MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f94518de36a848e31a974f39dba62b8265ec2d453a8da7bba48b291b468954ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 12

SHA256 hash: f94518de36a848e31a974f39dba62b8265ec2d453a8da7bba48b291b468954ce
SHA3-384 hash: dade8cdd66755734881863bbbd69bf000b962a167048e32721bd74b61375ec097830c986d7056c932ce8a7a97616071e
SHA1 hash: aecbeafa848cb138e3f041213b99c5e859209757
MD5 hash: 7f56fb203600c1613100e933373bf3b2
humanhash: freddie-dakota-florida-fix
File name: file
Signature: Rhadamanthys
File size: 489'984 bytes
First seen: 2024-02-07 13:46:01 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9cbe07299899d36fced0522536c0d21e (1 x Rhadamanthys, 1 x RiseProStealer)
ssdeep: 12288:PGx+GcntZwMCGBe5xcS5x0nKAOgUuXIS5lo5+LWQ0xLZ:G+hntZH3rKh5u5/zYZ
Threatray: 46 similar samples on MalwareBazaar
TLSH: T16FA40221F5F3D0B1D9EB86F0A871DAA45E3B78B26179C18F7324076E6F602C04A56736
TrID:
  46.6% (.CPL) Windows Control Panel Item (generic) (57583/11/19)
  25.2% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  8.5% (.EXE) Win64 Executable (generic) (10523/12/4)
  5.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  4.0% (.EXE) Win16 NE executable (generic) (5038/12/1)
dhash icon: 07030a1216020200 (1 x Rhadamanthys)
Reporter: jstrosch
Tags: exe Rhadamanthys


jstrosch
Found at hxxp://5.42.65[.]115/files/EU.file by #subcrawl

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 277
Origin country: US
Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: fingerprint packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: FlashDevelop
Verdict: Malicious
Result
Threat name: RHADAMANTHYS
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RHADAMANTHYS Stealer
Threat name: Win32.Spyware.Rhadamanthys
Status: Malicious
First seen: 2024-02-07 13:22:44 UTC
File Type: PE (Exe)
Extracted files: 15
AV detection: 28 of 38 (73.68%)
Threat level: 2/5
Result
Malware family: rhadamanthys
Score: 10/10
Tags: family:rhadamanthys stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SHA256 hash: 2d13a01021d1d303533101cddb55c01b40e565872f82621b0273d65b9409283e
MD5 hash: 991bcb8f05281598b6468a89d71696b9
SHA1 hash: 36b0138d5b92ea299c60658f98e8b65d8d34cac7
SHA256 hash: f94518de36a848e31a974f39dba62b8265ec2d453a8da7bba48b291b468954ce
MD5 hash: 7f56fb203600c1613100e933373bf3b2
SHA1 hash: aecbeafa848cb138e3f041213b99c5e859209757
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe f94518de36a848e31a974f39dba62b8265ec2d453a8da7bba48b291b468954ce (this sample)

Delivery method: Distributed via web download

Comments