MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 068ceb2800e734fa81313bceb7d745fd7a238d189d084ef3a585950ed98c6b2e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Rhadamanthys


Vendor detections: 15



SHA256 hash: 068ceb2800e734fa81313bceb7d745fd7a238d189d084ef3a585950ed98c6b2e
SHA3-384 hash: 3bcbbdb0acf93dec02923b5b002924fa81b407a7910f039b7cbfaa45beddc0eb18764a0963a84b562a557ac1e3c70293
SHA1 hash: c3295211a4c09aabd905af5083927f824123e4cd
MD5 hash: cacc88221ee4244828b11b38fc16234c
humanhash: hydrogen-nitrogen-two-papa
File name: file.exe
Signature: Rhadamanthys
File size: 5'516'356 bytes
First seen: 2025-07-22 16:12:02 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8b4d0760d426c9138154c52a7dcc4339 (5 x Rhadamanthys, 5 x HijackLoader, 2 x SheetRAT)
ssdeep: 98304:3xKDSJrwRHzSNVxjGlFi47+0zC1MT8SygcuzCnGY9I9aTsNGPA70YeHN+gc:3xK8rwRHzSNVxalr+IUZUtOsNGo/et+t
TLSH: T111463319E7E805FAE4A7E5BA8C174A12E7727C4507B18F4F13B4A65A2F132E09C3DB50
TrID:
  92.4% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
  3.6% (.EXE) Win64 Executable (generic) (10522/11/4)
  1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
  0.7% (.EXE) OS/2 Executable (generic) (2029/13)
  0.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
dhash icon: 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter: abuse_ch
Tags: exe Rhadamanthys

Intelligence


File Origin
# of uploads: 1
# of downloads: 41
Origin country: SE

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 2025-07-22_cacc88221ee4244828b11b38fc16234c_black-basta_cobalt-strike_luca-stealer_satacom_vidar.exe
Verdict: No threats detected
Analysis date: 2025-07-22 15:38:39 UTC
Tags: delphi

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 97.4%
Tags: ransomware injection dropper
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
Sending a custom TCP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: adaptive-context anti-debug anti-vm base64 crossrider evasive expired-cert explorer fingerprint keylogger lolbin microsoft_visual_cc overlay overlay packed
Result
Threat name: HijackLoader, RHADAMANTHYS
Detection: malicious
Classification: troj.evad.spyw
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected HijackLoader
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
[Behavior graph image not reproduced here. Behavior Graph ID: 1742177, Sample: file.exe, Startdate: 22/07/2025, Architecture: WINDOWS, Score: 100]
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PDB Path PE (Portable Executable) Win 64 Exe x64
Threat name: Win64.Trojan.Hijackloader
Status: Malicious
First seen: 2025-07-22 08:45:57 UTC
File Type: PE+ (Exe)
Extracted files: 161
AV detection: 16 of 24 (66.67%)
Threat level: 5/5
Verdict: suspicious
Label(s): r77rootkit rhadamanthys
Similar samples:
Result
Malware family: rhadamanthys
Score: 10/10
Tags: family:hijackloader family:rhadamanthys discovery loader stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detects HijackLoader (aka IDAT Loader)
Detects Rhadamanthys Payload
HijackLoader
Hijackloader family
Rhadamanthys
Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: HeavensGate
Author: kevoreilly
Description: Heaven's Gate: Switch from 32-bit to 64-bit mode

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value

Rule name: pe_detect_tls_callbacks

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID                         Title                                                    Severity
CHECK_AUTHENTICODE         Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (FORCE_INTEGRITY)   high

Reviews

ID                  Capabilities                      Evidence
GDI_PLUS_API        Interfaces with Graphics          gdiplus.dll::GdiplusStartup
                                                      gdiplus.dll::GdiplusShutdown
                                                      gdiplus.dll::GdipAlloc
WIN32_PROCESS_API   Can Create Process and Threads    KERNEL32.dll::CloseHandle
WIN_BASE_API        Uses Win Base API                 KERNEL32.dll::TerminateProcess
                                                      KERNEL32.dll::LoadLibraryW
                                                      KERNEL32.dll::LoadLibraryExA
                                                      KERNEL32.dll::LoadLibraryExW
                                                      KERNEL32.dll::GetSystemInfo
                                                      KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_API   Can Execute other programs        KERNEL32.dll::AllocConsole
                                                      KERNEL32.dll::AttachConsole
                                                      KERNEL32.dll::WriteConsoleW
                                                      KERNEL32.dll::FreeConsole
                                                      KERNEL32.dll::SetStdHandle
                                                      KERNEL32.dll::GetConsoleMode
                                                      KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API     Can Create Files                  KERNEL32.dll::CreateDirectoryW
                                                      KERNEL32.dll::CreateFileW
                                                      KERNEL32.dll::DeleteFileW
                                                      KERNEL32.dll::MoveFileW
                                                      KERNEL32.dll::MoveFileExW
                                                      KERNEL32.dll::GetSystemDirectoryW

Comments