confidence:

100%

Tags:

greyware

Link:

https://www.filescan.io/uploads/65316ae4afc17c7912f90d90/reports/44eb775e-9735-4cd2-a6f8-40976ffbb6c0/overview

Verdict:

Malicious

Labled as:

Trojan.Mansabo

Link:

https://www.hybrid-analysis.com/sample/edc80538698a669a544fb8732e64bd8099260b8e2eb9e236e359463a71dcc7b6

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/906a56da-c82f-4c71-95e9-56625e1e7776

Result

Threat name:

RHADAMANTHYS

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1328871

Signature

Antivirus / Scanner detection for submitted sample

C2 URLs / IPs found in malware configuration

Found malware configuration

Multi AV Scanner detection for submitted file

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/edc80538698a669a544fb8732e64bd8099260b8e2eb9e236e359463a71dcc7b6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/edc80538698a669a544fb8732e64bd8099260b8e2eb9e236e359463a71dcc7b6/

Threat name:

Win32.Spyware.Rhadamanthys

Status:

Malicious

First seen:

2023-10-19 17:44:06 UTC

File Type:

PE (Exe)

AV detection:

20 of 24 (83.33%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5xeakodjrjtjuvcpxbzs4zf5qcmsmc4of246enxdlfddu4o4y63a._file

Verdict:

malicious

Rhadamanthys

6209b24f9ecaed037484199423f1151f9c7883196c58cd8faf2430ca219885cf

Rhadamanthys

6a14114aa3bebe58ae76c66e7688f77a0e0e031cf048004f6bb670aab6344eeb

Rhadamanthys

70debce3a545cacca8b0bdb6008945852084b36e9160424fb63479c2991dcade

Rhadamanthys

795b951e16aa4aa0557c24eedad4897e457864838393fcf66220da85ad8be9d8

Rhadamanthys

a67f1138221609ff370c3ae6cee3fa78b89e2e1d9538d95e4bb1521c49cf5edb

Rhadamanthys

b45536b641815e8e230c3519ee7b9dcb4bf186ed2f4dc73b4be00066550731aa

Rhadamanthys

f0fdafa368b856b837a7f9ea91945e72f620792018f98626d9c44ef9ee948959

Rhadamanthys

fab5850b79de211ba1d789f80a4684657b3a79c849d46761decb2de95931162b

Rhadamanthys

ff38415bfa7f2db5ba40f26e64ede0676971c441823d2ec2755d644d8905d809

Rhadamanthys

+ 36 additional samples on MalwareBazaar

Result

Malware family:

rhadamanthys

Score:

10/10

Tags:

family:rhadamanthys stealer

Link:

https://tria.ge/reports/231019-wa5xvahf8t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Detect rhadamanthys stealer shellcode

Rhadamanthys

Unpacked files

SH256 hash:

edc80538698a669a544fb8732e64bd8099260b8e2eb9e236e359463a71dcc7b6

MD5 hash:

b59c7859686cea762326f38b0a5e0013

SHA1 hash:

5bd07ad299028e85eb4713874ad4cb62eef1b5b7

Detections:

RhadamanthysLoader

win_brute_ratel_c4_w0

Link:

https://www.unpac.me/results/6ad2db0f-69e9-40af-863f-dcd6adbaf538/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BruteSyscallHashes Create hunting rule
Author:	Embee_Research @ Huntress

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	win_bruteratel_syscall_hashes_oct_2022 Create hunting rule
Author:	Embee_Research @ Huntress
Description:	Detection of Brute Ratel Badger via api hashes of Nt* functions.

Rule name:	win_brute_ratel_c4_w0 Create hunting rule
Author:	Embee_Research @ Huntress

Rule name:	win_Brute_Syscall_Hashes Create hunting rule
Author:	Embee_Research @ Huntress
Description:	Detection of Brute Ratel Badger via api hashes of Nt* functions.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

exe edc80538698a669a544fb8732e64bd8099260b8e2eb9e236e359463a71dcc7b6

(this sample)

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample