MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9d387135a7a4e49eb96fc29d3da8f412d870417bf684b5e8ae91c4a1fbcc6d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 14

Intelligence 14 IOCs YARA File information Comments

SHA256 hash:	f9d387135a7a4e49eb96fc29d3da8f412d870417bf684b5e8ae91c4a1fbcc6d5
SHA3-384 hash:	19d95b64e4b56902cacd4d0b872769ac967237067f5ba550f606c0df224809c5f70df225802ebbee835ede4782390abe
SHA1 hash:	dcf842645127686af3c13f21fa5ea4a760c87c61
MD5 hash:	e179b14f26972c159c58519496978a07
humanhash:	network-kansas-lithium-maryland
File name:	e179b14f26972c159c58519496978a07.exe
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	183'808 bytes
First seen:	2023-03-13 09:27:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f214c5f744673db93dec4b219265fbc2 (11 x Rhadamanthys)
ssdeep	3072:bwevYpKTDMDUDfuuE46lC4PQyfHU6Ig4cjnjFRpbll/XbqefxlS3ETgmBN8vqI5L:sevY8m6u3wB4HzlrzPOefxoEBK7
Threatray	266 similar samples on MalwareBazaar
TLSH	T1DC04E118B2D1C0B9E99B023158BCCA7725FD3E5B8BB0DA47779C19C75D311B896292C3
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	exe Rhadamanthys

Intelligence

File Origin

# of uploads :

# of downloads :

205

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

phorpiex

ID:

File name:

7ff30ef548a0a98110da90cf3580bf0a.exe

Verdict:

Malicious activity

Analysis date:

2023-03-12 17:46:51 UTC

Tags:

phorpiex trojan loader rhadamanthys

Link:

https://app.any.run/tasks/f07ee7c4-1edf-41c8-9e2f-e604ae2be3a9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Rhadamanthys

Link:

https://www.capesandbox.com/analysis/373928/

Detection(s):

SecuriteInfo.com.Variant.Zusy.448594.21369.1306.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Detecting VM

Sending an HTTP GET request

Launching a process

Reading critical registry keys

Searching for the window

Unauthorized injection to a system process

Stealing user critical data

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/72918/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

EvasionGetTickCount

EvasionQueryPerformanceCounter

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

75%

Tags:

greyware shell32.dll

Link:

https://www.filescan.io/uploads/640eeca915e425e0dcc1ca58/reports/fc11c801-7766-4547-81a7-053b4d90babd/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/f9d387135a7a4e49eb96fc29d3da8f412d870417bf684b5e8ae91c4a1fbcc6d5

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/9ffeb34c-3bdf-49a8-9ee7-e5ce5c8ac82f

Result

Threat name:

RHADAMANTHYS

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1192348

Signature

Checks if the current machine is a virtual machine (disk enumeration)

Found many strings related to Crypto-Wallets (likely being stolen)

Found potential ransomware demand text

Hides threads from debuggers

Multi AV Scanner detection for submitted file

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Yara detected AntiVM3

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f9d387135a7a4e49eb96fc29d3da8f412d870417bf684b5e8ae91c4a1fbcc6d5/

Threat name:

Win32.Trojan.Rhadamanthys

Status:

Malicious

First seen:

2023-03-12 07:59:50 UTC

File Type:

PE (Exe)

AV detection:

20 of 23 (86.96%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7hjyoe22pjhet24w7qu5hwupiewyobaxx5uewxuk5eoeuh54y3kq._file

Verdict:

malicious

Rhadamanthys

415850683b95d1e1521a05b0f67758543cfa79c8977611ccbc22b2dcdace0020

Rhadamanthys

4e206df50e3327418c6c9078b720d5faac9b3bac31998e29d1091fc2fd2418bb

Rhadamanthys

563458d0d35d3e4a7809630809229fbe2977eabeb8639ceb677426308c156a3c

Rhadamanthys

7a78888d3616fa77722ef3e59d343db0d32e43d62b79d911ae06c9a26707da21

Rhadamanthys

7d16edee6fbccf5bcb73691b8f69113f3e80c804d66b49e71be48ef21eea30b5

Rhadamanthys

9a526794933f0eb0ff716b3b3043234169ce8747f146d73d8f0492e036cbe15a

Rhadamanthys

a8b8116afae21d9c0edaf717611b611b78d0a097c303bfbe596ec4ead69897fe

Rhadamanthys

df66fe18ba387caa8cb295c5f35bb0a8d208ddadea7a05cef77090cc09a681b1

Rhadamanthys

fc7f4a32ad5d939024f941c04f123edc4e4e51d4974313e001130a2e466119a2

Rhadamanthys

+ 256 additional samples on MalwareBazaar

Result

Malware family:

rhadamanthys

Score:

10/10

Tags:

family:rhadamanthys stealer

Link:

https://tria.ge/reports/230313-lfchdahf39/

Behaviour

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of NtSetInformationThreadHideFromDebugger

Detect rhadamanthys stealer shellcode

Rhadamanthys

Unpacked files

SH256 hash:

f9d387135a7a4e49eb96fc29d3da8f412d870417bf684b5e8ae91c4a1fbcc6d5

MD5 hash:

e179b14f26972c159c58519496978a07

SHA1 hash:

dcf842645127686af3c13f21fa5ea4a760c87c61

Link:

https://www.unpac.me/results/cae507de-8617-45e4-a31a-0b8528a60f8a/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f9d387135a7a/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f9d387135a7a4e49eb96fc29d3da8f412d870417bf684b5e8ae91c4a1fbcc6d5

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

exe f9d387135a7a4e49eb96fc29d3da8f412d870417bf684b5e8ae91c4a1fbcc6d5

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/2568402/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/373928/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample