MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17147a94eee765ba45e6614e21945d7f2d9e1020228d2953ed0ac091df03c784. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 17147a94eee765ba45e6614e21945d7f2d9e1020228d2953ed0ac091df03c784
SHA3-384 hash: fa8e961f14d1663754feb9aebdde1317e8444db8caecd7e0403c0b5d39f7dbf188923478e03131bec67c7ebda3a3dbf9
SHA1 hash: df3f17c6765202b67d5d622453baacd7d31a9e02
MD5 hash: b48d38328175e58f8b6109f4748cac6c
humanhash: eight-bulldog-green-cold
File name:Setup.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:4'869'512 bytes
First seen:2025-07-21 19:01:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f811af01ac6c2789aa091e7bc9b7b43a (18 x Rhadamanthys, 1 x CoinMiner)
ssdeep 98304:vf4QEJVDwgouShSBkaMQNFWCDwpLC2Lq5Rlu:Iu2jtw
TLSH T1F8364AA1798DB6DFD28F1DBC9D5BCE03A42E07F585204C02E85D7C7BAE52D8222C9D58
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter burger
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
26
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2025-07-21 19:01:05 UTC
Tags:
themida rhadamanthys shellcode
Link:
https://app.any.run/tasks/4871a852-07e9-400a-b33e-9eb064e22bb5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/16162/
Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=687e8e722f623871a5f1707a
Tags:
vmdetect obfusc crypt overt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Using the Windows Management Instrumentation requests
Detecting VM
Unauthorized injection to a system process
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/17147a94eee765ba45e6614e21945d7f2d9e1020228d2953ed0ac091df03c784
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a247b7a9-3aa8-4ca1-a957-74bb0c8ebb3b
Result
Threat name:
RHADAMANTHYS, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1741555
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious PE digital signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Changes security center settings (notifications, updates, antivirus, firewall)
Checks if the current machine is a virtual machine (disk enumeration)
Deletes itself after installation
Detected Stratum mining protocol
Disable Windows Defender notifications (registry)
Early bird code injection technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected RHADAMANTHYS Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1741555 Sample: Setup.exe Startdate: 21/07/2025 Architecture: WINDOWS Score: 100 97 x.ns.gin.ntt.net 2->97 99 twc.trafficmanager.net 2->99 101 8 other IPs or domains 2->101 131 Suricata IDS alerts for network traffic 2->131 133 Antivirus / Scanner detection for submitted sample 2->133 135 Multi AV Scanner detection for submitted file 2->135 137 9 other signatures 2->137 12 Setup.exe 2->12         started        15 msedge.exe 2->15         started        18 svchost.exe 2->18         started        20 8 other processes 2->20 signatures3 process4 dnsIp5 157 Query firmware table information (likely to detect VMs) 12->157 159 Switches to a custom stack to bypass stack traces 12->159 161 Tries to detect sandboxes / dynamic malware analysis system (registry check) 12->161 22 OpenWith.exe 12->22         started        129 239.255.255.250 unknown Reserved 15->129 163 Maps a DLL or memory area into another process 15->163 26 msedge.exe 15->26         started        28 msedge.exe 15->28         started        30 msedge.exe 15->30         started        34 3 other processes 15->34 165 Changes security center settings (notifications, updates, antivirus, firewall) 18->165 32 MpCmdRun.exe 1 18->32         started        signatures6 process7 dnsIp8 109 185.232.205.186, 49696, 49727, 49728 SOLTIAES Spain 22->109 111 cloudflare-dns.com 104.16.249.249, 443, 49695 CLOUDFLARENETUS United States 22->111 113 vault-360-nexus.com 22->113 149 Query firmware table information (likely to detect VMs) 22->149 151 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 22->151 153 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 22->153 155 4 other signatures 22->155 36 OpenWith.exe 8 22->36         started        115 192.168.2.6, 4233, 443, 49682 unknown unknown 26->115 117 s-part-0012.t-0009.t-msedge.net 13.107.246.40, 443, 49716, 49721 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 26->117 119 8 other IPs or domains 26->119 41 conhost.exe 32->41         started        signatures9 process10 dnsIp11 103 ntp1.net.berkeley.edu 169.229.128.134 UCBUS United States 36->103 105 ntp.time.nl 94.198.159.10 SIDNNL Netherlands 36->105 107 6 other IPs or domains 36->107 91 C:\Users\user\AppData\Local\...\dIbK.exe, PE32+ 36->91 dropped 93 C:\Users\user\AppData\Local\...\Wu2-_.exe, PE32 36->93 dropped 141 Early bird code injection technique detected 36->141 143 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 36->143 145 Tries to steal Mail credentials (via file / registry access) 36->145 147 7 other signatures 36->147 43 dIbK.exe 36->43         started        47 wmprph.exe 36->47         started        49 chrome.exe 1 36->49         started        51 2 other processes 36->51 file12 signatures13 process14 file15 95 C:\ProgramData\Microsoft\...\WmiPrvSE.exe, PE32+ 43->95 dropped 167 Query firmware table information (likely to detect VMs) 43->167 169 Modifies windows update settings 43->169 171 Adds a directory exclusion to Windows Defender 43->171 179 2 other signatures 43->179 53 powershell.exe 43->53         started        56 cmd.exe 43->56         started        58 sc.exe 43->58         started        69 6 other processes 43->69 173 Writes to foreign memory regions 47->173 175 Allocates memory in foreign processes 47->175 60 dllhost.exe 47->60         started        177 Found many strings related to Crypto-Wallets (likely being stolen) 49->177 63 chrome.exe 49->63         started        65 chrome.exe 49->65         started        67 msedge.exe 51->67         started        signatures16 process17 dnsIp18 139 Loading BitLocker PowerShell Module 53->139 71 conhost.exe 53->71         started        73 WmiPrvSE.exe 53->73         started        75 net.exe 56->75         started        77 conhost.exe 56->77         started        79 conhost.exe 58->79         started        121 213.209.150.143, 4233, 49733 KEMINETAL Germany 60->121 123 googlehosted.l.googleusercontent.com 142.250.65.193, 443, 49707, 49708 GOOGLEUS United States 63->123 125 127.0.0.1 unknown unknown 63->125 127 clients2.googleusercontent.com 63->127 81 conhost.exe 69->81         started        83 conhost.exe 69->83         started        85 conhost.exe 69->85         started        87 3 other processes 69->87 signatures19 process20 process21 89 net1.exe 75->89         started       
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/17147a94eee765ba45e6614e21945d7f2d9e1020228d2953ed0ac091df03c784
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/b48d38328175e58f8b6109f4748cac6c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/17147a94eee765ba45e6614e21945d7f2d9e1020228d2953ed0ac091df03c784/
Verdict:
Malicious
Threat:
Trojan.Win32.Strab
Link:
https://tip.neiki.dev/file/17147a94eee765ba45e6614e21945d7f2d9e1020228d2953ed0ac091df03c784
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-07-21 19:01:07 UTC
File Type:
PE (Exe)
AV detection:
26 of 36 (72.22%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=c4khvfho45s3urpgmfhcdfc5p4wz4ebaekgssu7nblajdxydy6ca._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
error
Rhadamanthys
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys defense_evasion discovery stealer themida trojan
Link:
https://tria.ge/reports/250721-xpfryayrt3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/975d5a8a-8ebb-45a0-b902-b52651ce4a43
Unpacked files
SH256 hash:
17147a94eee765ba45e6614e21945d7f2d9e1020228d2953ed0ac091df03c784
MD5 hash:
b48d38328175e58f8b6109f4748cac6c
SHA1 hash:
df3f17c6765202b67d5d622453baacd7d31a9e02
Link:
https://www.unpac.me/results/1295eff7-58a5-4779-86c5-69da95b9b81e/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_Themida
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/16162/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh

Comments