MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16637168f9d85bb5abe9dbcd2586ee859fd2981e7ea173c031e0cf3bf0ee4da8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 16637168f9d85bb5abe9dbcd2586ee859fd2981e7ea173c031e0cf3bf0ee4da8
SHA3-384 hash: cd4000b7b956ebb7235466b29e3f04998b4f8f492c5d75ce8bed5e99c010c5e2172f3c2a632f8deed761ae5df598cf33
SHA1 hash: 7c205b888de4da3cbda69fd6ed99c5973de98e41
MD5 hash: a4a52244c3f8b83b049ad426cf41b1ef
humanhash: oklahoma-nineteen-oregon-thirteen
File name:setup.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:94'371'885 bytes
First seen:2025-07-30 00:02:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32f3282581436269b3a75b6675fe3e08 (197 x LummaStealer, 123 x Rhadamanthys, 8 x CoinMiner)
ssdeep 24576:VbB07bbr9qsQ7N7LaRmWs0/SoCzeWikqPuHTt++pv0bQ1PzGYSYHXKK19FiO:E7bsv7V63sAyzSjPm++pcb0PzGR471B
TLSH T16A282BB91615B64EC2DE49B4B3B1498C26172FBF60204FD7E606E056B3EF4087F6A931
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon cce6604dcddccce8 (1 x Rhadamanthys)
Reporter aachum
Tags:45-153-34-31 AutoIT CypherIT exe Rhadamanthys


Avatar
iamaachum
https://mytan.click/?file=x634YRw9bhdmtalUQDzqTMAI7n8S5e0p&ydbDkx1OXEGf4=oFTAcbPgs0kZ3nNEhKLMVU7vlBm6J8SCuzXyjfGxqp2QY4H => https://mega.nz/file/bNczgSpQ#i4bi-bl4ihpuIBuFRtFz8qayLH2UgfXXDrXX8JKeutQ

Intelligence

File Origin
# of uploads :
1
# of downloads :
49
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup.exe
Verdict:
Malicious activity
Analysis date:
2025-07-30 00:03:41 UTC
Tags:
lumma stealer autoit
Link:
https://app.any.run/tasks/8f1859e7-ef04-415c-8a16-83200d55c401

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68896165af3050dc8d323d34
Tags:
autoit emotet nsis
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Searching for the window
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a process from a recently created file
DNS request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug blackhole installer microsoft_visual_cc overlay overlay packed
Link:
https://www.filescan.io/uploads/6889614ea16348d835f37031/reports/39661de9-97e0-4e25-b071-75a645c2f31e/overview
Verdict:
Malicious
Labled as:
StartPage.OVJ
Link:
https://www.hybrid-analysis.com/sample/16637168f9d85bb5abe9dbcd2586ee859fd2981e7ea173c031e0cf3bf0ee4da8
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1746816
Signature
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Switches to a custom stack to bypass stack traces
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1746816 Sample: setup.exe Startdate: 30/07/2025 Architecture: WINDOWS Score: 76 34 CifwwyfvMPDKJSXpIwKzd.CifwwyfvMPDKJSXpIwKzd 2->34 38 Multi AV Scanner detection for submitted file 2->38 40 Yara detected RHADAMANTHYS Stealer 2->40 42 Sigma detected: Search for Antivirus process 2->42 9 setup.exe 26 2->9         started        signatures3 process4 file5 30 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 9->30 dropped 12 cmd.exe 1 9->12         started        process6 signatures7 48 Drops PE files with a suspicious file extension 12->48 15 cmd.exe 4 12->15         started        18 conhost.exe 12->18         started        process8 file9 32 C:\Users\user\AppData\Local\...behaviorgraphraphics.com, PE32 15->32 dropped 20 Graphics.com 15->20         started        24 extrac32.exe 13 15->24         started        26 tasklist.exe 1 15->26         started        28 2 other processes 15->28 process10 dnsIp11 36 45.153.34.31, 443, 49691, 49692 SKYLINKNL Germany 20->36 44 Switches to a custom stack to bypass stack traces 20->44 46 Found direct / indirect Syscall (likely to bypass EDR) 20->46 signatures12
Score:
67%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/16637168f9d85bb5abe9dbcd2586ee859fd2981e7ea173c031e0cf3bf0ee4da8
Gathering data
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/16637168f9d85bb5abe9dbcd2586ee859fd2981e7ea173c031e0cf3bf0ee4da8
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-07-30 00:03:25 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=czrxc2hz3bn3lk7j3pgslbxoqwp5fga6p2qxhqbr4dhtx4hojwua._file
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys discovery stealer
Link:
https://tria.ge/reports/250730-ab6d4stwbz/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Executes dropped EXE
Loads dropped DLL
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b1ed021c-2043-4dc5-8d3f-b36b98d9d54d
Malware family:
CypherIt
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/16637168f9d8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe 16637168f9d85bb5abe9dbcd2586ee859fd2981e7ea173c031e0cf3bf0ee4da8

(this sample)

  
Link
https://tria.ge/250729-3s228sfl5s/behavioral3
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::OpenProcess
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::GetWindowsDirectoryW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments