MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 369524330c37beed5c946fd7d74e828565c43ffffbbba57c00253308e3d85e13. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 369524330c37beed5c946fd7d74e828565c43ffffbbba57c00253308e3d85e13
SHA3-384 hash: 152e55160012f1434027452e5f3c78fb1fb26702e0ecbd5b56312edd05844307a4d32e4272e25487fef562b21c1f8e7c
SHA1 hash: 380e759667e16a38529b1dedc6ebaffbc3b0eb6a
MD5 hash: ac2c38b07d4be2f6a3bc01c266098b89
humanhash: tennis-video-wisconsin-item
File name:Lumen.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:10'078'600 bytes
First seen:2025-07-21 18:28:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7d746b91e1e57b358f148ed3374f0079 (41 x Rhadamanthys)
ssdeep 196608:PUeBFkbDD0u8xZ444JujbbJg888jruxTnn6srJ3wmBO5FoIYbs:PbBubDQkkBg4re2mbU5R
TLSH T1BFA6338729DE80F5E9C02574860B6ADF33F597A24C508C18AFC56DCAED12F7670369B2
TrID 28.5% (.EXE) Win64 Executable (generic) (10522/11/4)
17.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
13.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.2% (.EXE) Win32 Executable (generic) (4504/4/1)
5.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter burger
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
24
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Lumen.exe
Verdict:
Malicious activity
Analysis date:
2025-07-21 18:28:06 UTC
Tags:
rhadamanthys shellcode
Link:
https://app.any.run/tasks/3300830d-9288-4c6c-9262-9625d6e5023b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/16156/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=687e86b32f623871a5f16789
Tags:
injection virus agent
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Verdict:
Malicious
Labled as:
Kelios.Generic
Link:
https://www.hybrid-analysis.com/sample/369524330c37beed5c946fd7d74e828565c43ffffbbba57c00253308e3d85e13
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/6c6629e0-e4f5-48e9-bf3d-bdc22bb3df76
Result
Threat name:
Coinhive, RHADAMANTHYS, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1741531
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious PE digital signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Changes security center settings (notifications, updates, antivirus, firewall)
Checks if the current machine is a virtual machine (disk enumeration)
Deletes itself after installation
Detected Stratum mining protocol
Disable Windows Defender notifications (registry)
Downloads suspicious files via Chrome
Early bird code injection technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Coinhive miner
Yara detected RHADAMANTHYS Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1741531 Sample: Lumen.exe Startdate: 21/07/2025 Architecture: WINDOWS Score: 100 114 twc.trafficmanager.net 2->114 116 ts1.aco.net 2->116 118 9 other IPs or domains 2->118 164 Suricata IDS alerts for network traffic 2->164 166 Antivirus / Scanner detection for submitted sample 2->166 168 Multi AV Scanner detection for submitted file 2->168 170 10 other signatures 2->170 12 Lumen.exe 2->12         started        15 msedge.exe 2->15         started        19 svchost.exe 2->19         started        21 11 other processes 2->21 signatures3 process4 dnsIp5 188 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 12->188 190 Switches to a custom stack to bypass stack traces 12->190 23 OpenWith.exe 12->23         started        146 192.168.2.9, 4233, 443, 49672 unknown unknown 15->146 148 239.255.255.250 unknown Reserved 15->148 100 C:\Users\user\AppData\...\adblock_snippet.js, ASCII 15->100 dropped 102 C:\Users\user\AppData\Local\Temp\...\Part-FR, data 15->102 dropped 104 C:\Users\user\AppData\Local\Temp\...\Part-RU, DOS 15->104 dropped 27 msedge.exe 15->27         started        29 msedge.exe 15->29         started        31 msedge.exe 15->31         started        33 msedge.exe 15->33         started        192 Changes security center settings (notifications, updates, antivirus, firewall) 19->192 35 MpCmdRun.exe 19->35         started        150 127.0.0.1 unknown unknown 21->150 37 conhost.exe 21->37         started        39 schtasks.exe 21->39         started        file6 signatures7 process8 dnsIp9 128 185.232.204.203, 49698, 8181 SOLTIAES Spain 23->128 130 cloudflare-dns.com 104.16.249.249, 443, 49697 CLOUDFLARENETUS United States 23->130 132 vault-360-nexus.com 23->132 172 Query firmware table information (likely to detect VMs) 23->172 174 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 23->174 176 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 23->176 178 4 other signatures 23->178 41 OpenWith.exe 8 23->41         started        134 s-part-0012.t-0009.t-msedge.net 13.107.246.40, 443, 49715, 49720 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 27->134 136 ax-0002.ax-msedge.net 150.171.27.11, 443, 49717, 49719 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 27->136 138 8 other IPs or domains 27->138 46 conhost.exe 35->46         started        signatures10 process11 dnsIp12 140 time-a-g.nist.gov 129.6.15.28 US-NATIONAL-INSTITUTE-OF-STANDARDS-AND-TECHNOLOGYUS United States 41->140 142 ntp1.net.berkeley.edu 169.229.128.134 UCBUS United States 41->142 144 7 other IPs or domains 41->144 110 C:\Users\user\AppData\Local\...\Q82h.exe, PE32+ 41->110 dropped 112 C:\Users\user\AppData\Local\...\HWBnv.exe, PE32 41->112 dropped 180 Early bird code injection technique detected 41->180 182 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 41->182 184 Tries to steal Mail credentials (via file / registry access) 41->184 186 7 other signatures 41->186 48 Q82h.exe 41->48         started        52 wmlaunch.exe 41->52         started        54 HWBnv.exe 41->54         started        58 3 other processes 41->58 56 Conhost.exe 46->56         started        file13 signatures14 process15 file16 106 C:\ProgramData\Microsoft\...\WmiPrvSE.exe, PE32+ 48->106 dropped 152 Query firmware table information (likely to detect VMs) 48->152 154 Modifies windows update settings 48->154 156 Adds a directory exclusion to Windows Defender 48->156 162 2 other signatures 48->162 60 powershell.exe 48->60         started        63 cmd.exe 48->63         started        65 sc.exe 48->65         started        76 2 other processes 48->76 158 Writes to foreign memory regions 52->158 160 Allocates memory in foreign processes 52->160 67 dllhost.exe 52->67         started        108 C:\Users\user\AppData\...\UserOOBEBroker.exe, PE32 54->108 dropped 70 cmd.exe 54->70         started        72 cmd.exe 54->72         started        74 chrome.exe 58->74         started        78 2 other processes 58->78 signatures17 process18 dnsIp19 194 Loading BitLocker PowerShell Module 60->194 94 2 other processes 60->94 80 net.exe 63->80         started        82 conhost.exe 63->82         started        84 conhost.exe 65->84         started        120 213.209.150.143, 4233, 49731 KEMINETAL Germany 67->120 196 Uses schtasks.exe or at.exe to add and modify task schedules 70->196 86 conhost.exe 70->86         started        88 schtasks.exe 70->88         started        90 conhost.exe 72->90         started        92 timeout.exe 72->92         started        122 142.250.65.193, 443, 49710 GOOGLEUS United States 74->122 124 googlehosted.l.googleusercontent.com 74->124 126 clients2.googleusercontent.com 74->126 96 2 other processes 76->96 signatures20 process21 process22 98 net1.exe 80->98         started       
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/369524330c37beed5c946fd7d74e828565c43ffffbbba57c00253308e3d85e13
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/ac2c38b07d4be2f6a3bc01c266098b89
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/369524330c37beed5c946fd7d74e828565c43ffffbbba57c00253308e3d85e13/
Verdict:
Malicious
Threat:
Trojan.Win32.Rhadamanthys
Link:
https://tip.neiki.dev/file/369524330c37beed5c946fd7d74e828565c43ffffbbba57c00253308e3d85e13
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-07-19 20:27:12 UTC
File Type:
PE (Exe)
AV detection:
20 of 24 (83.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g2ksimymg67o2xeun7l5otucqvs4ip777o52k7aaeuzqry6ylyjq._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
error
Rhadamanthys
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys discovery stealer
Link:
https://tria.ge/reports/250721-w4jayaam7y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Deletes itself
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8b7842ab-44ea-48b4-9c1c-4009a537547a
Unpacked files
SH256 hash:
369524330c37beed5c946fd7d74e828565c43ffffbbba57c00253308e3d85e13
MD5 hash:
ac2c38b07d4be2f6a3bc01c266098b89
SHA1 hash:
380e759667e16a38529b1dedc6ebaffbc3b0eb6a
Link:
https://www.unpac.me/results/36453771-a13c-47a6-be51-3793c81d6540/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/369524330c37beed5c946fd7d74e828565c43ffffbbba57c00253308e3d85e13

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/16156/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA

Comments