MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 395a47899328b3f7f26465aa459d9f37ad99f787b531a32793238b490d607a66. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 14

Intelligence 14 IOCs YARA 4 File information Comments

SHA256 hash:	395a47899328b3f7f26465aa459d9f37ad99f787b531a32793238b490d607a66
SHA3-384 hash:	d4bcaac891fcf95cd4324e1b6cd4605a714bca559f0de013b127cf619f17f49d7184807ad330760fa8d0167d220ac1e7
SHA1 hash:	b5b9f0a524715a17315ebdc809041d283150b75d
MD5 hash:	26648398791732988692d0b432284006
humanhash:	gee-cold-fillet-alaska
File name:	setup_patched.exe
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	2'534'400 bytes
First seen:	2025-09-17 18:41:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	15ad7db86b6051e69aa3c16e5539c4a5 (1 x LummaStealer, 1 x Rhadamanthys)
ssdeep	24576:24YP/trYCtEewSD44u3xTKpQKO1MbutCaHDLTAunKiCuL4K2PZn0d1FZO8tYWUiM:GtrYgEeuSO1MbutHbAunHyK2o1+X1
TLSH	T1B7C58CE37202C372D98E8CB14D4CD6B5556D9C247B7E01D7A3D8BB1B6A740C2363AA4B
TrID	40.3% (.EXE) Win64 Executable (generic) (10522/11/4) 19.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 17.2% (.EXE) Win32 Executable (generic) (4504/4/1) 7.7% (.EXE) OS/2 Executable (generic) (2029/13) 7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	aachum
Tags:	45-153-34-241 de-pumped exe Rhadamanthys

iamaachum

https://cdxtsd.cfd/?file=PJ8Vor0zvxnG9ShWZsMDi3HcmAOfwIbR&lOknHDVmWj3zM=8wXnev4UifSt9JpBgYLEsr3QyaRICA72hGx5z0ZkbVcHMqj => https://mega.nz/file/XIFyjIZZ#CPPDzUO_m_LpSqDk7oow1lxeS0UCVpRJ69-lylkUWYU

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

setup_patched.exe

Verdict:

Malicious activity

Analysis date:

2025-09-17 18:52:01 UTC

Tags:

anti-evasion lumma rhadamanthys stealer

Link:

https://app.any.run/tasks/ce1022aa-c6d7-4a97-a1f5-5b260b70651a

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/27994/

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68cb00f988b9544392476150

Tags:

spawn

Result

Verdict:

Clean

Maliciousness:

Behaviour

Adding an access-denied ACE

Creating a window

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Sending a custom TCP request

Connection attempt

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

adaptive-context anti-debug fingerprint microsoft_visual_cc obfuscated packed packed packer_detected

Link:

https://www.filescan.io/uploads/68cb00fb73287948292db9cd/reports/4fbd4f9c-5cf7-4d41-898e-2a553ac7de7a/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/395a47899328b3f7f26465aa459d9f37ad99f787b531a32793238b490d607a66

Verdict:

Unknown

File Type:

exe x32

Link:

https://opentip.kaspersky.com/395a47899328b3f7f26465aa459d9f37ad99f787b531a32793238b490d607a66/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/08b41ae3-066f-42ed-8db6-8591ad4dad89

Result

Threat name:

RHADAMANTHYS

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/1779528

Signature

C2 URLs / IPs found in malware configuration

Found malware configuration

Hides threads from debuggers

Multi AV Scanner detection for submitted file

Switches to a custom stack to bypass stack traces

Uses Windows timers to delay execution

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

95%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/395a47899328b3f7f26465aa459d9f37ad99f787b531a32793238b490d607a66

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/26648398791732988692d0b432284006

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/395a47899328b3f7f26465aa459d9f37ad99f787b531a32793238b490d607a66/

Threat name:

Win32.Spyware.Rhadamanthys

Status:

Suspicious

First seen:

2025-09-17 18:42:43 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

17 of 38 (44.74%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=hfnepcmtfcz7p4temwvelhm7g6wzt54hwuy2gj4teofusdlapjta._file

Verdict:

malicious

Label(s):

unc_loader_053

Similar samples:

error

Rhadamanthys

Result

Malware family:

rhadamanthys

Score:

10/10

Tags:

family:rhadamanthys discovery stealer

Link:

https://tria.ge/reports/250917-xb62zavsat/

Behaviour

Suspicious behavior: EnumeratesProcesses

System Location Discovery: System Language Discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Detects Rhadamanthys Payload

Rhadamanthys

Rhadamanthys family

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/35f7668d-4355-45e7-b447-bffa6a166939

Unpacked files

SH256 hash:

395a47899328b3f7f26465aa459d9f37ad99f787b531a32793238b490d607a66

MD5 hash:

26648398791732988692d0b432284006

SHA1 hash:

b5b9f0a524715a17315ebdc809041d283150b75d

Link:

https://www.unpac.me/results/d36b5501-c864-4671-85b4-39db856ba195/

Malware family:

Rhadamanthys

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/395a47899328/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/395a47899328b3f7f26465aa459d9f37ad99f787b531a32793238b490d607a66

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

zip ff9174d298c23b46a6ff83518c37ee658fc5c65b8e4581685418f210e21c7e09

Rhadamanthys

exe 395a47899328b3f7f26465aa459d9f37ad99f787b531a32793238b490d607a66

(this sample)

Link

https://tria.ge/250917-wqklvaaq21/behavioral2

Dropped by

SHA256 ff9174d298c23b46a6ff83518c37ee658fc5c65b8e4581685418f210e21c7e09

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/27994/

Dropped by

MD5 462447a5a96c5abab5b27fbd8a90097f

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample