MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01892041a19c8467cfded2f42a45a5dec25027ca86cc072d0f6e34469ae3529d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 01892041a19c8467cfded2f42a45a5dec25027ca86cc072d0f6e34469ae3529d
SHA3-384 hash: 5701d8766304863c3ac23607db0d7b3f7815939072fd759493f6b4338d66528aa007594854aa47f153f8908ce8af6b21
SHA1 hash: fb6df6068d143d4435e04509ad681eb9c07bc930
MD5 hash: ba3928b87a009dccc8522a52955a47f5
humanhash: earth-cat-carbon-orange
File name:installer.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:4'731'784 bytes
First seen:2025-08-13 14:33:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 979d4d3c19bd1d7e944b1ba868d6cce7 (24 x Rhadamanthys)
ssdeep 98304:cpX71UNur/DtdSIXhWcIayCWVbWnB7668BlsUwlchxYeFoxC6X:cpvgVynmlVw2mhCE
Threatray 4 similar samples on MalwareBazaar
TLSH T11B264CE1B58AB2DFD06A1A74E417DE42B46D53F649304C41EDA8B4FE5E73C8212C7E28
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter aachum
Tags:45-141-233-250 94-26-90-16 creations-tools exe Rhadamanthys


Avatar
iamaachum
https://creations.tools/creations-tools.zip

Intelligence

File Origin
# of uploads :
1
# of downloads :
65
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_01892041a19c8467cfded2f42a45a5dec25027ca86cc072d0f6e34469ae3529d.exe
Verdict:
Malicious activity
Analysis date:
2025-08-13 14:34:54 UTC
Tags:
rhadamanthys shellcode
Link:
https://app.any.run/tasks/53cc95ad-74a5-403f-839a-c8a29183cfb6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/21160/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689ca2752018ee52f0246de8
Tags:
vmdetect obfusc crypt overt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending a custom TCP request
Sending a UDP request
Reading critical registry keys
Searching for the window
Sending an HTTP GET request to an infection source
Creating a file
Creating a process from a recently created file
Running batch commands
Launching the process to interact with network services
Unauthorized injection to a system process
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm invalid-signature microsoft_visual_cc obfuscated obfuscated packed packed packer_detected signed themidawinlicense
Link:
https://www.filescan.io/uploads/689ca2812fbe0788fb1f17a2/reports/3fe09c3a-520c-4ca4-8459-566f1c8def55/overview
Verdict:
Malicious
Labled as:
Trojan.GM.Generic
Link:
https://www.hybrid-analysis.com/sample/01892041a19c8467cfded2f42a45a5dec25027ca86cc072d0f6e34469ae3529d
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d01d3fa0-bce1-49b4-a256-94ce568b378d
Result
Threat name:
Coinhive, RHADAMANTHYS, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1756130
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious PE digital signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Deletes itself after installation
Detected Stratum mining protocol
Disable Windows Defender notifications (registry)
Downloads suspicious files via Chrome
Early bird code injection technique detected
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Coinhive miner
Yara detected RHADAMANTHYS Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1756130 Sample: installer.exe Startdate: 13/08/2025 Architecture: WINDOWS Score: 100 112 x.ns.gin.ntt.net 2->112 114 twc.trafficmanager.net 2->114 116 7 other IPs or domains 2->116 136 Found malware configuration 2->136 138 Antivirus detection for dropped file 2->138 140 Antivirus / Scanner detection for submitted sample 2->140 142 12 other signatures 2->142 12 installer.exe 2->12         started        15 msedge.exe 97 533 2->15         started        19 cmd.exe 2->19         started        21 4 other processes 2->21 signatures3 process4 dnsIp5 162 Query firmware table information (likely to detect VMs) 12->162 164 Found many strings related to Crypto-Wallets (likely being stolen) 12->164 166 Switches to a custom stack to bypass stack traces 12->166 168 Tries to detect sandboxes / dynamic malware analysis system (registry check) 12->168 23 OpenWith.exe 12->23         started        134 239.255.255.250 unknown Reserved 15->134 94 C:\Users\user\AppData\...\adblock_snippet.js, ASCII 15->94 dropped 96 C:\Users\user\AppData\Local\Temp\...\Part-FR, data 15->96 dropped 27 msedge.exe 15->27         started        29 msedge.exe 15->29         started        31 msedge.exe 15->31         started        33 msedge.exe 15->33         started        35 conhost.exe 19->35         started        37 schtasks.exe 19->37         started        file6 signatures7 process8 dnsIp9 118 cloudflare-dns.com 104.16.248.249, 443, 49695, 49731 CLOUDFLARENETUS United States 23->118 120 nexus-cloud-360.com 45.141.233.250, 1888, 49696 ASDETUKhttpwwwheficedcomGB Bulgaria 23->120 148 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 23->148 150 Deletes itself after installation 23->150 152 Switches to a custom stack to bypass stack traces 23->152 39 dllhost.exe 8 23->39         started        122 13.107.253.40, 443, 49725, 49727 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 27->122 124 ln-0007.ln-dc-msedge.net 150.171.23.17, 443, 49712 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 27->124 126 10 other IPs or domains 27->126 signatures10 process11 dnsIp12 128 nexus-cloud-360.com 39->128 130 time-a-g.nist.gov 129.6.15.28 US-NATIONAL-INSTITUTE-OF-STANDARDS-AND-TECHNOLOGYUS United States 39->130 132 8 other IPs or domains 39->132 98 C:\Users\user\AppData\Local\...\r8D_W.exe, PE32 39->98 dropped 100 C:\Users\user\AppData\Local\...\19I.exe, PE32+ 39->100 dropped 154 System process connects to network (likely due to code injection or exploit) 39->154 156 Early bird code injection technique detected 39->156 158 Found many strings related to Crypto-Wallets (likely being stolen) 39->158 160 3 other signatures 39->160 44 19I.exe 39->44         started        48 wmprph.exe 39->48         started        50 r8D_W.exe 39->50         started        52 3 other processes 39->52 file13 signatures14 process15 file16 102 C:\ProgramData\Microsoft\...\WmiPrvSE.exe, PE32+ 44->102 dropped 170 Antivirus detection for dropped file 44->170 172 Query firmware table information (likely to detect VMs) 44->172 174 Modifies windows update settings 44->174 180 3 other signatures 44->180 54 cmd.exe 44->54         started        57 powershell.exe 44->57         started        59 sc.exe 44->59         started        72 9 other processes 44->72 176 Writes to foreign memory regions 48->176 178 Allocates memory in foreign processes 48->178 104 C:\Users\user\AppData\...\UserOOBEBroker.exe, PE32 50->104 dropped 61 cmd.exe 50->61         started        63 cmd.exe 50->63         started        65 chrome.exe 52->65         started        68 msedge.exe 52->68         started        70 chrome.exe 52->70         started        signatures17 process18 dnsIp19 144 Uses schtasks.exe or at.exe to add and modify task schedules 54->144 74 net.exe 54->74         started        76 conhost.exe 54->76         started        146 Loading BitLocker PowerShell Module 57->146 78 conhost.exe 57->78         started        80 WmiPrvSE.exe 57->80         started        82 conhost.exe 59->82         started        84 conhost.exe 61->84         started        86 schtasks.exe 61->86         started        88 2 other processes 63->88 106 192.168.2.5, 1888, 443, 49675 unknown unknown 65->106 108 googlehosted.l.googleusercontent.com 142.250.65.161, 443, 49708 GOOGLEUS United States 65->108 110 4 other IPs or domains 65->110 90 9 other processes 72->90 signatures20 process21 process22 92 net1.exe 74->92         started       
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/01892041a19c8467cfded2f42a45a5dec25027ca86cc072d0f6e34469ae3529d
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/ba3928b87a009dccc8522a52955a47f5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/01892041a19c8467cfded2f42a45a5dec25027ca86cc072d0f6e34469ae3529d/
Verdict:
Malicious
Threat:
Family.RHADAMANTHYS
Link:
https://tip.neiki.dev/file/01892041a19c8467cfded2f42a45a5dec25027ca86cc072d0f6e34469ae3529d
Threat name:
Win32.Spyware.Rhadamanthys
Create hunting rule
Status:
Malicious
First seen:
2025-08-13 14:34:25 UTC
File Type:
PE (Exe)
AV detection:
19 of 24 (79.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=agesaqnbtscgpt662l2curnf33bfaj6kq3gaolipny2engxdkkoq._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
3857aac49d606c982a866f460de14a479c1482d672d1b17392555e69b8ff6dcd
Rhadamanthys
57d596b29d6fc2c917503116419917c74d504be7733b31ac4637b6792e8abf72
Rhadamanthys
5eef22a6ffa213297c9642a5d77a749d73b84e2723b3fc10e70d05da6f507af3
Rhadamanthys
dfe1013bfd39f7c1baa4ecd418a04d602b8b02817c55a0376cbb963db42ab681
Rhadamanthys
error
Rhadamanthys
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys defense_evasion discovery stealer themida trojan
Link:
https://tria.ge/reports/250813-rxlp9szjt5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8c0656f2-95c1-4e1c-8b66-4a6f2b73a66b
Unpacked files
SH256 hash:
01892041a19c8467cfded2f42a45a5dec25027ca86cc072d0f6e34469ae3529d
MD5 hash:
ba3928b87a009dccc8522a52955a47f5
SHA1 hash:
fb6df6068d143d4435e04509ad681eb9c07bc930
Link:
https://www.unpac.me/results/fba7220f-62b5-40f3-8849-f6eff845ce4e/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/01892041a19c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DriveBy Activity
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/01892041a19c8467cfded2f42a45a5dec25027ca86cc072d0f6e34469ae3529d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe 01892041a19c8467cfded2f42a45a5dec25027ca86cc072d0f6e34469ae3529d

(this sample)

  
Link
https://tria.ge/250813-rskbmsdk51/behavioral2
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/21160/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh

Comments