MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc6ddb1f7644597b84d14e3efa4cd1a1d1ad0083141b3fa2a613cd3c092f6505. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 15


Intelligence 15 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fc6ddb1f7644597b84d14e3efa4cd1a1d1ad0083141b3fa2a613cd3c092f6505
SHA3-384 hash: d2dfceda69a12bb98e06e4ca7ed4c0f4e17bcaa2acb14ac72f66e812975b7e899c8bc7178a008f196ef3229e3a4184b1
SHA1 hash: 15a2796b6b77bd1f03eb0a30cfeb7e3c2f0a0631
MD5 hash: 69773ff9cddbe895d0c1a7c381e15d81
humanhash: finch-twenty-july-alanine
File name:69773ff9cddbe895d0c1a7c381e15d81.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:2'116'096 bytes
First seen:2023-06-25 07:37:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 49152:NZVlrVqLTyYBYTKiJHZ+guvLN09WIfw8eZrjwMmPK:7hIGKiJk7LN09WKOdMMmy
Threatray 127 similar samples on MalwareBazaar
TLSH T186A5233413588F72EDEF0374B05693064BF6C89B7A8AE7BF543996882853F71CC125A6
TrID 67.7% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.7% (.EXE) Win64 Executable (generic) (10523/12/4)
6.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.1% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter abuse_ch
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
290
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
azorult
Create hunting rule
ID:
1
File name:
69773ff9cddbe895d0c1a7c381e15d81.exe
Verdict:
Malicious activity
Analysis date:
2023-06-25 07:41:48 UTC
Tags:
rat azorult trojan zgrat
Link:
https://app.any.run/tasks/4945f684-0803-43b0-aead-604f586fc6fd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Rhadamanthys
Create hunting rule
Link:
https://www.capesandbox.com/analysis/402580/
Detection(s):
SecuriteInfo.com.Win32.PWSX-gen.21349.16324.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Sending a custom TCP request
Launching a process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin packed
Link:
https://www.filescan.io/uploads/6497eeddee55f1e1b4b545f0/reports/2282f743-6e79-451d-be97-a008d7b7f636/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/fc6ddb1f7644597b84d14e3efa4cd1a1d1ad0083141b3fa2a613cd3c092f6505
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/eeeb9641-6083-4eb5-aa5c-f3cc27fce16b
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1261047
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Deletes itself after installation
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 894065 Sample: PO2Gk3q8pA.exe Startdate: 25/06/2023 Architecture: WINDOWS Score: 100 49 nickshort.ug 2->49 51 falling.ug 2->51 59 Multi AV Scanner detection for domain / URL 2->59 61 Found malware configuration 2->61 63 Multi AV Scanner detection for submitted file 2->63 65 8 other signatures 2->65 9 PO2Gk3q8pA.exe 3 2->9         started        13 CanReuseTransform.exe 1 2->13         started        signatures3 process4 file5 39 C:\Users\user\AppData\Local\...\BLIrlccnw.exe, PE32 9->39 dropped 41 C:\Users\user\AppData\...\PO2Gk3q8pA.exe.log, ASCII 9->41 dropped 67 Injects a PE file into a foreign processes 9->67 15 PO2Gk3q8pA.exe 1 9->15         started        18 BLIrlccnw.exe 1 9->18         started        21 WmiPrvSE.exe 9->21         started        23 PO2Gk3q8pA.exe 9->23         started        69 Machine Learning detection for dropped file 13->69 25 CanReuseTransform.exe 13->25         started        signatures6 process7 dnsIp8 53 91.103.252.25, 49694, 49698, 49699 HOSTGLOBALPLUS-ASRU Russian Federation 15->53 27 certreq.exe 3 15->27         started        55 Machine Learning detection for dropped file 18->55 57 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 18->57 31 BLIrlccnw.exe 5 18->31         started        33 )]6r_~{.exe 21->33         started        35 4gr7NVz.exe 21->35         started        signatures9 process10 file11 43 C:\Users\user\AppData\Local\...\4gr7NVz.exe, PE32+ 27->43 dropped 45 C:\Users\user\AppData\Local\...\)]6r_~{.exe, PE32 27->45 dropped 71 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 27->71 73 Tries to steal Mail credentials (via file / registry access) 27->73 75 Tries to harvest and steal browser information (history, passwords, etc) 27->75 79 3 other signatures 27->79 37 conhost.exe 27->37         started        47 C:\Users\user\...\CanReuseTransform.exe, PE32 31->47 dropped 77 Machine Learning detection for dropped file 33->77 signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fc6ddb1f7644597b84d14e3efa4cd1a1d1ad0083141b3fa2a613cd3c092f6505/
Threat name:
Win32.Spyware.Rhadamanthys
Create hunting rule
Status:
Malicious
First seen:
2023-06-25 06:26:38 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
22 of 37 (59.46%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7rw5wh3wirmxxbgrjy7putgruhi22aedcqnt7ivgcpgtycjpmucq._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
03fcf785b17d2ef8014c2bc90129da267f899218312c789ce94ee24e9a97c105
Rhadamanthys
0fe833966ffd7dc6723991d4b4561f039f488ce774de7c5c6b6f9ad7a006b595
Rhadamanthys
1c758992ed57930115ba585a43bc0a7a750a476206cf1999bf3333f26fc230f2
Rhadamanthys
2dc6a762fbcc017cddee0b0099ffcc61af6336f4444e911997e4af2635c8f183
Rhadamanthys
509876bf98ee51fc5d7a4d6af1244227fccd94a556a9c85dd9bdf535d8619b39
Rhadamanthys
6620065fb747acd80ed59d91d4b76316b9402c739530a8436e36f188e9a3f03f
Rhadamanthys
6958b67fa4b8e6b4cb8a503cb6199b81c6df7491a97ec8edf51662e350078fda
Rhadamanthys
8ef5c190b1b13bb8fdf5c06fbd8cec9bb68e9aea39d5eacd0dcc011bc6e726ee
Rhadamanthys
963f054c289e0855e2d119fa2e290bcc3a1d7787c60ed226fb6512b52b3750c5
Rhadamanthys
a68cd42b12ffb9ca676649961481f4f0f825db7cddda46f1d20f160c4ca7b0df
Rhadamanthys
+ 117 additional samples on MalwareBazaar
Result
Malware family:
azorult
Create hunting rule
Score:
  10/10
Tags:
family:azorult collection discovery infostealer spyware stealer trojan
Link:
https://tria.ge/reports/230625-jgdqqaed71/
Behaviour
Checks processor information in registry
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Drops file in System32 directory
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Checks installed software on the system
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Azorult
Suspicious use of NtCreateUserProcessOtherParentProcess
Malware Config
C2 Extraction:
http://195.245.112.115/index.php
Unpacked files
SH256 hash:
c834dcfc105342202259fc4c970afe14228dcb06111795db2dcc0a38c940a8d7
MD5 hash:
dc05369132b21ad223436e992b25a2ba
SHA1 hash:
fe5f6a0f6f2e557a15daf90e41587810ac5e2295
Link:
https://www.unpac.me/results/4d915db1-c513-4c49-8717-bbfcafeafa94/
SH256 hash:
e2ce39b7942352303b4ae2169b2db61fd910b294f92976eb5f568f793f4cb98d
MD5 hash:
af86d664c541e91e5457f614e750e1f2
SHA1 hash:
3376a1f5f6bc7fd7e191d3e74bbcef74fd36fcb8
Link:
https://www.unpac.me/results/4d915db1-c513-4c49-8717-bbfcafeafa94/
SH256 hash:
4d1f733b69defc3bda9bd73126aa0d1e124ca63dfe61bed4c28d5b1f31eab9bf
MD5 hash:
0e9525c97007498a7c61bb24a5c7a5b4
SHA1 hash:
0338eee1f8ee68bece3c66e86b703f988d6c1003
Link:
https://www.unpac.me/results/4d915db1-c513-4c49-8717-bbfcafeafa94/
SH256 hash:
69bf0f41c20d1db29337ac9d76710a646ceed01be2f692fc4357eed8abfbb730
MD5 hash:
b5bd001e88ab44ae9edf87de2a7923d7
SHA1 hash:
e1c0beb788dead4e67f130486568e62068d2be81
Detections:
win_brute_ratel_c4_w0
Create hunting rule
Link:
https://www.unpac.me/results/4d915db1-c513-4c49-8717-bbfcafeafa94/
SH256 hash:
51e838692dc419e88bc0572cc6b2e44ddc0bd95e1a67f9d46fe9c654242cdd5a
MD5 hash:
28f7ee9503041eaf311bbbb5c5d2dae3
SHA1 hash:
f979d235612e21fce147e05bcbe45d2fd91a1383
Link:
https://www.unpac.me/results/4d915db1-c513-4c49-8717-bbfcafeafa94/
SH256 hash:
a3ec13e9da3e2b72787b0acdf8f95b915b79fa437cc2f130a5bf35ddbfd67ef3
MD5 hash:
2adfd613a54272d942c84b05a5267efb
SHA1 hash:
dc6b3b8cdb1fa3d25e1f9e44432c23065cdba976
Link:
https://www.unpac.me/results/4d915db1-c513-4c49-8717-bbfcafeafa94/
SH256 hash:
5f90ec973617cbdf008a4cb51e4a1f2d91dc61a6e584313818052d9a34132f37
MD5 hash:
2503693637caa2bc52d5ed30212dab53
SHA1 hash:
97288a7c78a6aa3b854f2c13bd291ba113a41925
Link:
https://www.unpac.me/results/4d915db1-c513-4c49-8717-bbfcafeafa94/
SH256 hash:
dc6cb8e7add352f58f01d78be9fc71d2c2edf968736c3554601603ad99434263
MD5 hash:
f2325ff41feefc73981633dba6bea680
SHA1 hash:
7b8b53117c6a94b3fb6662853d32875d9b3de6c7
Link:
https://www.unpac.me/results/4d915db1-c513-4c49-8717-bbfcafeafa94/
SH256 hash:
2c1cb4176d42f431d43fd692123148d451165195001661fe5ced9292873d41b3
MD5 hash:
e0215abc1fe729b2bf70c58828fdc7e3
SHA1 hash:
77b6cfe52f3eaa321cf0aeb2bb2af4f7ff8ed182
Link:
https://www.unpac.me/results/4d915db1-c513-4c49-8717-bbfcafeafa94/
SH256 hash:
c2061f2b7856cda556570a83ba325c684a2a72fed77eb322ae661714a77c9040
MD5 hash:
fc6f64c6b52d80c505cc7d6f04d0952e
SHA1 hash:
1c472c2ceb83bfcd5adc6770e35594a5b0ec5390
Link:
https://www.unpac.me/results/4d915db1-c513-4c49-8717-bbfcafeafa94/
SH256 hash:
c27090443f99070d11b7355c829f5aead7c0152bc366b3a90a1c13b2a19d8a59
MD5 hash:
e9b9554fa6beefc4ef75b0fee69c3e94
SHA1 hash:
1b1a4f141e7f1dffc8f8d2264843fb5bba27fcec
Link:
https://www.unpac.me/results/4d915db1-c513-4c49-8717-bbfcafeafa94/
SH256 hash:
fc6ddb1f7644597b84d14e3efa4cd1a1d1ad0083141b3fa2a613cd3c092f6505
MD5 hash:
69773ff9cddbe895d0c1a7c381e15d81
SHA1 hash:
15a2796b6b77bd1f03eb0a30cfeb7e3c2f0a0631
Link:
https://www.unpac.me/results/4d915db1-c513-4c49-8717-bbfcafeafa94/
Malware family:
AZORult v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fc6ddb1f7644/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fc6ddb1f7644597b84d14e3efa4cd1a1d1ad0083141b3fa2a613cd3c092f6505

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BruteSyscallHashes
Create hunting rule
Author:Embee_Research @ Huntress
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_brute_ratel_c4_w0
Create hunting rule
Author:Embee_Research @ Huntress
Rule name:win_Brute_Syscall_Hashes
Create hunting rule
Author:Embee_Research @ Huntress
Description:Detection of Brute Ratel Badger via api hashes of Nt* functions.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe fc6ddb1f7644597b84d14e3efa4cd1a1d1ad0083141b3fa2a613cd3c092f6505

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/2254177/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1514315/
  
URLhaus
https://urlhaus.abuse.ch/url/2254175/
  
URLhaus
https://urlhaus.abuse.ch/url/265919/
  
URLhaus
https://urlhaus.abuse.ch/url/2254174/
  
URLhaus
https://urlhaus.abuse.ch/url/906880/
  
URLhaus
https://urlhaus.abuse.ch/url/1514098/
  
URLhaus
https://urlhaus.abuse.ch/url/2271066/
  
URLhaus
https://urlhaus.abuse.ch/url/1514297/
  
URLhaus
https://urlhaus.abuse.ch/url/2654454/
  
URLhaus
https://urlhaus.abuse.ch/url/1514313/
  
URLhaus
https://urlhaus.abuse.ch/url/2627575/
  
URLhaus
https://urlhaus.abuse.ch/url/2577943/
  
URLhaus
https://urlhaus.abuse.ch/url/2141170/
  
URLhaus
https://urlhaus.abuse.ch/url/1596393/
  
URLhaus
https://urlhaus.abuse.ch/url/2578024/
  
URLhaus
https://urlhaus.abuse.ch/url/2441296/
  
URLhaus
https://urlhaus.abuse.ch/url/2506772/
  
URLhaus
https://urlhaus.abuse.ch/url/2627573/
  
URLhaus
https://urlhaus.abuse.ch/url/2271067/
Cape
Cape
https://www.capesandbox.com/analysis/402580/

Comments