MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3539154e9b4c09643b1338b3e0be9ff25afb75a4a1ffc7cf2f052519cc86e3c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3539154e9b4c09643b1338b3e0be9ff25afb75a4a1ffc7cf2f052519cc86e3c6
SHA3-384 hash: a622863c291e85688c612072be2c5d88b796b8adf8d97b06231d75ca10f40fdd55e7b677c48b9cfb8981525308dee3e0
SHA1 hash: 46d43b83780fe6d936f863ba6b31b8b1c5932eaa
MD5 hash: d0a5867e1a9aebdcb07f6b2317da1b0b
humanhash: victor-mockingbird-chicken-lima
File name:d0a5867e1a9aebdcb07f6b2317da1b0b.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:477'696 bytes
First seen:2025-05-24 15:36:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 930f92585b082a0348eb838417b0a355 (4 x Rhadamanthys)
ssdeep 12288:Nq7LENhlFv/thmNaULLr0BS36g0dxtR+8mMD+e:Ng8lFvlhOzXrwS36g0d3rmM
Threatray 94 similar samples on MalwareBazaar
TLSH T148A49C0E55B80C37C1AD9AFB09B55380411BB4E09082483FE7D9DDABEA1E6935BE075F
TrID 32.2% (.EXE) Win64 Executable (generic) (10522/11/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon 30f0c8e0c6c4ccf0 (10 x Rhadamanthys)
Reporter abuse_ch
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
470
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
random.1.exe
Verdict:
Malicious activity
Analysis date:
2025-05-24 00:19:57 UTC
Tags:
loader amadey auto-sch botnet stealer lumma auto-reg rdp auto gcleaner telegram generic python arch-doc uac
Link:
https://app.any.run/tasks/979c663e-bd98-4c54-b8df-8d7856528ad4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.16723.28526.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6831e96644c3881e854cd78b
Tags:
virus
Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Creating a window
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
adaptive-context microsoft_visual_cc
Link:
https://www.filescan.io/uploads/6831e7b7171e01f9592c4666/reports/535b5882-04a1-4a5f-8202-9a8178ea03c3/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/3539154e9b4c09643b1338b3e0be9ff25afb75a4a1ffc7cf2f052519cc86e3c6
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/b5b847d6-32ba-460f-ad60-af46a25c44e3
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1698490
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Early bird code injection technique detected
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Potentially Suspicious Malware Callback Communication
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1698490 Sample: 8fVtSAaWtr.exe Startdate: 24/05/2025 Architecture: WINDOWS Score: 100 49 x.ns.gin.ntt.net 2->49 51 ts1.aco.net 2->51 53 6 other IPs or domains 2->53 79 Multi AV Scanner detection for submitted file 2->79 81 .NET source code contains potential unpacker 2->81 83 Found many strings related to Crypto-Wallets (likely being stolen) 2->83 85 2 other signatures 2->85 9 8fVtSAaWtr.exe 2->9         started        13 msedge.exe 97 360 2->13         started        15 elevation_service.exe 2->15         started        17 3 other processes 2->17 signatures3 process4 dnsIp5 67 45.153.34.143, 4433, 49694, 49729 SKYLINKNL Germany 9->67 95 Switches to a custom stack to bypass stack traces 9->95 97 Found direct / indirect Syscall (likely to bypass EDR) 9->97 19 OpenWith.exe 6 9->19         started        69 192.168.2.5, 123, 138, 443 unknown unknown 13->69 71 239.255.255.250 unknown Reserved 13->71 23 msedge.exe 13->23         started        25 msedge.exe 13->25         started        27 msedge.exe 13->27         started        29 msedge.exe 13->29         started        signatures6 process7 dnsIp8 55 time-a-g.nist.gov 129.6.15.28, 123, 64778 US-NATIONAL-INSTITUTE-OF-STANDARDS-AND-TECHNOLOGYUS United States 19->55 57 x.ns.gin.ntt.net 129.250.35.250, 123, 64778 NTT-COMMUNICATIONS-2914US United States 19->57 63 5 other IPs or domains 19->63 87 Early bird code injection technique detected 19->87 89 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->89 91 Tries to steal Mail credentials (via file / registry access) 19->91 93 7 other signatures 19->93 31 wmlaunch.exe 19->31         started        34 chrome.exe 1 19->34         started        36 msedge.exe 14 19->36         started        38 2 other processes 19->38 59 s-part-0041.t-0009.t-msedge.net 13.107.246.69, 443, 49718, 49719 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 23->59 61 ax-0002.ax-msedge.net 150.171.27.11, 443, 49711, 49717 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 23->61 65 7 other IPs or domains 23->65 signatures9 process10 signatures11 99 Writes to foreign memory regions 31->99 101 Allocates memory in foreign processes 31->101 40 dllhost.exe 31->40         started        103 Found many strings related to Crypto-Wallets (likely being stolen) 34->103 42 chrome.exe 34->42         started        45 chrome.exe 34->45         started        47 msedge.exe 36->47         started        process12 dnsIp13 73 googlehosted.l.googleusercontent.com 142.250.101.132, 443, 49706, 49715 GOOGLEUS United States 42->73 75 127.0.0.1 unknown unknown 42->75 77 clients2.googleusercontent.com 42->77
Score:
62%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/3539154e9b4c09643b1338b3e0be9ff25afb75a4a1ffc7cf2f052519cc86e3c6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3539154e9b4c09643b1338b3e0be9ff25afb75a4a1ffc7cf2f052519cc86e3c6/
Threat name:
Win32.Trojan.Amadey
Create hunting rule
Status:
Malicious
First seen:
2025-05-23 21:36:32 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gu4rktu3jqewioythcz6bpu76jnpw5neuh74ptzpausrtteg4pda._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
19046933e161b5826c63e8c2c5d13da9329bb5cc9c75aa35ead1458b27e5634c
Rhadamanthys
29f0356686962f1d53d0a110164e2d236fe69e339a3569d5a7de325c1a9ee3ae
Rhadamanthys
34c1fa75e41c74e2cc1887fce11add7e9bee9147bc9767ffe71b6806a4cee9c3
Rhadamanthys
3539154e9b4c09643b1338b3e0be9ff25afb75a4a1ffc7cf2f052519cc86e3c6
Rhadamanthys
642aeebc65589ee43e09e3d4066e9519151031c43a7daa8dd6f4823fc804d27c
Rhadamanthys
695c1e932845d3dcd8b62efb8486ab44b7ff4d8336238ad08d4929e647c5f5e7
Rhadamanthys
8075b591e0b865d92c70ea86a8257fd1dac5d55e5de23b0a42ee96665e8f4f9f
Rhadamanthys
afeec998101aab2324b287fa615009ba6fb819999c07e41cc8bdbbe0339b2a76
Rhadamanthys
e4b72ede86422c14033614daff35a37789e14193ec31a07284d27a64bcb56269
Rhadamanthys
error
Rhadamanthys
f4d532afb6a34107dde801319d45be7f70a488ccf38590306f8af400f427a48d
Rhadamanthys
+ 84 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
discovery
Link:
https://tria.ge/reports/250524-s2ryhsfr8y/
Behaviour
System Location Discovery: System Language Discovery
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4f3e7ebb-4b5e-4e6e-801f-237f1b9c55b1
Unpacked files
SH256 hash:
3539154e9b4c09643b1338b3e0be9ff25afb75a4a1ffc7cf2f052519cc86e3c6
MD5 hash:
d0a5867e1a9aebdcb07f6b2317da1b0b
SHA1 hash:
46d43b83780fe6d936f863ba6b31b8b1c5932eaa
Link:
https://www.unpac.me/results/372bc967-f403-44eb-a7f4-b730f66dab11/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/3539154e9b4c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3539154e9b4c09643b1338b3e0be9ff25afb75a4a1ffc7cf2f052519cc86e3c6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileMappingW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExW

Comments