MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01d35fd250e14d0f3b6562b020dc131ed0003ad4c73b33cdbdfdb5f33b0becba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 01d35fd250e14d0f3b6562b020dc131ed0003ad4c73b33cdbdfdb5f33b0becba
SHA3-384 hash: 40e94bf50998e05698088062f20f3faa4922364faad583a177fffae22c57949f6661753a48a17de85ce431f842a03c08
SHA1 hash: 08fe2db2237fd72c31c9874c72334be2976cd327
MD5 hash: fec2ee34faa18878a5ab223d20f66c7a
humanhash: paris-louisiana-eighteen-hydrogen
File name:Setup.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:1'897'181 bytes
First seen:2025-08-22 16:03:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b729b61eb1515fcf7b3e511e4e66258b (70 x LummaStealer, 16 x Rhadamanthys, 8 x Adware.Generic)
ssdeep 49152:x/Md5jRGEcBnQh/Rolhtosnje1R6uHm/HJzDF:xe5FUQh/6os61RmPVDF
Threatray 561 similar samples on MalwareBazaar
TLSH T10095330ACD95E539E71B1EF118F11AE19FCF8B5D1E66AB0F2B441A493ED93822D0D132
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 01030d1c35f2fb98 (1 x Rhadamanthys)
Reporter aachum
Tags:103-245-231-185 104-164-55-24 AutoIT CypherIT exe Rhadamanthys


Avatar
iamaachum
https://filedlx.store/?p=1085&enHash=idZ1gyfQEILd => https://mega.nz/file/DSAl3bJA#caBsMuOvQy9K5ldncIb2GSSg0E8k4kmDlRnHSHXVgQw

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_01d35fd250e14d0f3b6562b020dc131ed0003ad4c73b33cdbdfdb5f33b0becba.exe
Verdict:
Malicious activity
Analysis date:
2025-08-22 16:14:22 UTC
Tags:
lumma stealer autoit
Link:
https://app.any.run/tasks/51757c16-1b6d-4d75-a6bf-ade075b7afa6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/23035/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68a895266eed937d746d1d91
Tags:
autoit emotet cobalt nsis
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Searching for the window
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a process from a recently created file
DNS request
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug blackhole installer microsoft_visual_cc overlay overlay
Link:
https://www.filescan.io/uploads/68a895304a87ed7967686a0a/reports/0495467f-5a8a-4bdd-a7b7-fee81f6d42bb/overview
Verdict:
Malicious
Labled as:
Trojan_Win64_LummaStealer_rfn
Link:
https://www.hybrid-analysis.com/sample/01d35fd250e14d0f3b6562b020dc131ed0003ad4c73b33cdbdfdb5f33b0becba
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-08-21T03:46:00Z UTC
Last seen:
2025-08-21T03:46:00Z UTC
Hits:
~100
Detections:
Backdoor.Agent.UDP.C&C HEUR:Trojan.Script.Generic HEUR:Backdoor.Win32.Agent.gen
Link:
https://opentip.kaspersky.com/01d35fd250e14d0f3b6562b020dc131ed0003ad4c73b33cdbdfdb5f33b0becba/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/29821963-b4d8-41a6-8008-8b16e7f0356d
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1763094
Signature
Checks if the current machine is a virtual machine (disk enumeration)
Creates files with lurking names (e.g. Crack.exe)
Detected CypherIt Packer
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Search for Antivirus process
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1763094 Sample: Setup.exe Startdate: 22/08/2025 Architecture: WINDOWS Score: 100 35 pcHYBnfbJzryaHxAdh.pcHYBnfbJzryaHxAdh 2->35 41 Multi AV Scanner detection for submitted file 2->41 43 Yara detected RHADAMANTHYS Stealer 2->43 45 Sigma detected: Search for Antivirus process 2->45 9 Setup.exe 29 2->9         started        signatures3 process4 file5 33 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 9->33 dropped 55 Creates files with lurking names (e.g. Crack.exe) 9->55 13 cmd.exe 1 9->13         started        signatures6 process7 signatures8 57 Detected CypherIt Packer 13->57 59 Drops PE files with a suspicious file extension 13->59 16 cmd.exe 4 13->16         started        19 conhost.exe 13->19         started        process9 file10 31 C:\Users\user\AppData\Local\...\Rivers.pif, PE32 16->31 dropped 21 Rivers.pif 16->21         started        25 extrac32.exe 19 16->25         started        27 tasklist.exe 1 16->27         started        29 3 other processes 16->29 process11 dnsIp12 37 103.245.231.185, 443, 49691 VECTANTARTERIANetworksCorporationJP Japan 21->37 39 104.164.55.24, 443, 49692 EGIHOSTINGUS United States 21->39 47 Query firmware table information (likely to detect VMs) 21->47 49 Checks if the current machine is a virtual machine (disk enumeration) 21->49 51 Switches to a custom stack to bypass stack traces 21->51 53 2 other signatures 21->53 signatures13
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/01d35fd250e14d0f3b6562b020dc131ed0003ad4c73b33cdbdfdb5f33b0becba
Verdict:
inconclusive
YARA:
6 match(es)
Tags:
AutoIt Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/fec2ee34faa18878a5ab223d20f66c7a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/01d35fd250e14d0f3b6562b020dc131ed0003ad4c73b33cdbdfdb5f33b0becba/
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/01d35fd250e14d0f3b6562b020dc131ed0003ad4c73b33cdbdfdb5f33b0becba
Threat name:
Win32.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-08-21 13:58:55 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
23 of 38 (60.53%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ahjv7usq4fgq6o3fmkycbxatd3iaaowuy45thtn57w27goyl5s5a._file
Verdict:
malicious
Label(s):
unc_loader_058
Create hunting rule
rhadamanthys
Create hunting rule
Similar samples:
357d4b04daafd9884d7aeb7d31ac6fe39bf1bb5a2f5f3f9aaf1b2e8e8cbe56c5
Rhadamanthys
5f0999dcc07ff99e7dac0e85ddaf79ea07995d86b4d3d7241a76172239c8d96c
Rhadamanthys
96326d92bed59281f2feec9ee694587890d900c06e96b69cb00b0499d7f7dd41
Rhadamanthys
abe1bcbfb945b632bfbf343cd60d20e6059db4fa63f13727cac9187337107e54
Rhadamanthys
c04dd81d3c618c5cb4b72b75fa8469618d525793b0378e043f7f63baa03f2604
Rhadamanthys
caa906d7f21d5fdec2934838c1ba96cc03ebea71f751adf120ef5edcc1596d4f
Rhadamanthys
da289d2f2f50cbef9f9d6034e1a32e331c1b309f49c2e1e5029ec154e721af4c
Rhadamanthys
dae19abbdce305a55825ac19771a5ae532ca33649a80fa0b4f2a0f0131fe0fdc
Rhadamanthys
error
Rhadamanthys
+ 551 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys discovery stealer
Link:
https://tria.ge/reports/250822-tjd5dawqz2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Executes dropped EXE
Loads dropped DLL
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f22d69c2-894e-4b0d-b0cd-02289bccba37
Unpacked files
SH256 hash:
01d35fd250e14d0f3b6562b020dc131ed0003ad4c73b33cdbdfdb5f33b0becba
MD5 hash:
fec2ee34faa18878a5ab223d20f66c7a
SHA1 hash:
08fe2db2237fd72c31c9874c72334be2976cd327
Link:
https://www.unpac.me/results/9ff0f49b-9d52-47ac-b9f1-a8baa8c931d9/
SH256 hash:
bb4fb924885b8d6719cb88e7f231abcbb7c2a1c69be92a12ce7bb56bed9129e3
MD5 hash:
094ae615109634f48bede4a612e36fc8
SHA1 hash:
a8b8cbf4d8a7f368b3ae53090bab40a2793657eb
Link:
https://www.unpac.me/results/9ff0f49b-9d52-47ac-b9f1-a8baa8c931d9/
SH256 hash:
8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af
MD5 hash:
08e9796ca20c5fc5076e3ac05fb5709a
SHA1 hash:
07971d52dcbaa1054060073571ced046347177f7
Link:
https://www.unpac.me/results/9ff0f49b-9d52-47ac-b9f1-a8baa8c931d9/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/01d35fd250e1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe 01d35fd250e14d0f3b6562b020dc131ed0003ad4c73b33cdbdfdb5f33b0becba

(this sample)

  
Link
https://tria.ge/250822-s473hsap81/behavioral3
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/23035/

Comments