MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e81399eeff92b6604fb10f90166f441ac8ad3c778d0d1d554311cc67c927922e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 11

Intelligence 11 IOCs YARA 13 File information Comments

SHA256 hash:	e81399eeff92b6604fb10f90166f441ac8ad3c778d0d1d554311cc67c927922e
SHA3-384 hash:	f4058d66c5c34a6b03de71f710dac5bddcad2fa58ec1e420c0d9f0946389c1945a600583d7d2c6c2c35916bfe8fe1b54
SHA1 hash:	8a0f6f9467636f911d40a2434e507acf878953e9
MD5 hash:	2c0572073c755922c2db3898bef23aa0
humanhash:	earth-fish-undress-papa
File name:	PGK2UP6K.exe
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	3'901'125 bytes
First seen:	2025-05-31 17:22:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	8507116e3d0e7e02e36e7dc5b8aa1af8 (7 x LummaStealer, 3 x ACRStealer, 3 x ValleyRAT)
ssdeep	49152:kWGtLBMXqFpBR6SVb8kq4pgquLMMji4NYxtJpkxhGjIHTbQ333TYtJf2fpzjv46+:wtLutqgwh4NYxtJpkxhGj333TKUFjF0
Threatray	168 similar samples on MalwareBazaar
TLSH	T117066B17F28C713ED06B3A324A3386909837FA6169168C1797FC794C8F365942A3EB57
TrID	84.9% (.EXE) Inno Setup installer (107240/4/30) 8.3% (.EXE) Win64 Executable (generic) (10522/11/4) 3.5% (.EXE) Win32 Executable (generic) (4504/4/1) 1.5% (.EXE) Generic Win/DOS Executable (2002/3) 1.5% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
dhash icon	5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter	aachum
Tags:	178-20-45-155 5-35-38-7 api-gameforlikaks-top dropped-by-RenPyLoader exe Rhadamanthys

Intelligence

File Origin

# of uploads :

# of downloads :

400

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PGK2UP6K.exe

Verdict:

Malicious activity

Analysis date:

2025-05-31 17:25:23 UTC

Tags:

inno installer delphi stealer rhadamanthys shellcode

Link:

https://app.any.run/tasks/7a803d11-3e2e-44de-89b8-671073d7a934

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/6540/

Detection(s):

SecuriteInfo.com.Win32.Malware-gen.4656.27389.UNOFFICIAL

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=683b3dabacf88f5815e9bc07

Tags:

phishing dropper obfusc crypt

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Adding an access-denied ACE

Creating a window

Launching a process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

adaptive-context embarcadero_delphi expired-cert fingerprint installer invalid-signature keylogger overlay overlay packed packed packer_detected signed

Link:

https://www.filescan.io/uploads/683b3b0efd02ed5e0591bfcd/reports/85b86b4e-b76c-4a9e-8aa7-06b0a1ffaa9d/overview

Verdict:

Malicious

Labled as:

Loader.Ropalidia.N

Link:

https://www.hybrid-analysis.com/sample/e81399eeff92b6604fb10f90166f441ac8ad3c778d0d1d554311cc67c927922e

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/df5b38cb-bc6c-4d7c-8f57-0ba5c2b24c57

Result

Threat name:

RHADAMANTHYS

Detection:

malicious

Classification:

troj.evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/1703012

Signature

Contains functionality to hide a thread from the debugger

Hides threads from debuggers

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

Switches to a custom stack to bypass stack traces

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

25%

Verdict:

Benign

File Type:

Link:

https://malprob.io/report/e81399eeff92b6604fb10f90166f441ac8ad3c778d0d1d554311cc67c927922e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e81399eeff92b6604fb10f90166f441ac8ad3c778d0d1d554311cc67c927922e/

Threat name:

Win32.Malware.Heuristic

Status:

Malicious

First seen:

2025-05-31 15:53:02 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

18 of 24 (75.00%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5ajzt3x7sk3gat5rb6ibm32edlek2pdxrugr2vkdchggpsjhsixa._file

Verdict:

suspicious

Label(s):

rhadamanthys

Result

Malware family:

n/a

Score:

5/10

Tags:

discovery

Link:

https://tria.ge/reports/250531-vybs8sem6x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Program crash

System Location Discovery: System Language Discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Verdict:

Informative

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/b2b3d7c8-0b0c-4e98-adea-dac39902c374

Unpacked files

SH256 hash:

e81399eeff92b6604fb10f90166f441ac8ad3c778d0d1d554311cc67c927922e

MD5 hash:

2c0572073c755922c2db3898bef23aa0

SHA1 hash:

8a0f6f9467636f911d40a2434e507acf878953e9

Link:

https://www.unpac.me/results/e1a39a23-15aa-434e-a43f-969769f9bf1b/

SH256 hash:

388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

MD5 hash:

e4211d6d009757c078a9fac7ff4f03d4

SHA1 hash:

019cd56ba687d39d12d4b13991c9a42ea6ba03da

Link:

https://www.unpac.me/results/e1a39a23-15aa-434e-a43f-969769f9bf1b/

Malware family:

Rhadamanthys

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/e81399eeff92/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Borland Create hunting rule
Author:	malware-lu

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Detect_PowerShell_Obfuscation Create hunting rule
Author:	daniyyell
Description:	Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	RIPEMD160_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for RIPEMD-160 constants

Rule name:	SHA1_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA1 constants

Rule name:	SHA512_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for SHA384/SHA512 constants

Rule name:	shellcode Create hunting rule
Author:	nex
Description:	Matched shellcode byte patterns

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)