MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 190f2113d6e29192b6e8b864d39f4b48ce66ee7022247b59bdd0cc2d4b3a9f6b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 16


Intelligence 16 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 190f2113d6e29192b6e8b864d39f4b48ce66ee7022247b59bdd0cc2d4b3a9f6b
SHA3-384 hash: ecc501a8d90ad0a6428e13acde96b335338eacf9fafb570cd572a1dcdf50e1595aa95bb322690d6a3951744751bfc8a5
SHA1 hash: a31248df6c73d4b7e0749f55aa1246c8483ac22c
MD5 hash: 37bf3cb130f4da2ee296ecddd67e84af
humanhash: beer-sodium-batman-arkansas
File name:SecuriteInfo.com.IL.Trojan.MSILZilla.210289.27490.18919
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:2'492'928 bytes
First seen:2025-08-07 16:16:34 UTC
Last seen:2025-08-07 17:16:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 24576:gIGEj4kKEja1mwP9GZLKkleuCBswXaIPy6NRNu6EqRQc/CenuGQmaDYPIaJLr7DS:P4kKx1mqaKkIjBswKUy6BD/NuDcHjTu
Threatray 3 similar samples on MalwareBazaar
TLSH T196B53A342AEFA02DF137AF795BD4359BDB6EB673370AA85D1091034B0A12E41DEC153A
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon 631cf3c68b33e3e6 (2 x Rhadamanthys, 2 x DarkTortilla, 2 x LummaStealer)
Reporter SecuriteInfoCom
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
2
# of downloads :
57
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
C7FC0C2DB7EB95AB6FBB81515E4AF24C.exe
Verdict:
Malicious activity
Analysis date:
2025-08-07 15:38:47 UTC
Tags:
lumma stealer amadey botnet loader auto-reg rdp arch-exec gcleaner auto-startup purecrypter dcrat rat remote darkcrystal telegram stealc vidar autoit auto generic
Link:
https://app.any.run/tasks/dd8d0956-8031-4b17-8762-0a30c241b87d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Lumma
Create hunting rule
Link:
https://www.capesandbox.com/analysis/19517/
Detection(s):
SecuriteInfo.com.IL.Trojan.MSILZilla.210289.27490.18919.UNOFFICIAL
Create hunting rule

Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6894d19e11d7f9b979e66df5
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Forced shutdown of a system process
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
base64 expand lolbin obfuscated obfuscated vbnet
Link:
https://www.filescan.io/uploads/6894d180397fd3ce6fa0fe03/reports/37935a09-2fcc-4169-a91b-179a31cf7060/overview
Verdict:
Malicious
Labled as:
IL:Trojan.MSILZilla
Link:
https://www.hybrid-analysis.com/sample/190f2113d6e29192b6e8b864d39f4b48ce66ee7022247b59bdd0cc2d4b3a9f6b
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f9d35ecd-0644-434f-847f-54d7fad743e5
Score:
91%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/190f2113d6e29192b6e8b864d39f4b48ce66ee7022247b59bdd0cc2d4b3a9f6b
Verdict:
inconclusive
YARA:
11 match(es)
Tags:
.Net Executable PE (Portable Executable) SOS: 0.55 Win 32 Exe x86
Link:
https://app.malva.re/file/37bf3cb130f4da2ee296ecddd67e84af
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/190f2113d6e29192b6e8b864d39f4b48ce66ee7022247b59bdd0cc2d4b3a9f6b/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-08-07 15:20:02 UTC
File Type:
PE (.Net Exe)
Extracted files:
102
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dehsce6w4kizfnxixbsnhh2ljdhgn3tqeishwwn52dgc2sz2t5vq._file
Verdict:
malicious
Label(s):
lummastealer
Create hunting rule
Similar samples:
13ec1ebc01f7d1829c38d6b987d1ad4f3883e90b5867941daa51e5a139cb9461
Rhadamanthys
190f2113d6e29192b6e8b864d39f4b48ce66ee7022247b59bdd0cc2d4b3a9f6b
Rhadamanthys
error
Rhadamanthys
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:darktortilla family:lumma family:rhadamanthys crypter discovery loader stealer
Link:
https://tria.ge/reports/250807-trkbcsxry6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Darktortilla
Darktortilla family
Detects Darktortilla crypter.
Detects Rhadamanthys Payload
Lumma Stealer, LummaC
Lumma family
Rhadamanthys
Rhadamanthys family
Malware Config
C2 Extraction:
https://invertdbdi.top/xjit
https://mastwin.in/qsaz/api
https://ordinarniyvrach.ru/xiur/api
https://yamakrug.ru/lzka/api
https://vishneviyjazz.ru/neco/api
https://yrokistorii.ru/uqya/api
https://stolewnica.ru/xjuf/api
https://visokiywkaf.ru/mmtn/api
https://kletkamozga.ru/iwyq/api
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9219dd30-eab0-4f7f-8c09-9262a0a906eb
Unpacked files
SH256 hash:
190f2113d6e29192b6e8b864d39f4b48ce66ee7022247b59bdd0cc2d4b3a9f6b
MD5 hash:
37bf3cb130f4da2ee296ecddd67e84af
SHA1 hash:
a31248df6c73d4b7e0749f55aa1246c8483ac22c
Link:
https://www.unpac.me/results/3faa3118-8e30-4bc5-8779-66ba007e06f8/
SH256 hash:
7ab14489ec0dceef91d13eed17e03aebc940ea7359dc3a8653934d85f184f06c
MD5 hash:
68eb0b65b52a9bc1ae5c92eae3b36a7b
SHA1 hash:
9040cc1b1469a9c722a17c927c32448e5c0d1ccb
Detections:
LummaStealer
Create hunting rule
Link:
https://www.unpac.me/results/3faa3118-8e30-4bc5-8779-66ba007e06f8/
SH256 hash:
b93bebd7f42919ccf2f07d84da350fd77d111485ed44391cbca6af70b50036bf
MD5 hash:
f78e095892191a48f2848f8372f65a87
SHA1 hash:
0fbad02a10028e049498ba8b11f49ac82c4214ae
Link:
https://www.unpac.me/results/3faa3118-8e30-4bc5-8779-66ba007e06f8/
SH256 hash:
fbfa53b0e87df7c6fb67d5ce04710e2ba397b94ae9a183bf1c5757f9a206bb0b
MD5 hash:
1bb2f9d034f5747a8e1c6e417d8c9226
SHA1 hash:
1820da400e47b4c8fe15c00917cdea9f3f3ad8e3
Link:
https://www.unpac.me/results/3faa3118-8e30-4bc5-8779-66ba007e06f8/
SH256 hash:
da4cb91d96214c7134a9e8799fdf241bd6b8103eecd4efb1b8c228ca3c8e7e91
MD5 hash:
9a06e083cd0531927dcd616b9b601ffa
SHA1 hash:
9584f7e1c8ab7be5900762abcaedf20cb92e4ae7
Link:
https://www.unpac.me/results/3faa3118-8e30-4bc5-8779-66ba007e06f8/
SH256 hash:
2cb5b8fbcd0994c8371837858c1f6dfe8e0de017e86437c7aee38d710209f10a
MD5 hash:
4f5880d558000b383fbb6efb21100997
SHA1 hash:
d2ceb9140d797b0f4db46a0a02c274e4fe89f349
Link:
https://www.unpac.me/results/3faa3118-8e30-4bc5-8779-66ba007e06f8/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/190f2113d6e2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/190f2113d6e29192b6e8b864d39f4b48ce66ee7022247b59bdd0cc2d4b3a9f6b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe 190f2113d6e29192b6e8b864d39f4b48ce66ee7022247b59bdd0cc2d4b3a9f6b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3598717/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/19517/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high

Comments