MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 415b94605e8ea36e31cf5efbb6262f65d375eec545e67cc1776cde3744a8cf5b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 15


Intelligence 15 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 415b94605e8ea36e31cf5efbb6262f65d375eec545e67cc1776cde3744a8cf5b
SHA3-384 hash: 26522a2534e2bf46479d6994a7933f36c2e62ecb594e6416618bf5de5ad275b083ac0a33fccf7283358a8ca2368a4151
SHA1 hash: fc8de9895a3744af20d9f40c4867864a76750de9
MD5 hash: 151f03d3629bd4b4af57bf3abfe59419
humanhash: whiskey-maine-moon-mike
File name:415b94605e8ea36e31cf5efbb6262f65d375eec545e67cc1776cde3744a8cf5b.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:1'871'400 bytes
First seen:2025-09-17 11:37:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 442cd635b0ae873bc92537f6f6554791 (3 x Rhadamanthys, 1 x LummaStealer)
ssdeep 24576:Nj/HX3/ocUIGFCMZCavhSebMQGOoaaa88Edn6wxWWaAicFJr1Nf9AcOc/HJ73Wtt:9fgc0FCCCUh8QEaaRNVWWtXPn9JvJjWT
Threatray 15 similar samples on MalwareBazaar
TLSH T1D485E042F5C30053FBE344706B2DC9A4C829AAA3BB185CDB91188594C5F9EDFDA7352B
TrID 49.9% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.6% (.EXE) OS/2 Executable (generic) (2029/13)
9.5% (.EXE) Generic Win/DOS Executable (2002/3)
9.4% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
415b94605e8ea36e31cf5efbb6262f65d375eec545e67cc1776cde3744a8cf5b.exe
Verdict:
Malicious activity
Analysis date:
2025-09-16 22:37:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c2cd2ae9-20af-4432-8f98-6144a64b231a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/27902/
Verdict:
Clean
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c9e68fd49ea3f1e4b6a2bf
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/415b94605e8ea36e31cf5efbb6262f65d375eec545e67cc1776cde3744a8cf5b
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-16T14:50:00Z UTC
Last seen:
2025-09-16T14:50:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Agent.sb Trojan.Win64.SBEscape.sb Trojan.Win32.Strab.sb Trojan.Win32.Inject.sb Trojan.Win32.Crypt.sb
Link:
https://opentip.kaspersky.com/415b94605e8ea36e31cf5efbb6262f65d375eec545e67cc1776cde3744a8cf5b/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/4a315a58-dd34-422c-9eb3-8ca4f4cc7399
Result
Threat name:
Clipboard Hijacker, Coinhive, RHADAMANTH
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1779172
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Disable Windows Defender notifications (registry)
Downloads suspicious files via Chrome
Drops PE files with benign system names
Early bird code injection technique detected
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Schedule system process
Sigma detected: Stop EventLog
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Clipboard Hijacker
Yara detected Coinhive miner
Yara detected RHADAMANTHYS Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1779172 Sample: 6LIZ1BO77v.exe Startdate: 17/09/2025 Architecture: WINDOWS Score: 100 104 x.ns.gin.ntt.net 2->104 106 twc.trafficmanager.net 2->106 108 6 other IPs or domains 2->108 136 Found malware configuration 2->136 138 Antivirus detection for URL or domain 2->138 140 Antivirus detection for dropped file 2->140 142 13 other signatures 2->142 12 6LIZ1BO77v.exe 1 2->12         started        15 msedge.exe 505 2->15         started        19 elevation_service.exe 2->19         started        21 3 other processes 2->21 signatures3 process4 dnsIp5 172 Found many strings related to Crypto-Wallets (likely being stolen) 12->172 174 Switches to a custom stack to bypass stack traces 12->174 23 OpenWith.exe 12->23         started        27 conhost.exe 12->27         started        132 192.168.2.5, 443, 49675, 49683 unknown unknown 15->132 134 239.255.255.250 unknown Reserved 15->134 92 C:\Users\user\AppData\...\adblock_snippet.js, ASCII 15->92 dropped 94 C:\Users\user\AppData\Local\Temp\...\Part-FR, data 15->94 dropped 29 msedge.exe 15->29         started        31 msedge.exe 15->31         started        33 msedge.exe 15->33         started        35 msedge.exe 15->35         started        file6 signatures7 process8 dnsIp9 116 openai-diversifies-with-ai.com 2.58.56.225, 49694, 6343 SOFTNET-ASInternetServiceProviderinSloveniaandSouthE Netherlands 23->116 118 cloudflare-dns.com 104.16.248.249, 443, 49693, 49734 CLOUDFLARENETUS United States 23->118 156 Switches to a custom stack to bypass stack traces 23->156 37 dllhost.exe 8 23->37         started        120 s-part-0041.t-0009.t-msedge.net 13.107.246.69, 443, 49715, 49721 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 29->120 122 ln-0007.ln-msedge.net 150.171.22.17, 443, 49711, 49712 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 29->122 124 14 other IPs or domains 29->124 signatures10 process11 dnsIp12 110 openai-diversifies-with-ai.com 37->110 112 time-a-g.nist.gov 129.6.15.28 US-NATIONAL-INSTITUTE-OF-STANDARDS-AND-TECHNOLOGYUS United States 37->112 114 8 other IPs or domains 37->114 96 C:\Users\user\AppData\Local\...\uV_.exe, PE32+ 37->96 dropped 98 C:\Users\user\AppData\Local\...\k%M~bL$.exe, PE32+ 37->98 dropped 148 System process connects to network (likely due to code injection or exploit) 37->148 150 Early bird code injection technique detected 37->150 152 Found many strings related to Crypto-Wallets (likely being stolen) 37->152 154 4 other signatures 37->154 42 k%M~bL$.exe 37->42         started        46 uV_.exe 37->46         started        48 chrome.exe 1 37->48         started        50 2 other processes 37->50 file13 signatures14 process15 file16 100 C:\ProgramData\Microsoft\...\WmiPrvSE.exe, PE32+ 42->100 dropped 158 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 42->158 160 Query firmware table information (likely to detect VMs) 42->160 162 Modifies windows update settings 42->162 170 3 other signatures 42->170 52 cmd.exe 42->52         started        55 powershell.exe 42->55         started        57 cmd.exe 42->57         started        68 14 other processes 42->68 102 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32+ 46->102 dropped 164 Multi AV Scanner detection for dropped file 46->164 166 Queries memory information (via WMI often done to detect virtual machines) 46->166 168 Drops PE files with benign system names 46->168 59 cmd.exe 46->59         started        70 2 other processes 46->70 61 chrome.exe 48->61         started        64 chrome.exe 48->64         started        66 msedge.exe 50->66         started        signatures17 process18 dnsIp19 144 Uses schtasks.exe or at.exe to add and modify task schedules 52->144 72 net.exe 52->72         started        74 conhost.exe 52->74         started        146 Loading BitLocker PowerShell Module 55->146 76 conhost.exe 55->76         started        78 WmiPrvSE.exe 55->78         started        82 2 other processes 57->82 84 2 other processes 59->84 126 googlehosted.l.googleusercontent.com 142.250.188.225, 443, 49707 GOOGLEUS United States 61->126 128 127.0.0.1 unknown unknown 61->128 130 clients2.googleusercontent.com 61->130 80 conhost.exe 68->80         started        86 14 other processes 68->86 88 3 other processes 70->88 signatures20 process21 process22 90 net1.exe 72->90         started       
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/415b94605e8ea36e31cf5efbb6262f65d375eec545e67cc1776cde3744a8cf5b
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/151f03d3629bd4b4af57bf3abfe59419
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/415b94605e8ea36e31cf5efbb6262f65d375eec545e67cc1776cde3744a8cf5b/
Verdict:
Malicious
Threat:
Family.RHADAMANTHYS
Link:
https://tip.neiki.dev/file/415b94605e8ea36e31cf5efbb6262f65d375eec545e67cc1776cde3744a8cf5b
Threat name:
Win32.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2025-09-16 20:59:32 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ifnziyc6r2rw4mopl353mjrpmxjxl3wfixthzqlxntpdorfiz5nq._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
0d95e636a7e133f2d04f8cdcc0e7e46628a3172f6f5e8e3f2ceea014c911fd4c
Rhadamanthys
2399672c48839929e4dd63c5107d1751128f74b30ea82dca873a8c27ed591c13
Rhadamanthys
2f994afc548d528e56a029cf4481d56a3459d438b46ec38403a977bc7d70dced
Rhadamanthys
b020a00d492e10c75d1002c2da0289a21219738ad456c7eb49721613665a9966
Rhadamanthys
c7b56b506f592ebc069f645f59b2f91dfe748506e9d3101602cc913a4e9d74b0
Rhadamanthys
ca9930f9537efeb6b704634f528df22dd857a71fcc060308d73ee2ed1a5d8d3a
Rhadamanthys
d962395717aee4ced8e39d3fe157df4aac1574f9466194abef32c0ac5a1b39d5
Rhadamanthys
e8b35a75b233e4de9d7240e8426a7204a95c7b7580375a63a1120e06e50e6eca
Rhadamanthys
error
Rhadamanthys
+ 5 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys discovery stealer
Link:
https://tria.ge/reports/250917-nsgzqscr4s/
Behaviour
System Location Discovery: System Language Discovery
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/df788e38-a207-4291-9386-4a91ce2e4afa
Unpacked files
SH256 hash:
415b94605e8ea36e31cf5efbb6262f65d375eec545e67cc1776cde3744a8cf5b
MD5 hash:
151f03d3629bd4b4af57bf3abfe59419
SHA1 hash:
fc8de9895a3744af20d9f40c4867864a76750de9
Link:
https://www.unpac.me/results/c732a92a-8fc8-4205-b09a-2fd7bf839caa/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/415b94605e8e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/415b94605e8ea36e31cf5efbb6262f65d375eec545e67cc1776cde3744a8cf5b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/27902/

Comments