MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a5a21f32d74c03bb49bd1cc11c71687cce32c95ea3a4d164913568730e07ae5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Rhadamanthys


Vendor detections: 12



SHA256 hash: 1a5a21f32d74c03bb49bd1cc11c71687cce32c95ea3a4d164913568730e07ae5
SHA3-384 hash: baf49d437de1d3ea33b4ddd9d0bb671bae8a254bf914115e3f2d235353d994b8f941e1a17c58a519b6d91e72081121e1
SHA1 hash: 23f2f43c2f1f489a3b6fdaae3153143edf14b493
MD5 hash: 5313cded67c38224e20f215e60584ed5
humanhash: december-lake-butter-shade
File name: 📥 ⬅setup⬅ ⏭️.exe
Signature: Rhadamanthys
File size: 94'371'810 bytes
First seen: 2025-08-22 15:59:58 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash b729b61eb1515fcf7b3e511e4e66258b (70 x LummaStealer, 16 x Rhadamanthys, 8 x Adware.Generic)
ssdeep 49152:JIlZMETgLQ/OjSso1W5QfpyHft5AWqw2z:JIMCYQ/OjTHqByHft5mnz
Threatray 657 similar samples on MalwareBazaar
TLSH T1062812B35EB05BEEA19F99539F7770B8C73C01CA44800615AFB8EDA501D452A9BC337A
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 0000000000800000 (2 x Rhadamanthys)
Reporter aachum
Tags:45-153-34-238 45-153-34-241 45-153-34-26 AutoIT CypherIT exe Rhadamanthys


iamaachum
https://urvdnkei.com/ => https://mega.nz/file/TLhkHQib#TTYn86yNS4N7rXYJzUX-kk-orCxbjqUVpt14KdTdh5Y

Intelligence


File Origin
# of uploads :
1
# of downloads :
64
Origin country :
ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c5ab42e3-e5c9-4bbf-baf3-0b91eb4c8fe3
Verdict:
Malicious activity
Analysis date:
2025-08-22 16:22:34 UTC
Tags:
autoit

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
97.4%
Tags:
autoit emotet cobalt
Result
Verdict:
Malware
Maliciousness:
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-08-21T12:57:00Z UTC
Last seen:
2025-08-21T12:57:00Z UTC
Hits:
~100
Result
Threat name:
RHADAMANTHYS
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Checks if the current machine is a virtual machine (disk enumeration)
Detected CypherIt Packer
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Search for Antivirus process
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 1763098
Sample: 📥 ⬅setup⬅ ⏭️.exe (Startdate: 22/08/2025, Architecture: WINDOWS, Score: 100)
Process chain shown in the graph (graph rendering not reproduced):
- the sample process drops C:\Users\user\AppData\Local\...\nsExec.dll (PE32) and starts cmd.exe
- cmd.exe (signatures: Detected CypherIt Packer; Drops PE files with a suspicious file extension) starts a second cmd.exe and conhost.exe
- the second cmd.exe drops C:\Users\user\AppData\Local\...\Bunch.pif (PE32) and starts Bunch.pif, extrac32.exe, tasklist.exe and 2 other processes
- Bunch.pif connects to 45.153.34.238, 45.153.34.241 and 45.153.34.26 on port 443 (SKYLINKNL, Germany) and triggers the signatures Query firmware table information (likely to detect VMs), Checks if the current machine is a virtual machine (disk enumeration), Switches to a custom stack to bypass stack traces, plus 2 other signatures
- extrac32.exe drops C:\Users\user\AppData\Local\Temp\Quizzes (DOS)
Threat name:
Win32.Malware.Heuristic
Status:
Malicious
First seen:
2025-08-21 21:12:01 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
16 of 38 (42.11%)
Threat level:
  2/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Enumerates processes with tasklist
Executes dropped EXE
Loads dropped DLL
Malware family:
Rhadamanthys
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe 1a5a21f32d74c03bb49bd1cc11c71687cce32c95ea3a4d164913568730e07ae5

(this sample)

Delivery method
Distributed via web download

Comments