MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e342385819a0605226b411fe5748f75b33af63ed7d42c30bf61ab361cfa310f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Rhadamanthys


Vendor detections: 15



SHA256 hash: 1e342385819a0605226b411fe5748f75b33af63ed7d42c30bf61ab361cfa310f
SHA3-384 hash: 21939cbffe88a5bab65aca5be5064074503f364b8b16a1535c36c815adc9cbcabc28c8aef8d6fbf5c55e1d5ab093163c
SHA1 hash: 56e048128130505bc5f4d64416bd4cc2b88b9e95
MD5 hash: 3ecdeae00e9901fbaa38d07422f312d7
humanhash: mountain-london-hot-nine
File name: SecuriteInfo.com.Trojan.PWS.Siggen3.40477.11725.16393
Signature: Rhadamanthys
File size: 3'672'080 bytes
First seen: 2025-05-24 20:32:22 UTC
Last seen: 2025-05-24 21:23:51 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: e31657ae953b7603f665b2d739aef753 (1 x Rhadamanthys)
ssdeep: 49152:AChAbqsiqUrjR/a38xDv/+6svMVw7CJkA0OjUsauNwTg8PvjoXcSKg0d3KPC6Mf7:AiSZNuATgQoXcSt0dkXMfEZBTXMn
TLSH: T1C906BE2AE2744AB8D0ABC67485929332DA707C510771A28F03C9D61A2F77D916F7F70B
TrID: 43.1% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
      17.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
      10.9% (.EXE) Win64 Executable (generic) (10522/11/4)
      10.3% (.EXE) DOS Borland compiled Executable (generic) (10000/1/2)
      5.2% (.EXE) Win16 NE executable (generic) (5038/12/1)
Magika: pebin
Reporter: SecuriteInfoCom
Tags: exe Rhadamanthys

Intelligence


File Origin
# of uploads :
2
# of downloads :
509
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
8OABL_random.exe
Verdict:
Malicious activity
Analysis date:
2025-05-24 19:41:45 UTC
Tags:
amadey botnet stealer loader themida rdp auto gcleaner lumma telegram autoit generic inno installer delphi

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Tags:
emotet spoof
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Creating a file in the %temp% directory
Launching a process
Creating a window
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
anti-debug enigma enigma fingerprint lolbin obfuscated overlay packed packed packed packer_detected remote
Malware family:
Rhadamanthys
Verdict:
Malicious
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Early bird code injection technique detected
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Potentially Suspicious Malware Callback Communication
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Behavior Graph ID: 1698583
Sample: SecuriteInfo.com.Trojan.PWS...
Start date: 24/05/2025
Architecture: WINDOWS
Score: 100

Top level
  Network: x.ns.gin.ntt.net; twc.trafficmanager.net; 5 other IPs or domains
  Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; .NET source code contains potential unpacker; 3 other signatures
  Started: SecuriteInfo.com.Trojan.PWS.Siggen3.40477.11725.16393.exe; msedge.exe; elevation_service.exe; 3 other processes

SecuriteInfo.com.Trojan.PWS.Siggen3.40477.11725.16393.exe
  Dropped: C:\Users\user\AppData\Local\Temp\evb9CD.tmp (PE32+)
  Signatures: Detected unpacking (creates a PE file in dynamic memory); Detected unpacking (overwrites its own PE header); Writes to foreign memory regions; 3 other signatures
  Started: aspnet_wp.exe; conhost.exe

msedge.exe
  Network: 192.168.2.10, ports 123, 138, 443 (unknown ASN, unknown country); 239.255.255.250 (unknown ASN, Reserved)
  Started: msedge.exe (4 child processes)

aspnet_wp.exe
  Network: 45.153.34.143, ports 4433, 49691, 49726 (SKYLINKNL, Germany)
  Signatures: Switches to a custom stack to bypass stack traces
  Started: OpenWith.exe; WerFault.exe

msedge.exe (child of msedge.exe)
  Network: s-part-0041.t-0009.t-msedge.net 13.107.246.69, ports 443, 49711, 49712 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); ax-0002.ax-msedge.net 150.171.27.11, ports 443, 49709, 49715 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 4 other IPs or domains

OpenWith.exe
  Network: 169.229.128.134, ports 123, 58452 (UCBUS, United States); ntp.time.nl 94.198.159.10, ports 123, 58452 (SIDNNL, Netherlands); 5 other IPs or domains
  Signatures: Early bird code injection technique detected; Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); 7 other signatures
  Started: wmpnscfg.exe; chrome.exe; msedge.exe; 2 other processes

wmpnscfg.exe
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes
  Started: dllhost.exe

chrome.exe
  Signatures: Found many strings related to Crypto-Wallets (likely being stolen)
  Started: chrome.exe (2 child processes)

msedge.exe (child of OpenWith.exe)
  Started: msedge.exe

chrome.exe (child of chrome.exe)
  Network: googlehosted.l.googleusercontent.com 142.250.101.132, ports 443, 49703, 49728 (GOOGLEUS, United States); 127.0.0.1 (unknown ASN, unknown country); clients2.googleusercontent.com
Threat name:
Win64.Trojan.Rhadamanthys
Status:
Malicious
First seen:
2025-05-24 20:07:14 UTC
File Type:
PE+ (Exe)
Extracted files:
10
AV detection:
19 of 24 (79.17%)
Threat level:
5/5
Verdict:
malicious
Label(s):
rhadamanthys
Similar samples:
Result
Malware family:
n/a
Score:
7/10
Tags:
discovery
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Loads dropped DLL
Unpacked files
SHA256 hash:
1e342385819a0605226b411fe5748f75b33af63ed7d42c30bf61ab361cfa310f
MD5 hash:
3ecdeae00e9901fbaa38d07422f312d7
SHA1 hash:
56e048128130505bc5f4d64416bd4cc2b88b9e95
SHA256 hash:
bdf2db7ea07a1b23b4a0cf2c55755a79c50dc3370d138fbf11b373c709fe7e9d
MD5 hash:
487e7c080394357257152efa6034b16d
SHA1 hash:
96934707b166c7d21aae5d2c9a426f37640c7e47
SHA256 hash:
d5ce0cb2d29c0eca77c317aa213e0f9347b6431221563947bf3abb28b56d9308
MD5 hash:
094cbff54efdcc357187c7184081b454
SHA1 hash:
d56eee69e6a72ddc104e8ea146c59ce899e3c3e0
SHA256 hash:
8f70bdf24576461aec0ad89e3b8fdf6aa16ccbc08ec04348ab4b60404a36ce49
MD5 hash:
e4daa028707bf6a403decd4e67fff993
SHA1 hash:
707d765966b1479b8930744ba82a72738db8d786
SHA256 hash:
95349cbb0ce9bd2bb939c04e611750eca5d1ac1b8baa53641c28c147a59dc725
MD5 hash:
95b2c0f892fe4c15ac1d4929bcb54df1
SHA1 hash:
b13abc14da4b7f1c0a8f5aacd98f0c6fb18873fd
Malware family:
Rhadamanthys
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu
Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: INDICATOR_EXE_Packed_Enigma
Author: ditekSHen
Description: Detects executables packed with Enigma
Rule name: Jupyter_infostealer
Author: CD_R0M_
Description: Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022
Rule name: NET
Author: malware-lu
Rule name: pe_detect_tls_callbacks
Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants
Rule name: SEH__vectored
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: ThreadControl__Context
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Rhadamanthys
File: Executable exe 1e342385819a0605226b411fe5748f75b33af63ed7d42c30bf61ab361cfa310f (this sample)

Delivery method
Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID                        | Title                                              | Severity
CHECK_AUTHENTICODE        | Missing Authenticode                               | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (GUARD_CF)    | high
CHECK_TRUST_INFO          | Requires Elevated Execution (uiAccess:None)        | high

Comments