MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0015157c5bd151f1b5a81a07ccc54b51bf99931155c1f60cf2abaee151495a57. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Rhadamanthys


Vendor detections: 15



SHA256 hash: 0015157c5bd151f1b5a81a07ccc54b51bf99931155c1f60cf2abaee151495a57
SHA3-384 hash: c59d95c59f416a873dea556b05661ad2813678d555dd6ced53ec850861391d34a8cf6da610681b9df243f1334291e927
SHA1 hash: dca86fcfa131a824ae0e85bbad38567c2b5b3feb
MD5 hash: 812ebc9897be48f84d2d287bdcb5410e
humanhash: green-beer-skylark-alaska
File name: Setup__en.exe
Signature: Rhadamanthys
File size: 99'625'834 bytes
First seen: 2025-09-23 18:26:05 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32f3282581436269b3a75b6675fe3e08 (197 x LummaStealer, 123 x Rhadamanthys, 8 x CoinMiner)
ssdeep: 24576:1YnNzTxjlLzvFXp5ULpm9CsoQ3lMhCwTlRM5SGeII4HjjcNml59qUEkRtuUPzY/X:+bjdpXIKQQURMc4DjlliUtRtuUE
Threatray: 1'009 similar samples on MalwareBazaar
TLSH: T1CB282B32A15CF76E3A2275E7F5B1AF00622AE86CF157C73EB702214C9B6D05790653CA
TrID: 37.3% (.EXE) Win64 Executable (generic) (10522/11/4)
      17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      15.9% (.EXE) Win32 Executable (generic) (4504/4/1)
      7.3% (.ICL) Windows Icons Library (generic) (2059/9)
      7.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: aachum
Tags: 146-19-49-13 194-213-18-9 45-66-249-28 AutoIT CypherIT exe Rhadamanthys


iamaachum
https://n14rr140825e7.cfd/mnllcontent-093147db0d269ab5e9ab6f242bb2f112/dlc_68d2e23c59717/?s=294&pg=0&q=Download =>https://mega.nz/file/fdUC1IKJ#mL3LQfxdAjG18r4HVxz2QDRx73r-gFAIIOcMmMvd3Oc

Intelligence


File Origin
# of uploads: 1
# of downloads: 99
Origin country: ES
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Setup__en.exe
Verdict: Malicious activity
Analysis date: 2025-09-23 18:28:23 UTC
Tags: autoit anti-evasion stealer rhadamanthys

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 97.4%
Tags: autoit emotet cobalt spoof

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Searching for the window
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a process from a recently created file
Sending a custom TCP request
DNS request
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug blackhole expired-cert installer invalid-signature microsoft_visual_cc nsis overlay packed signed

Verdict: Malicious
File Type: exe x32
First seen: 2025-09-23T14:54:00Z UTC
Last seen: 2025-09-23T14:54:00Z UTC
Hits: ~10

Result
Threat name: RHADAMANTHYS
Detection: malicious
Classification: troj.evad.spyw
Score: 88 / 100
Signature
AI detected suspicious PE digital signature
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph (ID 1782823; sample Setup__en.exe; start date 23/09/2025; architecture WINDOWS; score 88), recovered from the rendered graph:
Root node: DNS lookup of IYUUYeIdeiZZJbwsrAlWaXcIq.IYUUYeIdeiZZJbwsrAlWaXcIq; signatures: Multi AV Scanner detection for submitted file, Yara detected RHADAMANTHYS Stealer, Sigma detected: Search for Antivirus process, 2 other signatures
Setup__en.exe started; dropped C:\Users\user\AppData\Local\...\nsExec.dll (PE32); started cmd.exe
cmd.exe: signature Drops PE files with a suspicious file extension; started a second cmd.exe and conhost.exe
Second cmd.exe: dropped C:\Users\user\AppData\Local\...\Specs.scr (PE32); started Specs.scr, extrac32.exe, tasklist.exe and 3 other processes
Specs.scr: network connections to 194.213.18.9 port 443 (local port 49696; HA-SDCGB, United Kingdom), 45.66.249.28 port 443 (local ports 49693, 49697; FREERANGECLOUDCA, Russian Federation), 146.19.49.13 port 443 (local port 49695; FITC-ASUS, France); signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function), Switches to a custom stack to bypass stack traces, Found direct / indirect Syscall (likely to bypass EDR)
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2025-09-23 18:32:35 UTC
File Type: PE (Exe)
Extracted files: 22
AV detection: 16 of 38 (42.11%)
Threat level: 5/5

Result
Malware family: rhadamanthys
Score: 10/10
Tags: family:rhadamanthys discovery stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Executes dropped EXE
Loads dropped DLL
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Verdict: Suspicious
Tags: n/a
YARA: n/a

Malware family: Rhadamanthys
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Rhadamanthys
File: Executable exe 0015157c5bd151f1b5a81a07ccc54b51bf99931155c1f60cf2abaee151495a57 (this sample)

Delivery method
Distributed via web download

Comments