MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2eaeba4b3b7016304f9c348f973bf57a80dce2969f3a814250a0a506df4a5eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f2eaeba4b3b7016304f9c348f973bf57a80dce2969f3a814250a0a506df4a5eb
SHA3-384 hash: 0fc8f062574b582c93bf31fe8a74b41c135064387862dc3821352cd7878b789b9716817036ccbd8dbcfbda8899347d27
SHA1 hash: 402182f1ae34880a21b25bf94116d42f80791e44
MD5 hash: dcf231abac2aa68b03b99c9b1bf7da5b
humanhash: delaware-berlin-indigo-ohio
File name:dcf231abac2aa68b03b99c9b1bf7da5b.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:825'856 bytes
First seen:2023-01-22 17:14:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash aeb4879c7faeaad5c75f01e7e96ae41d (1 x Rhadamanthys)
ssdeep 24576:AWHMA9r11VUzYSE0LdFqjrJCIWe4ANipwOo1SLh:PXrP1b0nsrJ0Ki4
TLSH T15A05D03F22551182D4E2DF369937BED072BA47278BCEA83C699B58C6101D1E3F712A53
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10523/12/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
215
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dcf231abac2aa68b03b99c9b1bf7da5b.exe
Verdict:
No threats detected
Analysis date:
2023-01-22 17:25:06 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3fc74fb9-c76c-4b52-998b-f722fa7e1b82

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/355658/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Launching a process
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Detecting VM
Connecting to a non-recommended domain
Sending an HTTP GET request
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  9/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/62290/overview
Behaviour
MalwareBazaar
MeasuringTime
SystemUptime
CPUID_Instruction
EvasionQueryPerformanceCounter
EvasionGetTickCount
CheckCmdLine
Verdict:
No Threat
Threat level:
  2/10
Confidence:
67%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/63cd6f1a2d4f6d560e225c25/reports/d88676fd-514e-4369-bc10-f2affd4b852d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Khalesi
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8a9cede2-ecb7-464e-b77d-a8b66f8af1ba
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1156563
Signature
Allocates memory in foreign processes
Checks if the current machine is a virtual machine (disk enumeration)
Contain functionality to detect virtual machines
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to hide a thread from the debugger
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking system information)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Searches for specific processes (likely to inject)
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected AntiVM3
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 789295 Sample: 8WRgBNhzG8.exe Startdate: 22/01/2023 Architecture: WINDOWS Score: 100 32 Snort IDS alert for network traffic 2->32 34 Multi AV Scanner detection for domain / URL 2->34 36 Multi AV Scanner detection for dropped file 2->36 38 7 other signatures 2->38 7 8WRgBNhzG8.exe 1 2->7         started        process3 signatures4 40 Writes to foreign memory regions 7->40 42 Allocates memory in foreign processes 7->42 44 Injects a PE file into a foreign processes 7->44 10 AppLaunch.exe 1 7->10         started        15 conhost.exe 7->15         started        process5 dnsIp6 22 37.220.87.35, 49700, 49702, 49709 ARTEM-CATV-ASRU Russian Federation 10->22 20 C:\Users\user\AppData\...\nsis_uns402f75.dll, PE32+ 10->20 dropped 46 Query firmware table information (likely to detect VMs) 10->46 48 Found evasive API chain (may stop execution after checking system information) 10->48 50 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 10->50 52 10 other signatures 10->52 17 rundll32.exe 10->17         started        file7 signatures8 process9 signatures10 24 System process connects to network (likely due to code injection or exploit) 17->24 26 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->26 28 Tries to steal Mail credentials (via file / registry access) 17->28 30 2 other signatures 17->30
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f2eaeba4b3b7016304f9c348f973bf57a80dce2969f3a814250a0a506df4a5eb/
Threat name:
Win32.Trojan.Babar
Create hunting rule
Status:
Malicious
First seen:
2023-01-20 15:57:05 UTC
AV detection:
13 of 26 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6lvoxjftw4awgbhzyneps457k6ua3trjnhz2qfbfbiffa3puuxvq._file
Verdict:
malicious
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys stealer
Link:
https://tria.ge/reports/230122-vsj8esgf62/
Behaviour
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Detect rhadamanthys stealer shellcode
Rhadamanthys
Unpacked files
SH256 hash:
40041b48f89b3e8a8639122237e8ed6133aa2d5f039d5378e146cec3a691101c
MD5 hash:
37a509529cba587635a3e554c4740c38
SHA1 hash:
e1fae93645e243852f436eb2c829b9066a31a7de
Link:
https://www.unpac.me/results/656fe784-37cb-44e1-b389-813563136aed/
SH256 hash:
f2eaeba4b3b7016304f9c348f973bf57a80dce2969f3a814250a0a506df4a5eb
MD5 hash:
dcf231abac2aa68b03b99c9b1bf7da5b
SHA1 hash:
402182f1ae34880a21b25bf94116d42f80791e44
Link:
https://www.unpac.me/results/656fe784-37cb-44e1-b389-813563136aed/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f2eaeba4b3b7/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f2eaeba4b3b7016304f9c348f973bf57a80dce2969f3a814250a0a506df4a5eb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe f2eaeba4b3b7016304f9c348f973bf57a80dce2969f3a814250a0a506df4a5eb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2515362/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/355658/

Comments