MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2511da4435dd0f90bd83e07baa7c1c05298c099f97862c9645a4bce288583910. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Rhadamanthys


Vendor detections: 14



SHA256 hash: 2511da4435dd0f90bd83e07baa7c1c05298c099f97862c9645a4bce288583910
SHA3-384 hash: cc10cb5e65cc4fe0163c6d77f1956625f5cc74aa39ddda56a0f831b66ea9c61f158b6f3fd5c88986a2ae5ca0743451d0
SHA1 hash: f5761df25aec830b71b8ebffe4482124b4cd96b4
MD5 hash: 52b676eb49f2b85bec78bd779a9d27fd
humanhash: texas-jig-neptune-fish
File name: En_x86-Setup.exe
Signature: Rhadamanthys
File size: 94'371'867 bytes
First seen: 2025-08-22 16:14:01 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: c32ba42c73a2bc24d2788f7750d87edb (45 x LummaStealer, 37 x Rhadamanthys, 3 x Vidar)
ssdeep: 49152:34s2mkKXINCuiLWeYrdJoDSfVZhvH6qLRjLatG:3KmD5LWe8bnfFvH6qJZ
Threatray: 334 similar samples on MalwareBazaar
TLSH: T1962812960312F4E6D947966E4026FD13E1B30020F36E79C5C7CDA2F1CB961B62A257EE
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: 0001070c5cf50000 (1 x Rhadamanthys)
Reporter: aachum
Tags: 217-156-122-93 AutoIT CypherIT exe Rhadamanthys


iamaachum
https://kto4r290425y08.cfd/mnllcontent-f5f54eaf444c0c33702ad282d0329393/dlc_68a88abf3be60/?s=294&pg=0&q=Download => https://mega.nz/file/NcJyQQ4J#6tFLzsYk9OqngePtFoNzbdWhmC8ExP11pDq8iPycRtI

Intelligence


File Origin
# of uploads: 1
# of downloads: 152
Origin country: ES
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: En_x86-Setup.exe
Verdict: Malicious activity
Analysis date: 2025-08-22 16:35:31 UTC
Tags: lumma stealer autoit

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 97.4%
Tags: autoit emotet cobalt
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Searching for the window
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a process from a recently created file
DNS request
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug blackhole installer microsoft_visual_cc overlay overlay redcap
Verdict: Malicious
File Type: exe x32
First seen: 2025-08-22T14:04:00Z UTC
Last seen: 2025-08-22T14:04:00Z UTC
Hits: ~10
Result
Threat name: RHADAMANTHYS
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Detected CypherIt Packer
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Search for Antivirus process
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph (ID: 1763115; sample: En_x86-Setup.exe; start date: 22/08/2025; architecture: WINDOWS; score: 100), flattened from the graph image:
En_x86-Setup.exe (started): DNS lookup for sSkgCMMMsOLUdwby.sSkgCMMMsOLUdwby; signatures: Found malware configuration, Multi AV Scanner detection for submitted file, Yara detected RHADAMANTHYS Stealer, 2 other signatures; dropped file: C:\Users\user\AppData\Local\...\nsExec.dll (PE32); starts cmd.exe
cmd.exe (started by En_x86-Setup.exe): signatures: Detected CypherIt Packer, Drops PE files with a suspicious file extension; starts cmd.exe and conhost.exe
cmd.exe (second instance): dropped file: C:\Users\user\AppData\Local\...\Juvenile.pif (PE32); starts Juvenile.pif, extrac32.exe, tasklist.exe and 2 other processes
Juvenile.pif: network: 217.156.122.93, 443, 49724, 49725 (RCS-RDS73-75DrStaicoviciRO, Romania); signatures: Query firmware table information (likely to detect VMs), Checks if the current machine is a virtual machine (disk enumeration), Switches to a custom stack to bypass stack traces, 2 other signatures
Threat name: Win32.Adware.RedCap
Status: Malicious
First seen: 2025-08-22 16:21:07 UTC
File Type: PE (Exe)
Extracted files: 20
AV detection: 10 of 24 (41.67%)
Threat level: 1/5
Result
Malware family: rhadamanthys
Score: 10/10
Tags: family:rhadamanthys discovery stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Deletes itself
Executes dropped EXE
Loads dropped DLL
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Malware family: Rhadamanthys
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: Rhadamanthys, Executable exe, 2511da4435dd0f90bd83e07baa7c1c05298c099f97862c9645a4bce288583910 (this sample)
Delivery method: Distributed via web download

Comments