MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02778067900afe0ad74783c87e7dc16247e7971d2941f536321e0192cc326170. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02778067900afe0ad74783c87e7dc16247e7971d2941f536321e0192cc326170
SHA3-384 hash: 67a054afeb1b7040e7d313f1278cbf320af6b2a309eac73bbe2dcae1b5e526ef8d2e91934588419756f85153034d5ce3
SHA1 hash: c49e3c62a0f0365d2826013c779a356beb4a37fc
MD5 hash: 338d85ebfa0660b7b0757214679aa5c7
humanhash: yankee-lithium-maine-friend
File name:8BallPoolModMenu.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:1'669'628 bytes
First seen:2025-09-27 12:13:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32f3282581436269b3a75b6675fe3e08 (197 x LummaStealer, 122 x Rhadamanthys, 8 x CoinMiner)
ssdeep 49152:I9d6qozQlxuxnL9lIQXl2yciWgtGednK9s7XRG6:I9d6bFxnLvSunus7o6
Threatray 104 similar samples on MalwareBazaar
TLSH T15D7533528694D4AFD17C3E71FCE0672154B72966412199EF4A9EE50CBC272E0AC3EBC3
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter abuse_ch
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
106
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8BallPoolModMenu.exe
Verdict:
Malicious activity
Analysis date:
2025-09-25 22:01:34 UTC
Tags:
lumma stealer autoit anti-evasion rhadamanthys
Link:
https://app.any.run/tasks/75c1d931-62f5-40ae-913b-91c8fac25851

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/29244/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68d7d4ea91dd51f6514f2516
Tags:
autoit emotet nsis
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Searching for the window
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a process from a recently created file
DNS request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug blackhole infostealer installer invalid-signature microsoft_visual_cc nsis overlay signed
Link:
https://www.filescan.io/uploads/68d7d4f1674d5fd6aa0e5e6f/reports/dce4909c-9451-4a46-a06f-c101c4e1a6ae/overview
Verdict:
Malicious
Labled as:
Trojan_Win32_Wacatac_B_ml
Link:
https://www.hybrid-analysis.com/sample/02778067900afe0ad74783c87e7dc16247e7971d2941f536321e0192cc326170
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-25T14:45:00Z UTC
Last seen:
2025-09-25T14:45:00Z UTC
Hits:
~100
Detections:
Trojan.Win32.Autoit.sb HEUR:Trojan.Script.AUO.gen HEUR:Trojan.Win32.Autoit.gen Backdoor.Agent.UDP.C&C
Link:
https://opentip.kaspersky.com/02778067900afe0ad74783c87e7dc16247e7971d2941f536321e0192cc326170/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/0864e2bb-875b-4247-a8c8-ffc6afed6e39
Result
Threat name:
RHADAMANTHYS, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1785160
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Disable Windows Defender notifications (registry)
Drops PE files with a suspicious file extension
Drops PE files with benign system names
Early bird code injection technique detected
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Search for Antivirus process
Sigma detected: Stop EventLog
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected RHADAMANTHYS Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1785160 Sample: 8BallPoolModMenu.exe Startdate: 27/09/2025 Architecture: WINDOWS Score: 100 118 x.ns.gin.ntt.net 2->118 120 ts1.aco.net 2->120 122 8 other IPs or domains 2->122 134 Antivirus detection for URL or domain 2->134 136 Antivirus detection for dropped file 2->136 138 Multi AV Scanner detection for dropped file 2->138 140 8 other signatures 2->140 14 8BallPoolModMenu.exe 29 2->14         started        17 svchost.exe 2->17         started        20 svchost.exe 2->20         started        22 9 other processes 2->22 signatures3 process4 file5 110 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 14->110 dropped 24 cmd.exe 1 14->24         started        132 Changes security center settings (notifications, updates, antivirus, firewall) 17->132 27 MpCmdRun.exe 17->27         started        29 WerFault.exe 20->29         started        31 Conhost.exe 22->31         started        signatures6 process7 signatures8 164 Drops PE files with a suspicious file extension 24->164 33 cmd.exe 4 24->33         started        36 conhost.exe 24->36         started        38 conhost.exe 27->38         started        process9 file10 98 C:\Users\user\AppData\Local\...\Lexus.scr, PE32+ 33->98 dropped 100 C:\Users\user\AppData\Local\Temp\708752\L, data 33->100 dropped 40 Lexus.scr 33->40         started        43 extrac32.exe 20 33->43         started        45 tasklist.exe 1 33->45         started        47 2 other processes 33->47 process11 signatures12 166 Hijacks the control flow in another process 40->166 168 Modifies the context of a thread in another process (thread injection) 40->168 170 Injects a PE file into a foreign processes 40->170 172 Found direct / indirect Syscall (likely to bypass EDR) 40->172 49 OpenWith.exe 5 40->49         started        process13 dnsIp14 112 time-a-g.nist.gov 129.6.15.28 US-NATIONAL-INSTITUTE-OF-STANDARDS-AND-TECHNOLOGYUS United States 49->112 114 ntp1.net.berkeley.edu 169.229.128.134 UCBUS United States 49->114 116 9 other IPs or domains 49->116 102 C:\Users\user\AppData\Local\...\luv.exe, PE32+ 49->102 dropped 104 C:\Users\user\AppData\Local\...\LrBiYew.exe, PE32+ 49->104 dropped 142 Early bird code injection technique detected 49->142 144 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 49->144 146 Tries to steal Mail credentials (via file / registry access) 49->146 148 7 other signatures 49->148 54 luv.exe 49->54         started        58 LrBiYew.exe 49->58         started        60 chrome.exe 49->60         started        62 chrome.exe 49->62         started        file15 signatures16 process17 file18 106 C:\ProgramData\Microsoft\...\WmiPrvSE.exe, PE32+ 54->106 dropped 150 Antivirus detection for dropped file 54->150 152 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 54->152 154 Query firmware table information (likely to detect VMs) 54->154 162 4 other signatures 54->162 64 powershell.exe 54->64         started        67 cmd.exe 54->67         started        69 sc.exe 54->69         started        76 10 other processes 54->76 108 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32+ 58->108 dropped 156 Multi AV Scanner detection for dropped file 58->156 158 Queries memory information (via WMI often done to detect virtual machines) 58->158 160 Drops PE files with benign system names 58->160 71 chrome.exe 60->71         started        74 chrome.exe 60->74         started        signatures19 process20 dnsIp21 130 Loading BitLocker PowerShell Module 64->130 78 conhost.exe 64->78         started        80 WmiPrvSE.exe 64->80         started        82 net.exe 67->82         started        84 conhost.exe 67->84         started        86 conhost.exe 69->86         started        124 googlehosted.l.googleusercontent.com 142.250.217.225, 443, 49733 GOOGLEUS United States 71->124 126 127.0.0.1 unknown unknown 71->126 128 clients2.googleusercontent.com 71->128 88 conhost.exe 76->88         started        90 conhost.exe 76->90         started        92 conhost.exe 76->92         started        94 7 other processes 76->94 signatures22 process23 process24 96 net1.exe 82->96         started       
Score:
59%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/02778067900afe0ad74783c87e7dc16247e7971d2941f536321e0192cc326170
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE Memory-Mapped (Dump)
Link:
https://app.malva.re/file/338d85ebfa0660b7b0757214679aa5c7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/02778067900afe0ad74783c87e7dc16247e7971d2941f536321e0192cc326170/
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/02778067900afe0ad74783c87e7dc16247e7971d2941f536321e0192cc326170
Threat name:
Win32.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-09-25 20:27:28 UTC
File Type:
PE (Exe)
Extracted files:
22
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aj3yaz4qbl7avv2hqpeh47obmjd6pfy5ffa7knrsdyazftbsmfya._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
0d39cee98ccb7e1b971ba904ca00604866a90fe960b930df65e7d8fa8b1486ae
Rhadamanthys
2a7a217427edce6595cd2c43feeec73b251a7952b6c44a0e4e2c15a1f33ef7ad
Rhadamanthys
3cbaa80f0bd0f9bbe90f2f75c960137f0361a790038cf4e30651c6cfccf50340
Rhadamanthys
3d1beeddf32e404cc69ec5a2293b60dc45b147eb7514c718c68b12c68ab13395
Rhadamanthys
4040d13f0ce5777ed8ed26bfbd2c6bdfbf2c4511b0aed0a8a3d624890e007042
Rhadamanthys
ccbcbf8d6399bce1f3df74c2e3f2919f2c343c646689ecffe3f773b68b1e04d2
Rhadamanthys
cf948755dcc804a8a313bab2cebe0adf0532cace5b8c29a0738b2fed6a2ece50
Rhadamanthys
d7db0d7dc30c23be46f202a33dcddea24f72754ef1ecf12b31680d85797e1b29
Rhadamanthys
e4963c3d7294036e8ca76a517e50c5d8962269dbb800f3699a9f15e17ad271f1
Rhadamanthys
error
Rhadamanthys
fd2c60745de2be092a0ba2e823434a118ddcaefe8d85eb60e94ea8eec61447b3
Rhadamanthys
+ 94 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery
Link:
https://tria.ge/reports/250927-pd2ahabq9v/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e40c5ad3-b5e8-42d1-ba11-d1f55a1d7fb0
Unpacked files
SH256 hash:
02778067900afe0ad74783c87e7dc16247e7971d2941f536321e0192cc326170
MD5 hash:
338d85ebfa0660b7b0757214679aa5c7
SHA1 hash:
c49e3c62a0f0365d2826013c779a356beb4a37fc
Link:
https://www.unpac.me/results/e32e0309-5b9d-4107-9ff5-90d8c1a0d44e/
SH256 hash:
bb4fb924885b8d6719cb88e7f231abcbb7c2a1c69be92a12ce7bb56bed9129e3
MD5 hash:
094ae615109634f48bede4a612e36fc8
SHA1 hash:
a8b8cbf4d8a7f368b3ae53090bab40a2793657eb
Link:
https://www.unpac.me/results/e32e0309-5b9d-4107-9ff5-90d8c1a0d44e/
SH256 hash:
8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af
MD5 hash:
08e9796ca20c5fc5076e3ac05fb5709a
SHA1 hash:
07971d52dcbaa1054060073571ced046347177f7
Link:
https://www.unpac.me/results/e32e0309-5b9d-4107-9ff5-90d8c1a0d44e/
SH256 hash:
b4162391dc38ed0d216b1ccfc2454d9ef93eea5db17236291cf2cb6603c722cc
MD5 hash:
e53fbbb02d7217b84a87715344d45b80
SHA1 hash:
ee3789cf05c60a78525be585c20697d33dea93db
Link:
https://www.unpac.me/results/e32e0309-5b9d-4107-9ff5-90d8c1a0d44e/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/02778067900a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/02778067900afe0ad74783c87e7dc16247e7971d2941f536321e0192cc326170

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/29244/

Comments