MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34c1fa75e41c74e2cc1887fce11add7e9bee9147bc9767ffe71b6806a4cee9c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 34c1fa75e41c74e2cc1887fce11add7e9bee9147bc9767ffe71b6806a4cee9c3
SHA3-384 hash: ac11c5d01938cb18a5993c74f570feb62662f8a297719edb9b75ff5de98b5c908bb580795403b4cc9b63f0c9f3c5d743
SHA1 hash: 566285115eaebdcd9a13ab4ec940c56cc67b1ad9
MD5 hash: 31bd558cfe99f34037f2c03260b7eafc
humanhash: berlin-winter-bacon-spring
File name:Setup.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:99'634'001 bytes
First seen:2025-05-23 15:31:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bf95d1fc1d10de18b32654b123ad5e1f (327 x LummaStealer, 65 x Rhadamanthys, 25 x Vidar)
ssdeep 24576:L0a2qHUUXgnFAHEm/URQ9iUiUG3zDwpFXPjgctlMKFpN7ssOeBgBO4A2ilfv4xKB:LnXgFLRRQSUXLgylMKlQsLBgBZARt2W
Threatray 193 similar samples on MalwareBazaar
TLSH T1BA282BD2B71E3936600DA16FBD46FBEB216F9D8DE200B3F00796620D15E985705B6B23
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 0000125166720800 (2 x Rhadamanthys)
Reporter aachum
Tags:195-10-205-78 AutoIT CypherIT exe Rhadamanthys


Avatar
iamaachum
https://mega.mywikifiles.org/ => https://mega.nz/file/0QwE1KyC#R81vz-rhpxmJI5tH-vKxC0di4dJNWNLOtR6xWWB68xA

Intelligence

File Origin
# of uploads :
1
# of downloads :
693
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2025-05-23 16:57:11 UTC
Tags:
autoit autoit-loader stealer rhadamanthys shellcode
Link:
https://app.any.run/tasks/a7732ea3-59d3-4f34-a8bc-b665aade25c6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=683096364912a6b9dd4c76bf
Tags:
infosteal shell spawn sage
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Creating a window
Creating a file in the %temp% directory
Сreating synchronization primitives
Running batch commands
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a file
Creating a process from a recently created file
DNS request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
blackhole expired-cert installer invalid-signature microsoft_visual_cc overlay overlay signed
Link:
https://www.filescan.io/uploads/683094ecfd02ed5e0584d874/reports/2350791b-c4ae-401d-8716-7f7ee45823bc/overview
Verdict:
Malicious
Labled as:
Infostealer/LummaC2
Link:
https://www.hybrid-analysis.com/sample/34c1fa75e41c74e2cc1887fce11add7e9bee9147bc9767ffe71b6806a4cee9c3
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad.spyw
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1698005
Signature
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses threadpools to delay analysis
Behaviour
Behavior Graph:
Download SVG
Score:
91%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/34c1fa75e41c74e2cc1887fce11add7e9bee9147bc9767ffe71b6806a4cee9c3
Gathering data
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-05-23 15:32:31 UTC
File Type:
PE (Exe)
Extracted files:
22
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gta7u5pedr2oftayq76ocgw5p2n65ekhxslwp77hdnuanjgo5hbq._file
Verdict:
suspicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
284ccf8fa7c86c6e59fb379c82c757a01b170b210f6751e4955c4e20a5f5d7df
Rhadamanthys
2fb96fa088b089d0d538056ac1318fb6ca4b8d80ab03425a69d86342ed767c36
Rhadamanthys
509db618a8673332107f51db4854b7010cb693cc317d93340f356a345c7489c4
Rhadamanthys
59fceee2146f2f1b85c5b9f902ffb5600c367fbbee1d5fdc29ac33cf1f3cdb98
Rhadamanthys
63c1511bdd68d12623147ed555454d75c15e437e5897417d7c2974eac2887777
Rhadamanthys
7f6714fc106cd8ad6827095c66ff508fb7d42c6735b98a9a00ad21baba6f68a1
Rhadamanthys
9026f82e4dfd6d712a5f0e999f223661c8cbae082938aa1df0fca886466f72d8
Rhadamanthys
9d153a59f7a0c6d457f71d0643fef5e3c60984c2da3564e9236fe6df834f1b60
Rhadamanthys
b58ea28950ba3c0b5b67cf3b62a60c4ba8a2ada384540ccd0d90c5d9a77ec230
Rhadamanthys
error
Rhadamanthys
+ 183 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/250523-syvj8sxmx7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Checks computer location settings
Deletes itself
Executes dropped EXE
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9a11a4c3-106f-4ca1-83ec-52c086bf2b74
Malware family:
CypherIt
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/34c1fa75e41c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.84
Link:
https://yomi.yoroi.company/submissions/34c1fa75e41c74e2cc1887fce11add7e9bee9147bc9767ffe71b6806a4cee9c3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe 34c1fa75e41c74e2cc1887fce11add7e9bee9147bc9767ffe71b6806a4cee9c3

(this sample)

  
Link
https://tria.ge/250523-sgnqcsxls8/behavioral2
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::OpenProcess
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::GetWindowsDirectoryW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments