MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff500d61a43e135f0b3ca48e8c9e760e6d08fc0d9fc9b36ae7790dc2dbfba071. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 14

Intelligence 14 IOCs YARA 3 File information Comments

SHA256 hash:	ff500d61a43e135f0b3ca48e8c9e760e6d08fc0d9fc9b36ae7790dc2dbfba071
SHA3-384 hash:	91079b4955b351a3b6730e79faa836a8b50beccaf443f687bef3626480725513fcda71cb67c4062e6803eb3c169bd9e4
SHA1 hash:	516812f265f8b3ce1af787bfa1dd1bfeb426e2cd
MD5 hash:	d0a8e9383b3e36dee5f9222f827c7615
humanhash:	beryllium-lemon-bulldog-nuts
File name:	d0a8e9383b3e36dee5f9222f827c7615.exe
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	263'680 bytes
First seen:	2023-04-03 12:38:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	93af49a7eb518a2e0b7bbbb909dbb2f4 (2 x Stop, 2 x DanaBot, 1 x Smoke Loader)
ssdeep	3072:tHYBEo83Gk/hdEdqaensiWFwV2JVZWmDNncsW5fkD2/O9iT1QPS5/8QS:6KP2g+0eFzVDZ+Six8
Threatray	442 similar samples on MalwareBazaar
TLSH	T1A744E1A07BA2C4B1D81785787822D7B0663FF8719FA1C68F33981B7E1D702D15A76226
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	0094544763330301 (1 x Rhadamanthys)
Reporter	abuse_ch
Tags:	exe Rhadamanthys

Intelligence

File Origin

# of uploads :

# of downloads :

244

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

d0a8e9383b3e36dee5f9222f827c7615.exe

Verdict:

Malicious activity

Analysis date:

2023-04-03 12:52:13 UTC

Tags:

rhadamanthys

Link:

https://app.any.run/tasks/933c5c49-6eb3-4f42-8bfe-19d6db46fa8f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Rhadamanthys

Link:

https://www.capesandbox.com/analysis/379667/

Detection(s):

Sanesecurity.Malware.29066.BadIN.UNOFFICIAL

Win.Packer.pkr_ce1a-9980177-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Sending an HTTP GET request

Launching a process

Sending a custom TCP request

Launching the default Windows debugger (dwwin.exe)

Reading critical registry keys

Searching for the window

Unauthorized injection to a system process

Stealing user critical data

Sending an HTTP GET request to an infection source

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://dragonfly.certego.net/analysis/76320/overview

Behaviour

MalwareBazaar

MeasuringTime

SystemUptime

CPUID_Instruction

EvasionQueryPerformanceCounter

EvasionGetTickCount

CheckCmdLine

Verdict:

Suspicious

Threat level:

5/10

Confidence:

75%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/642ac8edd1b7f0d264f9f031/reports/a5919f4b-33a7-4e43-b878-c3eb241b779e/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/ff500d61a43e135f0b3ca48e8c9e760e6d08fc0d9fc9b36ae7790dc2dbfba071

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Malicious Packer

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/52a5f04b-1043-45d8-8e66-2aba4ebcffca

Result

Threat name:

RHADAMANTHYS

Detection:

malicious

Classification:

rans.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1207341

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contain functionality to detect virtual machines

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to detect virtual machines (IN, VMware)

Contains functionality to hide a thread from the debugger

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found many strings related to Crypto-Wallets (likely being stolen)

Found potential ransomware demand text

Hides threads from debuggers

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Searches for specific processes (likely to inject)

Snort IDS alert for network traffic

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Writes to foreign memory regions

Yara detected AntiVM3

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ff500d61a43e135f0b3ca48e8c9e760e6d08fc0d9fc9b36ae7790dc2dbfba071/

Threat name:

Win32.Spyware.Rhadamanthys

Status:

Malicious

First seen:

2023-04-03 08:22:35 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=75ia2ynehyjv6cz4ushizhtwbzwqr7ant7e3g2xhpeg4fw73ubyq._file

Verdict:

malicious

Rhadamanthys

399bc631edb3875dab6c101d3ecc1cca2d92a188dd365714e726f6c5ce9c5582

Rhadamanthys

4099b352c15d6191c8d98a823c9b95b58baa2bc1c308f06e6697562cd21c339f

Rhadamanthys

419600d0508516026569e661e54e5e7a5d17d47d18cb8f427932bd728d9bc743

Rhadamanthys

5ef8e0030564b34c5dc795e3875137b95dcd08d2866797a0a0d18569e9078b26

Rhadamanthys

7aadc76471387981789a8aa1d2c34ed48b79f84febe3160feea5f32c4aaaceb7

Rhadamanthys

b1350d4785b6b3c87ff90e62b03cd4863426c36b92340bc09996bef7a4d8750c

Rhadamanthys

+ 432 additional samples on MalwareBazaar

Result

Malware family:

rhadamanthys

Score:

10/10

Tags:

family:rhadamanthys collection stealer

Link:

https://tria.ge/reports/230403-pvnqqsef98/

Behaviour

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of NtSetInformationThreadHideFromDebugger

Accesses Microsoft Outlook profiles

Detect rhadamanthys stealer shellcode

Rhadamanthys

Unpacked files

SH256 hash:

879e00131fef015ee76a82bd8eb05543fa6a82276c08ef0c4035630952827de1

MD5 hash:

42340e853adbf922e185e3b82077bef1

SHA1 hash:

73dba5b14df609e9afc2b93dfc14f72eba683bbf

Link:

https://www.unpac.me/results/171fe031-6294-4e20-bd24-b565a8623f31/

SH256 hash:

ff500d61a43e135f0b3ca48e8c9e760e6d08fc0d9fc9b36ae7790dc2dbfba071

MD5 hash:

d0a8e9383b3e36dee5f9222f827c7615

SHA1 hash:

516812f265f8b3ce1af787bfa1dd1bfeb426e2cd

Link:

https://www.unpac.me/results/171fe031-6294-4e20-bd24-b565a8623f31/

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ff500d61a43e/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ff500d61a43e135f0b3ca48e8c9e760e6d08fc0d9fc9b36ae7790dc2dbfba071

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pdb_YARAify Create hunting rule
Author:	@wowabiy314
Description:	PDB

Rule name:	Suspicious_Macro_Presence Create hunting rule
Author:	Mehmet Ali Kerimoglu (CYB3RMX)
Description:	This rule detects common malicious/suspicious implementations.