MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49577d951953e184fdeca562418d5f71504a6ea76ebdf9ca67f8164e3d0b6b96. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Rhadamanthys


Vendor detections: 13



SHA256 hash: 49577d951953e184fdeca562418d5f71504a6ea76ebdf9ca67f8164e3d0b6b96
SHA3-384 hash: 0ad5ffe14ff2c00595dfc53344b524817c730b2dc27b7ebfab5131b30d1afae4ec88d593ee069a64302bcabe2db6a526
SHA1 hash: 0cb187d8f9a6810866703ad4666d5d3a367fe808
MD5 hash: a05236ad8b9b55807b55162a934eab1c
humanhash: tango-don-diet-aspen
File name: benign.exe
Signature: Rhadamanthys
File size: 507'904 bytes
First seen: 2025-05-01 20:23:26 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 81dd082c3ea735ad5ba4cf627001ae92 (10 x Rhadamanthys)
ssdeep: 12288:Q5p1UZ32H10rH5ZVZEsh8ZskmY5a4JNXuOwhDM/K:Q5pOZGHOrH5RLG64JNXQ1a
Threatray: 302 similar samples on MalwareBazaar
TLSH: T144B4CE0E69BA4D37C2BD1ABB05A59381410FB0905082087FF3DDC96BDE166A38BE575F
TrID: 32.2% (.EXE) Win64 Executable (generic) (10522/11/4)
      20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
      13.7% (.EXE) Win32 Executable (generic) (4504/4/1)
      6.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
dhash icon: 926b23534d61338c (51 x Rhadamanthys)
Reporter: thesdwe
Tags: exe Rhadamanthys

Intelligence


File Origin
# of uploads: 1
# of downloads: 464
Origin country: CA
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
benign.exe
Verdict:
Malicious activity
Analysis date:
2025-05-01 12:40:26 UTC
Tags:
rhadamanthys stealer shellcode

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Tags:
spawn virus zusy
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
Launching a process
Using the Windows Management Instrumentation requests
Connection attempt
Sending a custom TCP request
DNS request
Sending a UDP request
Reading critical registry keys
Searching for the window
Unauthorized injection to a recently created process
Creating a window
Creating a file
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Unauthorized injection to a system process
Stealing user critical data
Enabling autorun by creating a file
Verdict:
Unknown
Threat level:
2.5/10
Confidence:
100%
Tags:
adaptive-context microsoft_visual_cc overlay
Result
Threat name:
RHADAMANTHYS
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Early bird code injection technique detected
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph: Behavior Graph ID 1679421, Sample benign.exe, Startdate 01/05/2025, Architecture WINDOWS, Score 100 (graph rendered as an image on the original page; its process, DNS/IP and signature nodes are not reproduced here)
Threat name:
Win32.Trojan.Rhadamanthys
Status:
Malicious
First seen:
2025-05-01 20:24:08 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
21 of 24 (87.50%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
10/10
Tags:
discovery
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
SHA256 hash:
49577d951953e184fdeca562418d5f71504a6ea76ebdf9ca67f8164e3d0b6b96
MD5 hash:
a05236ad8b9b55807b55162a934eab1c
SHA1 hash:
0cb187d8f9a6810866703ad4666d5d3a367fe808
Malware family:
Rhadamanthys
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: APT_Sandworm_ArguePatch_Apr_2022_1
Author: Arkbird_SOLG
Description: Detect ArguePatch loader used by Sandworm group to load CaddyWiper
Reference: https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Reviews
ID | Capabilities | Evidence
SHELL_API | Manipulates System Shell | SHELL32.dll::SHGetFileInfoA
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetStartupInfoW, KERNEL32.dll::GetCommandLineW, KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::WriteConsoleW, KERNEL32.dll::ReadConsoleW, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleOutputCP, KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateFileW, KERNEL32.dll::CreateFileMappingW

Comments