MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 21a959472673f6a21bf84f59d0d724280ce7bc3e5c39165efd796c7e429fe2a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


CoinMiner


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 21a959472673f6a21bf84f59d0d724280ce7bc3e5c39165efd796c7e429fe2a1
SHA3-384 hash: e5ebc215ca6c315b2db6e22a1d389b26bca01727ae117b604e1b1a8cdcab5a18e99bbbfb9d7a71cb8869a5e104d3a6c6
SHA1 hash: 5536594474e478eaecb69010f4651b66ff372537
MD5 hash: 789a316022371eed5ae2b39525b84cc6
humanhash: nebraska-zebra-fillet-arizona
File name:Lumen.exe
Download: download sample
Signature CoinMiner
Create hunting rule
File size:1'609'765 bytes
First seen:2025-08-14 09:53:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32f3282581436269b3a75b6675fe3e08 (197 x LummaStealer, 122 x Rhadamanthys, 8 x CoinMiner)
ssdeep 24576:DgLpG6P1JeKIkNiiYTTt1G4QBBqiAdj9namml/E7Fl6fPGE4kVaicmv6h3k3r9wF:I+KIkNYT6DnEdT7Fl6fPpumv6hYwFH
Threatray 1'304 similar samples on MalwareBazaar
TLSH T1A47533887F6694BAF3A1267A39E0E127813F7E301CEEC60F57198DD41E304553C6A7A6
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 96bbababb57565bb (1 x CoinMiner)
Reporter burger
Tags:CoinMiner exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Lumen.exe
Verdict:
Malicious activity
Analysis date:
2025-08-14 09:53:25 UTC
Tags:
auto-startup autoit rhadamanthys shellcode
Link:
https://app.any.run/tasks/c98a89fe-1d23-473a-ad2b-bdc50fa1ac36

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/21308/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689db26531e468d93724b915
Tags:
autoit emotet cobalt nsis
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Searching for the window
Searching for the Windows task manager window
Sending a custom TCP request
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a process from a recently created file
DNS request
Possible injection to a system process
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug blackhole installer microsoft_visual_cc overlay overlay packed
Link:
https://www.filescan.io/uploads/689db2669ef4d2ff7cfcaa2c/reports/c402e103-3fa1-498d-949a-0131dae33d8f/overview
Verdict:
Malicious
Labled as:
StartPage.OVJ
Link:
https://www.hybrid-analysis.com/sample/21a959472673f6a21bf84f59d0d724280ce7bc3e5c39165efd796c7e429fe2a1
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/47276f8c-8eee-4e54-9afb-05efda4b67f8
Result
Threat name:
RHADAMANTHYS, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1756758
Signature
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Detected CypherIt Packer
Detected Stratum mining protocol
Drops PE files with a suspicious file extension
Early bird code injection technique detected
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queues an APC in another process (thread injection)
Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RHADAMANTHYS Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1756758 Sample: Lumen.exe Startdate: 14/08/2025 Architecture: WINDOWS Score: 100 105 nexus-cloud-360.com 2->105 107 www.google.com 2->107 109 22 other IPs or domains 2->109 153 Antivirus detection for dropped file 2->153 155 Multi AV Scanner detection for submitted file 2->155 157 Yara detected RHADAMANTHYS Stealer 2->157 159 6 other signatures 2->159 13 Lumen.exe 28 2->13         started        16 HermesKey.bat 2->16         started        18 svchost.exe 2->18         started        21 13 other processes 2->21 signatures3 process4 dnsIp5 103 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 13->103 dropped 24 cmd.exe 1 13->24         started        27 OpenWith.exe 16->27         started        30 WerFault.exe 16->30         started        149 Changes security center settings (notifications, updates, antivirus, firewall) 18->149 111 127.0.0.1 unknown unknown 21->111 113 239.255.255.250 unknown Reserved 21->113 32 msedge.exe 21->32         started        34 WerFault.exe 21->34         started        36 WerFault.exe 21->36         started        38 4 other processes 21->38 file6 signatures7 process8 dnsIp9 161 Detected CypherIt Packer 24->161 163 Drops PE files with a suspicious file extension 24->163 40 cmd.exe 4 24->40         started        43 conhost.exe 24->43         started        127 nexus-cloud-360.com 27->127 129 45.141.233.250, 1888, 49696 ASDETUKhttpwwwheficedcomGB Bulgaria 27->129 45 dllhost.exe 27->45         started        131 s-part-0012.t-0009.t-msedge.net 13.107.246.40 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 32->131 133 ln-0007.ln-msedge.net 150.171.22.17 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 32->133 135 8 other IPs or domains 32->135 signatures10 process11 dnsIp12 97 C:\Users\user\AppData\...\Requirements.pif, PE32 40->97 dropped 49 Requirements.pif 5 40->49         started        53 extrac32.exe 17 40->53         started        55 tasklist.exe 1 40->55         started        59 3 other processes 40->59 137 time-a-g.nist.gov 129.6.15.28 US-NATIONAL-INSTITUTE-OF-STANDARDS-AND-TECHNOLOGYUS United States 45->137 139 129.250.35.250 NTT-COMMUNICATIONS-2914US United States 45->139 173 Early bird code injection technique detected 45->173 175 Tries to harvest and steal browser information (history, passwords, etc) 45->175 177 Maps a DLL or memory area into another process 45->177 57 chrome.exe 45->57         started        file13 signatures14 process15 file16 93 C:\Users\user\AppData\Local\...\HermesKey.bat, PE32 49->93 dropped 151 Switches to a custom stack to bypass stack traces 49->151 61 OpenWith.exe 49->61         started        65 cmd.exe 2 49->65         started        68 WerFault.exe 49->68         started        70 Conhost.exe 49->70         started        signatures17 process18 dnsIp19 141 nexus-cloud-360.com 61->141 143 185.141.216.120, 1888, 49694 GSWIFTTR Turkey 61->143 145 cloudflare-dns.com 104.16.248.249, 443, 49692, 49695 CLOUDFLARENETUS United States 61->145 179 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 61->179 181 Switches to a custom stack to bypass stack traces 61->181 72 dllhost.exe 61->72         started        95 C:\Users\user\AppData\...\HermesKey.url, MS 65->95 dropped 77 conhost.exe 65->77         started        file20 signatures21 process22 dnsIp23 121 nexus-cloud-360.com 72->121 123 ntp1.net.berkeley.edu 169.229.128.134 UCBUS United States 72->123 125 8 other IPs or domains 72->125 99 C:\Users\user\AppData\Local\...\RyxFh3PV.exe, PE32 72->99 dropped 101 C:\Users\user\AppData\Local\...\5Sy)]t.exe, PE32+ 72->101 dropped 165 System process connects to network (likely due to code injection or exploit) 72->165 167 Early bird code injection technique detected 72->167 169 Maps a DLL or memory area into another process 72->169 171 Queues an APC in another process (thread injection) 72->171 79 chrome.exe 72->79         started        82 msedge.exe 72->82         started        84 chrome.exe 72->84         started        file24 signatures25 process26 dnsIp27 147 192.168.2.7, 1888, 443, 49682 unknown unknown 79->147 86 chrome.exe 79->86         started        89 chrome.exe 79->89         started        91 msedge.exe 82->91         started        process28 dnsIp29 115 googlehosted.l.googleusercontent.com 142.250.80.97 GOOGLEUS United States 86->115 117 192.168.2.14 unknown unknown 86->117 119 clients2.googleusercontent.com 86->119
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/21a959472673f6a21bf84f59d0d724280ce7bc3e5c39165efd796c7e429fe2a1
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable)
Link:
https://app.malva.re/file/789a316022371eed5ae2b39525b84cc6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/21a959472673f6a21bf84f59d0d724280ce7bc3e5c39165efd796c7e429fe2a1/
Verdict:
Malicious
Threat:
Family.RHADAMANTHYS
Link:
https://tip.neiki.dev/file/21a959472673f6a21bf84f59d0d724280ce7bc3e5c39165efd796c7e429fe2a1
Threat name:
Win32.Spyware.Rhadamanthys
Create hunting rule
Status:
Suspicious
First seen:
2025-08-14 09:53:26 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
15 of 23 (65.22%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eguvsrzgop3keg7yj5m5bvzefagoppb6lq4rmxx5pfwh4qu74kqq._file
Verdict:
malicious
Label(s):
unc_loader_058
Create hunting rule
Similar samples:
0d9beb40b14a956556ef97cfa2ac410ec8c7509d35dbd2d050effc8c092e6de9
CoinMiner
27a03db1d81c43e4841b70ac590b3d7d6550b1a578f0edd99fbbf164a748390f
CoinMiner
2d04c13fd74da6be1a58c55a30a2b753656d6a1aa1b0c6d426fe861f37de47c3
CoinMiner
52f3ef0a1a09634bce792ea5eab5f7b5d87352b9eb39b6164b6a3071fbd4d887
CoinMiner
5374a2f7e32309d5024c3f57123c984c22b99090c9b46a777fc928d60048d43a
CoinMiner
97740aaf2ebfb2699aded110694ea7522c2c52cb6679d82f929d23d2626e11ef
CoinMiner
a32d41b6bf52471d9ba1a01b00648367cc76d126d06a9157dbe4d28a91222f5f
CoinMiner
c3b236af617c181af2fd23ffedbd6a62bf33b8978e17bc2f731686e938eb60d6
CoinMiner
error
CoinMiner
+ 1'294 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys discovery stealer
Link:
https://tria.ge/reports/250814-lxhqqasvdv/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Drops startup file
Executes dropped EXE
Loads dropped DLL
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/960d9a7c-17b9-49ff-be3e-95a5218c730e
Unpacked files
SH256 hash:
21a959472673f6a21bf84f59d0d724280ce7bc3e5c39165efd796c7e429fe2a1
MD5 hash:
789a316022371eed5ae2b39525b84cc6
SHA1 hash:
5536594474e478eaecb69010f4651b66ff372537
Link:
https://www.unpac.me/results/450c9d39-347e-4dd4-b8fd-96f8a49987d9/
SH256 hash:
bb4fb924885b8d6719cb88e7f231abcbb7c2a1c69be92a12ce7bb56bed9129e3
MD5 hash:
094ae615109634f48bede4a612e36fc8
SHA1 hash:
a8b8cbf4d8a7f368b3ae53090bab40a2793657eb
Link:
https://www.unpac.me/results/450c9d39-347e-4dd4-b8fd-96f8a49987d9/
SH256 hash:
8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af
MD5 hash:
08e9796ca20c5fc5076e3ac05fb5709a
SHA1 hash:
07971d52dcbaa1054060073571ced046347177f7
Link:
https://www.unpac.me/results/450c9d39-347e-4dd4-b8fd-96f8a49987d9/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/21a959472673/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/21a959472673f6a21bf84f59d0d724280ce7bc3e5c39165efd796c7e429fe2a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/21308/

Comments