Windows Analysis Report
1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe

Overview

General Information

Sample name: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe
Analysis ID: 1526768
MD5: 6c1a9eaef729e651997fd85545f1a38b
SHA1: d0bb98dedb4a6c65551a23318ff9b2bda5fe2b81
SHA256: ac75ec2a674b32886feef62ace21882c133540bc2e1b383c816be0505aeee9b1
Tags: base64-decoded, exe, user-abuse_ch
Infos:
Errors
  • No process behavior to analyse as no analysis process or sample was found
  • Corrupt sample or wrongly selected analyzer. Details: %1 is not a valid Win32 application.

Detection

RHADAMANTHYS
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected RHADAMANTHYS Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
PE file contains sections with non-standard names
PE file does not import any functions
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

Name: Rhadamanthys
Description: According to PCrisk, Rhadamanthys is a stealer-type malware, and as its name implies, it is designed to extract data from infected machines. At the time of writing, this malware is spread through malicious websites mirroring those of genuine software such as AnyDesk, Zoom, Notepad++, and others. Rhadamanthys is downloaded alongside the real program, thus diminishing immediate user suspicion. These sites were promoted through Google ads, which superseded the legitimate search results on the Google search user.
Attribution:
  • Sandworm
Blogpost URLs: -
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.rhadamanthys

AV Detection

Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe Malware Configuration Extractor: Rhadamanthys {"C2 url": "https://185.81.68.44:7321/17c455d90e497a/reoa6ddp.akkea"}
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.7% probability
Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe Joe Sandbox ML: detected
Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Source: Malware configuration extractor URLs: https://185.81.68.44:7321/17c455d90e497a/reoa6ddp.akkea
Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe Static PE information: No import functions for PE file found
Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe Binary or memory string: OriginalFilename4 vs 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe
Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal68.troj.winEXE@0/0@0/0
Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe Static PE information: section name: .textbss

Stealing of Sensitive Information

Source: Yara match File source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe, type: SAMPLE

Remote Access Functionality

Source: Yara match File source: 1728222450eb155389ccc383d8d4b2204b0f0f1c32a84b5f7f4de790f660bc9dccee7ace7b115.dat-decoded.exe, type: SAMPLE
No contacted IP information.