MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba8d5fe15f61989f663220e6433aa76ebbf6a49ae4f604c5f4cbceb665115751. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ba8d5fe15f61989f663220e6433aa76ebbf6a49ae4f604c5f4cbceb665115751
SHA3-384 hash: e0993029ec0cfbc15c90ecd3eba5e2befe72e4de53b26dde928addef975a818031c1138edf9473ad01d2aaa496161cf7
SHA1 hash: f7aff1867b2170e6ff2cb4ac70fe8cefdb917b59
MD5 hash: d8b5f62eeebf2cab804d1c3bfabf4138
humanhash: pizza-carpet-nuts-double
File name:dm-Setup-v.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:99'625'362 bytes
First seen:2025-05-24 16:21:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bf95d1fc1d10de18b32654b123ad5e1f (327 x LummaStealer, 65 x Rhadamanthys, 25 x Vidar)
ssdeep 24576:v0arBO0iD9cDWa7FBekVxk2nkDtZIyXP7NrDz1nXTuejubngb7MyAv/FtUW4/zG:vunSDWa3vWDtZJd31XTueWyMFTmzG
Threatray 740 similar samples on MalwareBazaar
TLSH T1B1282312DF827524A6DA41A70C8B86E65BF7F986334907EBAC7D901D4223681937FF31
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon fc8e9eb6b6929280 (1 x Rhadamanthys)
Reporter aachum
Tags:195-10-205-78 AutoIT CypherIT exe Rhadamanthys


Avatar
iamaachum
https://kto4r290425y08.cfd/mnllcontent-a8790d3757f350f457644df4ee76610f/dlc_6831e2b0b7a0f/?s=294&pg=0&q=Download => https://mega.nz/file/Qm0xiSBT#ZN8ifDTOahSWcM_t9uHKi4eZs7wKqIau9zf20lMAtaE

Intelligence

File Origin
# of uploads :
1
# of downloads :
582
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dm-Setup-v.exe
Verdict:
Malicious activity
Analysis date:
2025-05-24 16:48:53 UTC
Tags:
autoit stealer rhadamanthys shellcode
Link:
https://app.any.run/tasks/1b4468b8-e421-4c3a-acea-1a52c23f7b7f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6831f5ad4912a6b9dd4ce70c
Tags:
autoit emotet cobalt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
DNS request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
blackhole installer invalid-signature microsoft_visual_cc overlay overlay packed packed packer_detected signed
Link:
https://www.filescan.io/uploads/6831f2b1e336a33801ddb435/reports/09691605-fafa-4ec0-a99d-a1f23554273f/overview
Verdict:
Malicious
Labled as:
Infostealer/LummaC2
Link:
https://www.hybrid-analysis.com/sample/ba8d5fe15f61989f663220e6433aa76ebbf6a49ae4f604c5f4cbceb665115751
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1698531
Signature
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ba8d5fe15f61989f663220e6433aa76ebbf6a49ae4f604c5f4cbceb665115751
Gathering data
Threat name:
Win32.Dropper.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-05-24 16:24:09 UTC
File Type:
PE (Exe)
Extracted files:
25
AV detection:
11 of 38 (28.95%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xkgv7yk7mgmj6zrsedtegovhn257nje24t3ajrpuzphlmzirk5iq._file
Verdict:
suspicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
1a7cac61ead291ca487dc64160cffd47bac9b1ae02a5a488c7b93d9376675844
Rhadamanthys
41bdfece677b729185dffb5019872bde455588b2d7c9c9981692298e86a47da0
Rhadamanthys
523aa6dde8a98cc96de0f7a33f4c8736e5c536f02ed4ad561c76fe246f67d0c3
Rhadamanthys
680a2a5bb871538c112b32d8fe2c4d4619a2517f2c8007b0fd9fd560d2f5becb
Rhadamanthys
ba8d5fe15f61989f663220e6433aa76ebbf6a49ae4f604c5f4cbceb665115751
Rhadamanthys
d28fb0737213a89d3afc456a8735eeea48209d4d5ef31f8ec71a2c1796c660a3
Rhadamanthys
e9919bf4c4c4420a88ae9ff7527b62047b785644a08c6a3bf9d6d9523e0d5f7e
Rhadamanthys
error
Rhadamanthys
+ 730 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/250524-twexfagm9z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Enumerates processes with tasklist
Checks computer location settings
Deletes itself
Executes dropped EXE
Malware family:
CypherIt
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ba8d5fe15f61/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe ba8d5fe15f61989f663220e6433aa76ebbf6a49ae4f604c5f4cbceb665115751

(this sample)

  
Link
https://tria.ge/250524-s2j8nsfr7y/behavioral1
  
Delivery method
Distributed via web download

Comments