MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c89d5c035fff230fb03efecfb52b5ecffb4e5f95b1baa3ef31fc6edd5da52ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Rhadamanthys


Vendor detections: 13



SHA256 hash: 4c89d5c035fff230fb03efecfb52b5ecffb4e5f95b1baa3ef31fc6edd5da52ee
SHA3-384 hash: 976a4439dfc3864c94ef9ce8d04c4b1dc7d536bc68052a6816ee46e1b068c9f496dc8ddfadc9a8919e6200091d6c635e
SHA1 hash: b5b05fa41170dc1378596bdbb0ad9252b2050f88
MD5 hash: 53b8ea51ad1cd58085ba33decb8e9291
humanhash: table-asparagus-march-lactose
File name: 53b8ea51ad1cd58085ba33decb8e9291.exe
Signature: Rhadamanthys
File size: 1'077'248 bytes
First seen: 2025-03-21 05:29:03 UTC
Last seen: 2025-03-21 05:51:48 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'655 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep: 24576:rw+YodbZvTNLIqP2v5qTI5VL8X8L/1chuMVqk1pH+GEChnRu:rw+Y+TNIiGx08L/1MrqkreOn
TLSH: T1443522E1B4C7D11ACAF75ABF09A19296E670916F5802E684F85C583F0F75BC58F03389
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika: pebin
Reporter: threatcat_ch
Tags: exe Rhadamanthys

Intelligence


File Origin
# of uploads: 2
# of downloads: 439
Origin country: CH

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 53b8ea51ad1cd58085ba33decb8e9291.exe
Verdict: No threats detected
Analysis date: 2025-03-21 05:30:22 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 93.3%
Tags: virus micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Unauthorized injection to a recently created process
Restart of the analyzed sample
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm obfuscated packed packer_detected
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RHADAMANTHYS
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Early bird code injection technique detected
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected AntiVM3
Yara detected Costura Assembly Loader
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 1644915, Sample: EaTo0d6YUT.exe, Startdate: 21/03/2025, Architecture: WINDOWS, Score: 100

Top level (node 2):
  DNS/IPs: twc.trafficmanager.net; time.windows.com; 6 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 7 other signatures
  Started: EaTo0d6YUT.exe (11); elevation_service.exe (15); elevation_service.exe (17); 2 other processes (19)

EaTo0d6YUT.exe (11):
  DNS/IPs: buypoint.shop 172.67.145.183, 443, 49722 CLOUDFLARENETUS United States
  Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Injects a PE file into a foreign processes; Switches to a custom stack to bypass stack traces
  Started: EaTo0d6YUT.exe (21)

EaTo0d6YUT.exe (21):
  Started: svchost.exe (23); WerFault.exe (27)

svchost.exe (23):
  DNS/IPs: 176.65.141.165, 49723, 49740, 49750 WEBTRAFFICDE Germany
  Signatures: System process connects to network (likely due to code injection or exploit); Switches to a custom stack to bypass stack traces
  Started: svchost.exe (29)

svchost.exe (29):
  DNS/IPs: time-a-g.nist.gov 129.6.15.28, 123, 53846 US-NATIONAL-INSTITUTE-OF-STANDARDS-AND-TECHNOLOGYUS United States; ntp.nict.jp 133.243.238.163, 123, 53846 NICTNationalInstituteofInformationandCommunicationsTe Japan; 4 other IPs or domains
  Signatures: Early bird code injection technique detected; Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc); 2 other signatures
  Started: msedge.exe (33); chrome.exe (37); chrome.exe (39)

msedge.exe (33):
  DNS/IPs: 239.255.255.250 unknown Reserved
  Signatures: Found strings related to Crypto-Mining
  Started: msedge.exe (41)

chrome.exe (37):
  Started: chrome.exe (44)

msedge.exe (41):
  DNS/IPs: chrome.cloudflare-dns.com 162.159.61.3, 443, 49743, 49744 CLOUDFLARENETUS United States

chrome.exe (44):
  DNS/IPs: 127.0.0.1 unknown unknown
Threat name: ByteCode-MSIL.Trojan.PureLogStealer
Status: Malicious
First seen: 2025-03-20 17:05:38 UTC
File Type: PE (.Net Exe)
Extracted files: 5
AV detection: 20 of 24 (83.33%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: discovery
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Downloads MZ/PE file
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SHA256 hash: 4c89d5c035fff230fb03efecfb52b5ecffb4e5f95b1baa3ef31fc6edd5da52ee
MD5 hash: 53b8ea51ad1cd58085ba33decb8e9291
SHA1 hash: b5b05fa41170dc1378596bdbb0ad9252b2050f88

SHA256 hash: e380175ef0db75f6184e1eb3f19b322acb73cb6d1fb668a42d5376d40c6164c3
MD5 hash: 56cfe32c0a461f36e98e4d5d53d68039
SHA1 hash: 319bd22c80b93703c45aef8614c11c5c545b1694
Detections: SUSP_OBF_NET_Reactor_Indicators_Jan24

SHA256 hash: 1be96d8a0791f6ccce185ca73205f347d7bfa002ac4a729c1eb1a5fb6fb53e80
MD5 hash: 52670cd9507ecc5c8e83e6cf50eb50eb
SHA1 hash: 35fd2ba11511943475ee4eef62da20183b321ee6

SHA256 hash: 78f73e1734daa918b253517c75971fbb8df773a3d77d02a752e9a0ad1711a677
MD5 hash: f9d2985aa1c41cca281321fffb5ed424
SHA1 hash: 3a7a58d2dcae2762882357ae34d372744b1dbb9d

SHA256 hash: 19efdf03cb94895935225795f68bb9abfded1869687367013b8b4eee3cc99372
MD5 hash: 4e29f75c0c51b9dec76955f0382d9541
SHA1 hash: 4899aa8e3f57339cbaec8faab777897a76fe1c3a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: NET
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_imphash

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                         | Title                                            | Severity
CHECK_AUTHENTICODE         | Missing Authenticode                             | high
CHECK_DLL_CHARACTERISTICS  | Missing dll Security Characteristics (GUARD_CF)  | high

Comments