MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2dcabddda8de95176f5f8d629dc082a5c48f3f23e6f499da1cbaa1038828036e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Rhadamanthys


Vendor detections: 16



SHA256 hash: 2dcabddda8de95176f5f8d629dc082a5c48f3f23e6f499da1cbaa1038828036e
SHA3-384 hash: 182491716a914c857a7ee52c781ca421a2af87cee56fbf62ebd8792e6c13e31dcc6026a9bd4dc0b1084f7dd2d90169d5
SHA1 hash: 947c6639d1685012ecd56e14d16a30c3e5ae43cf
MD5 hash: b8d508cb0734071c230f5f33ecd8cc9e
humanhash: kitten-orange-apart-sixteen
File name: mal1.exe
Signature Rhadamanthys
File size: 7'303'944 bytes
First seen: 2025-06-05 21:08:35 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 2b1d5ed9bb93a9d18555997c53aaea96 (1 x Rhadamanthys)
ssdeep 98304:uMPOpzjawzx5ikvuhqRyHl094LOlGhSR7gowhG1tFK4AM:rmpvaK5/uEo0iOQunwYAM
Threatray 16 similar samples on MalwareBazaar
TLSH T1E576E02079938B76F9C21DB913DFB2BC019D9D02F7E039DB5024B1E69236AD62933167
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 334dcccc31e04d23 (1 x Rhadamanthys)
Reporter GDHJDSYDH1
Tags: Donut donutloader exe infostealer lumma Rhadamanthys stealer

Intelligence


File Origin
# of uploads:
1
# of downloads:
455
Origin country:
US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
mal1.exe
Verdict:
Malicious activity
Analysis date:
2025-06-05 21:04:52 UTC
Tags:
purecrypter netreactor cve-2017-0199 exploit loader emmenhtal autoit delphi stealer websocket rhadamanthys shellcode

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Tags:
emotet spawn virus shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
DNS request
Connection attempt
Creating synchronization primitives
Sending a custom TCP request
Sending an HTTP GET request
Using the Windows Management Instrumentation requests
Creating a process with a hidden window
Downloading the file
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm anti-vm anti-vm base64 crypto fingerprint fingerprint installer invalid-signature lolbin microsoft_visual_cc overlay overlay packed packed packer_detected rat remote signed
Result
Threat name:
RHADAMANTHYS
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Creates HTA files
Drops PE files with a suspicious file extension
Early bird code injection technique detected
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Search for Antivirus process
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph ID: 1707662 (Sample: mal1.exe, Startdate: 05/06/2025, Architecture: WINDOWS, Score: 100)
Threat name:
Win32.Spyware.AsyncRAT
Status:
Malicious
First seen:
2025-06-04 21:41:23 UTC
File Type:
PE (Exe)
Extracted files:
27
AV detection:
20 of 38 (52.63%)
Threat level:
  2/5
Result
Malware family:
donutloader
Score:
  10/10
Tags:
family:donutloader discovery execution loader
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Checks computer location settings
Blocklisted process makes network request
Detects DonutLoader
DonutLoader
Donutloader family
Malware Config
Dropper Extraction:
https://shopliokre.com/api/getFile?fn=New.hta
https://shopliokre.com/api/getFile/New.hta/jX5xu7Bfc.mp3
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
SHA256 hash:
2dcabddda8de95176f5f8d629dc082a5c48f3f23e6f499da1cbaa1038828036e
MD5 hash:
b8d508cb0734071c230f5f33ecd8cc9e
SHA1 hash:
947c6639d1685012ecd56e14d16a30c3e5ae43cf
SHA256 hash:
a660bfc147ba2cee6b294a34a1419d3b708d0804c0394faa401812a9b7e79e97
MD5 hash:
2339378421c6b44b9eb76d13b118c6ab
SHA1 hash:
5f7a5c1fe16ab6e3f3a73a9f7d74669deb403643
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
SHA256 hash:
159cd575b4e7a0116ff7aa4ae43d03ae61443bba1e5e6852d7d5d7f407ea2634
MD5 hash:
bb996ea3d673a0ae90c52f362b3e653a
SHA1 hash:
7d16d4e8b88c48f628e3dfb3cb826b8bcd2181f6
Detections:
SUSP_OBF_NET_Reactor_Indicators_Jan24
Malware family:
DonutLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset
Rule name: pe_detect_tls_callbacks
Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Rhadamanthys
Executable exe 2dcabddda8de95176f5f8d629dc082a5c48f3f23e6f499da1cbaa1038828036e (this sample)
Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                          Title                                                    Severity
CHECK_AUTHENTICODE          Missing Authenticode                                     high
CHECK_DLL_CHARACTERISTICS   Missing dll Security Characteristics (HIGH_ENTROPY_VA)   high

Reviews (ID, Capabilities, Evidence)
AUTH_API (Manipulates User Authorization):
  ADVAPI32.dll::ImpersonateNamedPipeClient
  ADVAPI32.dll::RevertToSelf
WIN32_PROCESS_API (Can Create Process and Threads):
  KERNEL32.dll::CreateProcessW
  KERNEL32.dll::OpenProcess
  KERNEL32.dll::SetProcessShutdownParameters
  KERNEL32.dll::VirtualAllocEx
  KERNEL32.dll::WriteProcessMemory
  WINHTTP.dll::WinHttpCloseHandle
  KERNEL32.dll::CloseHandle
WIN_BASE_API (Uses Win Base API):
  KERNEL32.dll::TerminateProcess
  KERNEL32.dll::LoadLibraryW
  KERNEL32.dll::LoadLibraryExW
  KERNEL32.dll::GetDriveTypeW
  KERNEL32.dll::GetSystemInfo
  KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_API (Can Execute other programs):
  KERNEL32.dll::WriteConsoleW
  KERNEL32.dll::ReadConsoleW
  KERNEL32.dll::SetConsoleCtrlHandler
  KERNEL32.dll::SetStdHandle
  KERNEL32.dll::GetConsoleMode
  KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_API (Can Create Files):
  KERNEL32.dll::CreateDirectoryW
  KERNEL32.dll::CreateFileW
  KERNEL32.dll::DeleteFileW
  KERNEL32.dll::GetFileAttributesW
  VERSION.dll::GetFileVersionInfoSizeW
  VERSION.dll::GetFileVersionInfoW
WIN_HTTP_API (Uses HTTP services):
  WINHTTP.dll::WinHttpAddRequestHeaders
  WINHTTP.dll::WinHttpConnect
  WINHTTP.dll::WinHttpCrackUrl
  WINHTTP.dll::WinHttpOpen
  WINHTTP.dll::WinHttpOpenRequest
  WINHTTP.dll::WinHttpQueryHeaders
WIN_USER_API (Performs GUI Actions):
  USER32.dll::CreateWindowExW
