MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3beab211624f4b26df274a68cdfb3d4dd7f637ff86f8bde9b1d6532d230e5bf9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3beab211624f4b26df274a68cdfb3d4dd7f637ff86f8bde9b1d6532d230e5bf9
SHA3-384 hash: b7faf5cacf622b0e21b946b5c1a3768c895805c185552660e419fc7a8416245d995da00e37c0abe7c99bc165ba8f9f0f
SHA1 hash: 35c96843c03a17641885b9d69916ab319dd2a559
MD5 hash: 4694d9aea136882b13ab2be480b347ec
humanhash: delta-nineteen-seventeen-music
File name:kp.d.ps1
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:23'388 bytes
First seen:2025-08-14 12:55:45 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 384:0zInbQ+GBlKNTkye54BZMoC8zvhgZI+lJmLNPfhN4lyq1AZBe71B9ozc1FLdGKaV:PbalKNTk72ZMX8DG+mmLdkJ1AOhdTgik
TLSH T11FB2D09C983BC40C47FC1C9C10EAD3B8753800035AD7BDF675E3AB5AD1E656368E961A
Magika txt
Reporter aachum
Tags:104-164-55-96 ClickFix FakeCaptcha ps1 Rhadamanthys


Avatar
iamaachum
https://pub-dce4815fde8f4b84a55fe31ab7cf28c3.r2.dev/Google-Captcha-Continue-Latest-N-E-1-0-V.html => http://77.237.247.182/kp.d

Intelligence

File Origin
# of uploads :
1
# of downloads :
259
Origin country :
ES ES
Vendor Threat Intelligence
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689ddcdc48c64d68735c5f06
Tags:
autoit emotet
Verdict:
Unknown
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/689ddce36d7bffa0a7a20a9b/reports/06526837-8027-483e-a955-2a45ee0286f1/overview
Verdict:
Suspicious
Labled as:
PowerShell/Kryptik.KG trojan
Link:
https://www.hybrid-analysis.com/sample/3beab211624f4b26df274a68cdfb3d4dd7f637ff86f8bde9b1d6532d230e5bf9
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1756924
Signature
AI detected malicious Powershell script
C2 URLs / IPs found in malware configuration
Detected CypherIt Packer
Drops PE files with a suspicious file extension
Found malware configuration
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Sigma detected: Search for Antivirus process
Switches to a custom stack to bypass stack traces
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1756924 Sample: kp.d.ps1 Startdate: 14/08/2025 Architecture: WINDOWS Score: 100 54 lrWtmmcTVbCxB.lrWtmmcTVbCxB 2->54 62 Found malware configuration 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 Yara detected RHADAMANTHYS Stealer 2->66 68 4 other signatures 2->68 12 powershell.exe 15 28 2->12         started        signatures3 process4 dnsIp5 58 77.237.247.182, 49685, 80 OWSES Spain 12->58 52 C:\Users\user\AppData\Local\Temp\YMyCT.exe, PE32 12->52 dropped 76 Loading BitLocker PowerShell Module 12->76 78 Powershell drops PE file 12->78 17 YMyCT.exe 30 12->17         started        21 conhost.exe 12->21         started        file6 signatures7 process8 file9 48 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 17->48 dropped 60 Multi AV Scanner detection for dropped file 17->60 23 cmd.exe 1 17->23         started        signatures10 process11 signatures12 70 Detected CypherIt Packer 23->70 72 Drops PE files with a suspicious file extension 23->72 26 cmd.exe 4 23->26         started        29 conhost.exe 23->29         started        process13 file14 50 C:\Users\user\AppData\Local\...\Flashers.pif, PE32 26->50 dropped 31 Flashers.pif 26->31         started        34 extrac32.exe 23 26->34         started        36 tasklist.exe 1 26->36         started        38 2 other processes 26->38 process15 signatures16 80 Switches to a custom stack to bypass stack traces 31->80 40 OpenWith.exe 31->40         started        44 WerFault.exe 31->44         started        process17 dnsIp18 56 104.164.55.96, 443, 49687 EGIHOSTINGUS United States 40->56 74 Switches to a custom stack to bypass stack traces 40->74 46 WerFault.exe 40->46         started        signatures19 process20
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/3beab211624f4b26df274a68cdfb3d4dd7f637ff86f8bde9b1d6532d230e5bf9
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3beab211624f4b26df274a68cdfb3d4dd7f637ff86f8bde9b1d6532d230e5bf9/
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/3beab211624f4b26df274a68cdfb3d4dd7f637ff86f8bde9b1d6532d230e5bf9
Threat name:
Script-PowerShell.Trojan.Rhadamanthys
Create hunting rule
Status:
Malicious
First seen:
2025-08-14 02:18:09 UTC
File Type:
Text
AV detection:
8 of 38 (21.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hpvleelcj5fsnxzhjjum36z5jxl7mn77q34l32nr2zjs2iyolp4q._file
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys discovery execution stealer
Link:
https://tria.ge/reports/250814-p5775agq6x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3beab211624f4b26df274a68cdfb3d4dd7f637ff86f8bde9b1d6532d230e5bf9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

PowerShell (PS) ps1 3beab211624f4b26df274a68cdfb3d4dd7f637ff86f8bde9b1d6532d230e5bf9

(this sample)

Rhadamanthys

Executable exe 1695039099cdff9bf78f8314bf8b64788b020b5547993ec2c9ec524ad2a4a497

  
Link
https://tria.ge/250814-p3wfjstnw9/behavioral2
  
Delivery method
Distributed via web download
  
Dropping
SHA256 1695039099cdff9bf78f8314bf8b64788b020b5547993ec2c9ec524ad2a4a497
  
Dropping
MD5 f57049a019426a5016abc5604018a8a0

Comments