MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 415c17f6478a1ae3396eee646a2025c9c531d25becb62dc460e2815fb5d34e07. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 14


Intelligence 14 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 415c17f6478a1ae3396eee646a2025c9c531d25becb62dc460e2815fb5d34e07
SHA3-384 hash: 605f9492b9905b7ba952658ab2cdab25b506784163ab59fb0877106d3f0c6757cd8ed676025fe43d7d85902dcf596e72
SHA1 hash: 19fd8d8d7498efa5f0e31c984145f47653bc4eb9
MD5 hash: 23de8dd16fd0bb828096dc77e1d3fe5e
humanhash: six-lithium-solar-kitten
File name:setup.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:145'920 bytes
First seen:2025-10-17 06:54:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f47f03a31db3c6213f84ebad374f0878 (1 x Rhadamanthys)
ssdeep 3072:xC6KQ81gZSdLtXsP2sOV7oTRzipomT2bE0fW7xNil:xCvHxXqs7Xpo4jil
Threatray 650 similar samples on MalwareBazaar
TLSH T101E34C57F76570FAE27A8934C8520945EB727CB68790AB9F07904EE50E236E08F3DB11
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:de-pumped exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup.exe
Verdict:
Malicious activity
Analysis date:
2025-10-17 06:56:37 UTC
Tags:
lumma
Link:
https://app.any.run/tasks/c41d8f31-da72-4cfa-b8e6-3a00e8558a15

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/33180/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f1e88672d478f905988d84
Tags:
extens virus small
Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm crypt explorer lolbin microsoft_visual_cc msiexec unsafe
Link:
https://www.filescan.io/uploads/68f1e87b057c46a471d0dd32/reports/d366c884-ab16-4804-98dd-bc458329736e/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/415c17f6478a1ae3396eee646a2025c9c531d25becb62dc460e2815fb5d34e07
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-10-17T02:14:00Z UTC
Last seen:
2025-10-17T12:47:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Crypt.sb VHO:Trojan-PSW.Win32.Convagent.gen Trojan.Win64.SBEscape.sb Trojan.Win64.SBEscape.bjw Trojan.Win32.Inject.sb Trojan.Win32.Agent.sb
Link:
https://opentip.kaspersky.com/415c17f6478a1ae3396eee646a2025c9c531d25becb62dc460e2815fb5d34e07/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/28544a21-1066-4a61-ae19-b25bdfde37e0
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1796985
Signature
Allocates memory in foreign processes
Early bird code injection technique detected
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Potentially Suspicious Malware Callback Communication
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1796985 Sample: setup.exe Startdate: 17/10/2025 Architecture: WINDOWS Score: 100 43 x.ns.gin.ntt.net 2->43 45 ts1.aco.net 2->45 47 6 other IPs or domains 2->47 57 Multi AV Scanner detection for submitted file 2->57 59 Yara detected RHADAMANTHYS Stealer 2->59 61 Sigma detected: Potentially Suspicious Malware Callback Communication 2->61 9 setup.exe 12 2->9         started        13 elevation_service.exe 2->13         started        15 elevation_service.exe 2->15         started        17 2 other processes 2->17 signatures3 process4 dnsIp5 55 bitbucket.org 104.192.142.26, 443, 49718 AMAZON-AESUS United States 9->55 75 Found direct / indirect Syscall (likely to bypass EDR) 9->75 19 OpenWith.exe 3 9->19         started        signatures6 process7 dnsIp8 49 45.143.167.64, 4433, 49722, 49736 ITTITT-ASRU Russian Federation 19->49 51 time-a-g.nist.gov 129.6.15.28, 123, 65092 US-NATIONAL-INSTITUTE-OF-STANDARDS-AND-TECHNOLOGYUS United States 19->51 53 6 other IPs or domains 19->53 63 Early bird code injection technique detected 19->63 65 Found evasive API chain (may stop execution after checking mutex) 19->65 67 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->67 69 9 other signatures 19->69 23 wmlaunch.exe 19->23         started        26 chrome.exe 1 19->26         started        28 chrome.exe 19->28         started        signatures9 process10 signatures11 71 Writes to foreign memory regions 23->71 73 Allocates memory in foreign processes 23->73 30 dllhost.exe 23->30         started        32 chrome.exe 26->32         started        35 chrome.exe 26->35         started        process12 dnsIp13 37 googlehosted.l.googleusercontent.com 142.250.64.161, 443, 49733, 49734 GOOGLEUS United States 32->37 39 127.0.0.1 unknown unknown 32->39 41 clients2.googleusercontent.com 32->41
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/415c17f6478a1ae3396eee646a2025c9c531d25becb62dc460e2815fb5d34e07
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/23de8dd16fd0bb828096dc77e1d3fe5e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/415c17f6478a1ae3396eee646a2025c9c531d25becb62dc460e2815fb5d34e07/
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/415c17f6478a1ae3396eee646a2025c9c531d25becb62dc460e2815fb5d34e07
Threat name:
Win64.Spyware.Rhadamanthys
Create hunting rule
Status:
Suspicious
First seen:
2025-10-17 06:55:55 UTC
File Type:
PE+ (Exe)
Extracted files:
2
AV detection:
13 of 24 (54.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ifobp5shrinogolo5zsguibfzhctdus35s3c3rda4kav7notjydq._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
2771e4bb8df2b285faafe71c278f3c65ab27631e5bdeafab3b05075f74f71489
Rhadamanthys
56cf64ca5d71f829a5db031b0ea02ad7aaf9cafe881fbbe30487bd5dccf7a4f6
Rhadamanthys
595f8479ff564ed5582c5b4a077191002681853d787d9a24b95ef41a37e15d65
Rhadamanthys
5cb824080cc6e21d39b6605ea6238ec3c723c7043fbb1af3379ba198586ff088
Rhadamanthys
6dd93c496f4bf0993b9749fddc2e08f1bec7779bfc6d93d3ba63da8727169b36
Rhadamanthys
888356a703073d1533a01199c352ed4bbea51116af640f7f6f381bd89a97c888
Rhadamanthys
984f14e5ffd9a1a2c5f6c1015b8b42cf2eab941e1bcccb2b176736b7ac8bebbb
Rhadamanthys
9cc19abdfeed23bfda8ac18cea467746dc6e231ff041512bc92fd9846d9c3751
Rhadamanthys
d99f5dd0397a316ee7d28af1e8f5e5c558cacf00d3d21b10ef8135c94c9e3034
Rhadamanthys
error
Rhadamanthys
f3fd89e09cfb05356f82d1b04ecaed18b78514ea23dcd983908887984d0c3e1d
Rhadamanthys
+ 640 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/251017-hp6k2ayks7/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Legitimate hosting services abused for malware hosting/C2
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8cb7bb4e-54fd-4190-988f-4e1637b7b72e
Unpacked files
SH256 hash:
415c17f6478a1ae3396eee646a2025c9c531d25becb62dc460e2815fb5d34e07
MD5 hash:
23de8dd16fd0bb828096dc77e1d3fe5e
SHA1 hash:
19fd8d8d7498efa5f0e31c984145f47653bc4eb9
Link:
https://www.unpac.me/results/22ba2323-3bf9-46e3-ab1a-8b7cb5dbddaa/
Malware family:
GoInjector
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/415c17f6478a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/415c17f6478a1ae3396eee646a2025c9c531d25becb62dc460e2815fb5d34e07

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Rhadamanthys

zip a298813d7625f32d7197c65c89c43fa8957f8d53c375e61a8a48656e20d57be9

Rhadamanthys

Executable exe 415c17f6478a1ae3396eee646a2025c9c531d25becb62dc460e2815fb5d34e07

(this sample)

  
Dropped by
MD5 78879cbaf4e9e7156eb01cb67edc247e
  
Dropped by
SHA256 a298813d7625f32d7197c65c89c43fa8957f8d53c375e61a8a48656e20d57be9
Cape
Cape
https://www.capesandbox.com/analysis/33180/

Comments