MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0edbb6150931c2970a547e7d1f9457cfc012194e96583386ab2b9dcfb8fde45d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0edbb6150931c2970a547e7d1f9457cfc012194e96583386ab2b9dcfb8fde45d
SHA3-384 hash: 3a2f4f776859496b331f8eb6c77ff50945b5addee02407cf7f59e6c1d345f55dcff6a97792245f3ba2d6f2cddb0b3535
SHA1 hash: 6e0c29983fded1af071a40c98dda83917bfb37a8
MD5 hash: cedaf1378f722ca2620a68ea351106b7
humanhash: bulldog-foxtrot-zebra-cup
File name:file
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:650'240 bytes
First seen:2025-09-20 04:05:31 UTC
Last seen:2025-10-14 05:01:56 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash cbbf0c0e5419f1056e401b8955cb07c0 (3 x Rhadamanthys)
ssdeep 12288:84fXXC7qcveyDFFsJdNzOG1XeIBFrvJa8:8GXqqTyDTsTtOG1XeIBy
Threatray 402 similar samples on MalwareBazaar
TLSH T149D48C9EB53B0CEAC6DF96FB80358219F14778806581C62AE7D98427CD872D25F94B3C
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe Rhadamanthys


Avatar
Bitsight
url: http://158.94.208.190/zuico.exe

Intelligence

File Origin
# of uploads :
77
# of downloads :
68
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fc90c14b807f5600be8a7ee6a7c94f6a900ba756521bb7249166c91e78d34599
Verdict:
Malicious activity
Analysis date:
2025-09-19 22:11:31 UTC
Tags:
auto-reg clipper diamotrix anti-evasion loader rhadamanthys
Link:
https://app.any.run/tasks/ef0ea3a5-61b4-41ea-8bf2-c5069055716f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/28414/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.50046.11309.26921.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68ce281e246a2631bd3172b0
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Connecting to a non-recommended domain
Connection attempt
DNS request
Sending a UDP request
Reading critical registry keys
Searching for the window
Unauthorized injection to a recently created process
Launching a process
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context microsoft_visual_cc unsafe
Link:
https://www.filescan.io/uploads/68ce2856390649f7a5f40944/reports/85baac8e-bde7-4879-930a-ecc1f5c9f9d1/overview
Verdict:
Malicious
Labled as:
Win64/Agent_AGeneric.FUP trojan
Link:
https://www.hybrid-analysis.com/sample/0edbb6150931c2970a547e7d1f9457cfc012194e96583386ab2b9dcfb8fde45d
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-09-19T16:21:00Z UTC
Last seen:
2025-09-19T16:21:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/0edbb6150931c2970a547e7d1f9457cfc012194e96583386ab2b9dcfb8fde45d/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c4ac6c4a-866e-4be7-a5fe-3c4c2524c89e
Score:
93%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/0edbb6150931c2970a547e7d1f9457cfc012194e96583386ab2b9dcfb8fde45d
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/cedaf1378f722ca2620a68ea351106b7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0edbb6150931c2970a547e7d1f9457cfc012194e96583386ab2b9dcfb8fde45d/
Threat name:
Win64.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2025-09-19 22:25:15 UTC
File Type:
PE+ (Exe)
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b3n3mfijghbjocsupz6r7fcxz7abegkoszmdhbvlfoo47oh54roq._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
5a68af44b9399b0bf6e41e5d60b994251dedb610c700dcfd81198b67a0518d0e
Rhadamanthys
629c324c37ac630713373e8f4573c5e0992e0a38f9b1e0b2fc6e6f7135ece39c
Rhadamanthys
72acf597de6ade41537a8d9d153e89064168ed780feeffc66ecf3081922fd87d
Rhadamanthys
7adcc8466d2e071c926f0fdf9b5a601de304ef017df7d5cc0a1032b85783aad5
Rhadamanthys
984f14e5ffd9a1a2c5f6c1015b8b42cf2eab941e1bcccb2b176736b7ac8bebbb
Rhadamanthys
d99f5dd0397a316ee7d28af1e8f5e5c558cacf00d3d21b10ef8135c94c9e3034
Rhadamanthys
dc741d4bbde8bd12093efd37aac1d9aeb09242ebbfc745b2f44db2a47f3bca21
Rhadamanthys
error
Rhadamanthys
f37270779667751dd0ef109350f3c0e7f8c0bdc38354a4b9b381f04bdae7ec10
Rhadamanthys
fe7ba9fdcc449190123cc2c60ef77c04912c442a3c15ef2b88d26fe41c18c6a8
Rhadamanthys
+ 392 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/250920-en52bsywgt/
Behaviour
Suspicious behavior: EnumeratesProcesses
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/580261dd-b3c2-4d3c-8a43-1421c10191dd
Unpacked files
SH256 hash:
0edbb6150931c2970a547e7d1f9457cfc012194e96583386ab2b9dcfb8fde45d
MD5 hash:
cedaf1378f722ca2620a68ea351106b7
SHA1 hash:
6e0c29983fded1af071a40c98dda83917bfb37a8
Link:
https://www.unpac.me/results/2efd6254-6f45-4f64-913d-31823076cdcd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0edbb6150931c2970a547e7d1f9457cfc012194e96583386ab2b9dcfb8fde45d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe 0edbb6150931c2970a547e7d1f9457cfc012194e96583386ab2b9dcfb8fde45d

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3626813/
  
URLhaus
https://urlhaus.abuse.ch/url/3626810/
  
URLhaus
https://urlhaus.abuse.ch/url/3625949/
  
URLhaus
https://urlhaus.abuse.ch/url/3627482/
Cape
Cape
https://www.capesandbox.com/analysis/28414/

Comments