MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0b9f86983cc1f0ce3178cd07a1ee461ecb06d0fb7862360e9a8824d18ceec4c0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys
Vendor detections: 12



SHA256 hash: 0b9f86983cc1f0ce3178cd07a1ee461ecb06d0fb7862360e9a8824d18ceec4c0
SHA3-384 hash: 5fa4ebbb7910a9175fc212c41ac91fcadbaf6f395107279c4c96b392dcc9ce2a8559e39081d83c57e03d48164033f779
SHA1 hash: 92e6a29a4404ccbbbe6948500becc64d233387f3
MD5 hash: 70b3b220d0dd147acaa8ff6381b2dd0a
humanhash: floor-mountain-shade-maine
File name: 𝗦𝗘𝗧𝗨𝗣.exe
Signature: Rhadamanthys
File size: 94'384'481 bytes
First seen: 2025-06-06 13:45:39 UTC
Last seen: 2025-06-06 13:52:08 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: bf95d1fc1d10de18b32654b123ad5e1f (327 x LummaStealer, 65 x Rhadamanthys, 25 x Vidar)
ssdeep: 49152:DJzZNQ+e4vzx4oYv9N05zBbkTKL1AjZjU:DJdNQ+emebN05zr1yI
Threatray: 315 similar samples on MalwareBazaar
TLSH: T1A6288C72B32C71468D074EEAE6422F23371A1158D8337638F778C12FB1A86BD955E91E
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: 639081899091a999 (2 x Rhadamanthys)
Reporter: aachum
Tags: 45-153-34-237 AutoIT CypherIT exe Rhadamanthys


iamaachum
https://waref.click/scan/?YNAYAhs?utm=1sLLiV => https://mega.nz/file/WUlVQYxa#d4fDDVU_8aSNI5B5Xbphl9n-qAno6fvlmAcWv3U8bnQ

Intelligence


File Origin
# of uploads: 2
# of downloads: 1'058
Origin country: ES
Vendor Threat Intelligence

Malware family: agenttesla
ID: 1
File name: https://bazaar.abuse.ch/
Verdict: Malicious activity
Analysis date: 2025-06-06 15:08:35 UTC
Tags: arch-exec evasion stealer smtp exfiltration agenttesla netreactor purecrypter ftp autoit pureminer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 91.7%
Tags: autoit emotet
Result
Verdict: Clean
Maliciousness:
Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 84 / 100
Signature
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph (ID: 1708264, sample: 𝗦𝗘𝗧𝗨𝗣.exe, start date: 06/06/2025, architecture: WINDOWS, score: 84)
  Sample-level signatures: Multi AV Scanner detection for submitted file; Sigma detected: Search for Antivirus process; Joe Sandbox ML detected suspicious sample
  DNS lookup: FJHWbVexXfRfQLrCbmOvcMqXzWna.FJHWbVexXfRfQLrCbmOvcMqXzWna
  𝗦𝗘𝗧𝗨𝗣.exe (started)
    cmd.exe (started)
      dropped: C:\Users\user\AppData\Local\...\Penalty.com (PE32+) [Drops PE files with a suspicious file extension]
      Penalty.com (started) [Hijacks the control flow in another process; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes; Found direct / indirect Syscall (likely to bypass EDR)]
        Penalty.com (started) [Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Found direct / indirect Syscall (likely to bypass EDR)]
          network: 45.153.34.237:443 (local port 49706), SKYLINKNL, Germany
          WerFault.exe (started)
      extrac32.exe (started)
      conhost.exe (started)
      6 other processes (started)
Threat name: Win32.Dropper.Generic
Status: Suspicious
First seen: 2025-06-06 11:20:59 UTC
File Type: PE (Exe)
Extracted files: 25
AV detection: 9 of 24 (37.50%)
Threat level: 3/5
Result
Malware family: n/a
Score: 7/10
Tags: discovery
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Checks computer location settings
Deletes itself
Executes dropped EXE
Verdict: Suspicious
Tags: n/a
YARA: n/a
Malware family: Rhadamanthys
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Rhadamanthys
File: Executable exe 0b9f86983cc1f0ce3178cd07a1ee461ecb06d0fb7862360e9a8824d18ceec4c0 (this sample)

Delivery method
Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings (ID, Title, Severity)
CHECK_AUTHENTICODE: Missing Authenticode (severity: high)
CHECK_DLL_CHARACTERISTICS: Missing dll Security Characteristics (HIGH_ENTROPY_VA) (severity: high)
CHECK_NX: Missing Non-Executable Memory Protection (severity: critical)
CHECK_PIE: Missing Position-Independent Executable (PIE) Protection (severity: high)

Reviews (ID, Capabilities, Evidence)
COM_BASE_API (Can Download & Execute components):
  ole32.dll::CoCreateInstance
SHELL_API (Manipulates System Shell):
  SHELL32.dll::ShellExecuteW
  SHELL32.dll::SHFileOperationW
  SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_API (Can Create Process and Threads):
  KERNEL32.dll::CreateProcessW
  KERNEL32.dll::OpenProcess
  KERNEL32.dll::CloseHandle
  KERNEL32.dll::CreateThread
WIN_BASE_API (Uses Win Base API):
  KERNEL32.dll::LoadLibraryW
  KERNEL32.dll::LoadLibraryA
  KERNEL32.dll::LoadLibraryExW
  KERNEL32.dll::GetDiskFreeSpaceW
  KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_API (Can Create Files):
  KERNEL32.dll::CopyFileW
  KERNEL32.dll::CreateDirectoryW
  KERNEL32.dll::CreateFileW
  KERNEL32.dll::DeleteFileW
  KERNEL32.dll::MoveFileW
  KERNEL32.dll::GetWindowsDirectoryW
WIN_REG_API (Can Manipulate Windows Registry):
  ADVAPI32.dll::RegCreateKeyExW
  ADVAPI32.dll::RegDeleteKeyW
  ADVAPI32.dll::RegOpenKeyExW
  ADVAPI32.dll::RegQueryValueExW
  ADVAPI32.dll::RegSetValueExW
WIN_USER_API (Performs GUI Actions):
  USER32.dll::AppendMenuW
  USER32.dll::EmptyClipboard
  USER32.dll::FindWindowExW
  USER32.dll::OpenClipboard
  USER32.dll::PeekMessageW
  USER32.dll::CreateWindowExW

Comments