MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 390541226b54f5365b3e9f0cc115cc050be5d269d8ad5973ef48871300c0babb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 16

Intelligence 16 IOCs YARA 1 File information Comments

SHA256 hash:	390541226b54f5365b3e9f0cc115cc050be5d269d8ad5973ef48871300c0babb
SHA3-384 hash:	b4492a36cfc3f2aa4bb24ad6d031b22785db45771b53c94b85ce64d2d6ca1fc2e3c8c5aaca07632aae8951b4a9fd2527
SHA1 hash:	0ab104ac65c3f304f2046ae7b5e2856323adc04b
MD5 hash:	47f3879f0e94a7165dae21e0438eac5f
humanhash:	oklahoma-venus-artist-west
File name:	SoftWare.exe
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	672'256 bytes
First seen:	2025-11-05 11:40:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	af83b26e354bd634b6a8028b65c0a61f (2 x Rhadamanthys, 1 x MaskGramStealer)
ssdeep	12288:T3I+xrVv8a4CqCHJ9Iu5C7kJ8ctS8QUiYemAxkoi2i3c5vCgj7F+KSJW1QVHNDei:0+9J83r2eOC7kJ8ctS/zi3c5vPjoa1ct
Threatray	1'779 similar samples on MalwareBazaar
TLSH	T1FFE423FDC546DA88E41ECBF2B504F5EF96EC903E03D04E47F19D8F6A2A294272934856
TrID	44.4% (.EXE) Win64 Executable (generic) (10522/11/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	burger
Tags:	exe Rhadamanthys

Intelligence

File Origin

# of uploads :

# of downloads :

121

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

SoftWare.exe

Verdict:

Malicious activity

Analysis date:

2025-11-05 11:39:09 UTC

Tags:

rhadamanthys stealer anti-evasion

Link:

https://app.any.run/tasks/28d66a28-2bb4-4e79-876e-755cc5446089

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/35475/

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=690b378fea0f3e915c231581

Tags:

emotet spawn virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Detecting VM

Connection attempt

Sending a custom TCP request

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

anti-debug hacktool masm packed

Link:

https://www.filescan.io/uploads/690b37c08c2ca1f1afb11bce/reports/47b4b08b-70ef-41af-96e8-873ca1460f24/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/390541226b54f5365b3e9f0cc115cc050be5d269d8ad5973ef48871300c0babb

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-11-05T08:49:00Z UTC

Last seen:

2025-11-05T11:29:00Z UTC

Hits:

~10

Detections:

Trojan.Win64.DonutInjector.sb Trojan.Win64.Donut.sb Trojan.Win32.Shellcode.sb MEM:Trojan.Win64.Shellcode.a Trojan.Win64.Donut.zky MEM:Trojan.Win64.Shellcode.gen MEM:Trojan.Win64.Cometer.gen HEUR:Trojan.Win64.Donut.a HEUR:Trojan.Multi.Donut.b

Link:

https://opentip.kaspersky.com/390541226b54f5365b3e9f0cc115cc050be5d269d8ad5973ef48871300c0babb/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/9c16e63d-ad04-4808-99d8-01c3456d3de1

Result

Threat name:

DonutLoader, RHADAMANTHYS

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1808500

Signature

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Creates a thread in another existing process (thread injection)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Query firmware table information (likely to detect VMs)

Writes to foreign memory regions

Yara detected DonutLoader

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/390541226b54f5365b3e9f0cc115cc050be5d269d8ad5973ef48871300c0babb

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/47f3879f0e94a7165dae21e0438eac5f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/390541226b54f5365b3e9f0cc115cc050be5d269d8ad5973ef48871300c0babb/

Verdict:

Malicious

Threat:

Family.RHADAMANTHYS

Link:

https://tip.neiki.dev/file/390541226b54f5365b3e9f0cc115cc050be5d269d8ad5973ef48871300c0babb

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2025-11-05 11:40:03 UTC

File Type:

PE+ (Exe)

AV detection:

18 of 23 (78.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hecucitlkt2tmwz6t4gmcfomauf6lutj3cwvs47pjcdrgagaxk5q._file

Verdict:

malicious

Label(s):

smokeloader

rhadamanthys

donutloader

Rhadamanthys

1bbc5fc74a79d5501df92af9d80a15542c9c9bd82f92f72b570622a89221070e

Rhadamanthys

38b3e72b281ef95654f393e99e4055f16e7e9f00024b0a5775b3c21a9420f9a3

Rhadamanthys

443e8b655b9243e40972074381ecd530f2055b6dc045551fafc333e5e9b3053e

Rhadamanthys

5454c752972ea61fa619b6b687597e86f54ed685b92f1e5beadf65791adbe130

Rhadamanthys

64778aa8864822b78ca0d0aa70258ae236f8ad0f43957a78d36f28f41e217205

Rhadamanthys

968adf76dcc8eea2eeaac8012f34e0c37e45e8a9efce6520d76881213c7b9b3d

Rhadamanthys

9a8057b07ef25912763b238cafed2941ac266e8b4edba123b77ab2785104d4fd

Rhadamanthys

a02ae43d5c1e4003a2400d0a9f91fe4bdad517685a5feadb675a81d4fc2df619

Rhadamanthys

error

Rhadamanthys

f4af98e2c55729364d527a69fd9befdb908210dc31a30405f8b864a9182e9f24

Rhadamanthys

+ 1'769 additional samples on MalwareBazaar

Result

Malware family:

donutloader

Score:

10/10

Tags:

family:donutloader loader

Link:

https://tria.ge/reports/251105-ns9dzsbq9x/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Detects DonutLoader

DonutLoader

Donutloader family

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/0a79c401-7fd2-4270-b2bf-0a57be2553c7

Unpacked files

SH256 hash:

390541226b54f5365b3e9f0cc115cc050be5d269d8ad5973ef48871300c0babb

MD5 hash:

47f3879f0e94a7165dae21e0438eac5f

SHA1 hash:

0ab104ac65c3f304f2046ae7b5e2856323adc04b

Link:

https://www.unpac.me/results/f23d783e-9cc0-4de3-acb5-b35c64fadbff/

Malware family:

Rhadamanthys

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/390541226b54/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/390541226b54f5365b3e9f0cc115cc050be5d269d8ad5973ef48871300c0babb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/35475/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample