MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4cb620428080d0a2d9de18bbd702f1dc66b732946a1bb93f6adbb05940ccaa1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 15

Intelligence 15 IOCs YARA 1 File information Comments

SHA256 hash:	4cb620428080d0a2d9de18bbd702f1dc66b732946a1bb93f6adbb05940ccaa1d
SHA3-384 hash:	8f5d578cc8c988cd59c6d574d85b6fa2c4f82cc895bd173366602db65096d8e40734aeadb50f3ae29a65cb54111bf494
SHA1 hash:	4fee7cf42dc07ca6d4fc391be2fedbc147da2ba1
MD5 hash:	7b00f0b51dfcbdd8a7cc28841a655dc5
humanhash:	vegan-helium-magnesium-india
File name:	file
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	1'671'168 bytes
First seen:	2025-11-02 22:36:34 UTC
Last seen:	2025-11-02 23:22:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 70 x LummaStealer, 61 x Rhadamanthys)
ssdeep	24576:rjvqszqRz9usa2TIOkBI8OTXElQNOo8p8YTl13eNV8Jhe1DTFBCkGX6BD5BX4iKT:rjvqsczC2TqBZBl5pXT0MhsDxcxHQJ
Threatray	299 similar samples on MalwareBazaar
TLSH	T1F475337463D6905DE8624BB885F112037A7BB4A61F38A2FF3AC4C77C89536D55838F0A
TrID	41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 26.1% (.EXE) Win64 Executable (generic) (10522/11/4) 12.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.1% (.ICL) Windows Icons Library (generic) (2059/9) 5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe fbf543 Rhadamanthys

Bitsight

url: http://178.16.55.189/files/7559408112/8RsL970.exe

Intelligence

File Origin

# of uploads :

# of downloads :

124

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

4cb620428080d0a2d9de18bbd702f1dc66b732946a1bb93f6adbb05940ccaa1d.bin.exe

Verdict:

Malicious activity

Analysis date:

2025-11-02 22:26:08 UTC

Tags:

autoit rhadamanthys stealer websocket

Link:

https://app.any.run/tasks/28295220-823e-41cd-ae4f-99aa10e44d17

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/35038/

Detection(s):

SecuriteInfo.com.Trojan.KillProc2.18834.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6907dd039942f1282ecb897f

Tags:

autoit emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Launching a process

Creating a process with a hidden window

Running batch commands

Moving a file to the %temp% subdirectory

Using the Windows Management Instrumentation requests

Searching for synchronization primitives

Creating a window

Creating a process from a recently created file

DNS request

Unauthorized injection to a recently created process

Сreating synchronization primitives

Connection attempt

Sending a custom TCP request

Launching the default Windows debugger (dwwin.exe)

Unauthorized injection to a recently created process by context flags manipulation

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

adaptive-context CAB installer installer installer-heuristic lolbin microsoft_visual_cc packed rundll32 runonce

Link:

https://www.filescan.io/uploads/6907dcfb21d55ed90d452425/reports/06d7f729-7034-48d9-93be-d9790d9c1f0c/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/4cb620428080d0a2d9de18bbd702f1dc66b732946a1bb93f6adbb05940ccaa1d

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-11-02T19:29:00Z UTC

Last seen:

2025-11-04T13:01:00Z UTC

Hits:

~100

Detections:

Backdoor.Agent.UDP.C&C HEUR:Trojan-Dropper.Win32.Agent.gen HEUR:Trojan.Script.AUO.gen VHO:Backdoor.Win32.Agent.gen

Link:

https://opentip.kaspersky.com/4cb620428080d0a2d9de18bbd702f1dc66b732946a1bb93f6adbb05940ccaa1d/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/e7fa8da1-d8d4-4c84-a83a-5781a134215d

Score:

90%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/4cb620428080d0a2d9de18bbd702f1dc66b732946a1bb93f6adbb05940ccaa1d

Verdict:

inconclusive

YARA:

6 match(es)

Tags:

AutoIt CAB:COMPRESSION:LZX CAB:COMPRESSION:MSZIP Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/7b00f0b51dfcbdd8a7cc28841a655dc5

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4cb620428080d0a2d9de18bbd702f1dc66b732946a1bb93f6adbb05940ccaa1d/

Verdict:

Malicious

Threat:

Family.RHADAMANTHYS

Link:

https://tip.neiki.dev/file/4cb620428080d0a2d9de18bbd702f1dc66b732946a1bb93f6adbb05940ccaa1d

Threat name:

Win64.Trojan.Egairtigado

Status:

Malicious

First seen:

2025-11-02 22:26:10 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

23 of 38 (60.53%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=js3caquaqdikfwo6dc55oaxr3rtlomuunin3sp3k3oyfsqgmvioq._file

Verdict:

malicious

Label(s):

smokeloader

Rhadamanthys

52dd5ff3704a1d0be979be5a99be19054f5717fe3bc7ff9e7609d211417fb917

Rhadamanthys

56d76ae1d2fe513e9de273d623b46aea8c944413a1e78015d72cdf910c1b091a

Rhadamanthys

5df8dc57b9b97522aadc906667f82a1185e6bbee062ae9fbaba297b1ccc57b58

Rhadamanthys

6c58064777ef165869c15b19dba9097e4fa66890344cf6346d4f10239d0c0415

Rhadamanthys

738210b7ab282c0a2357a333a6ce02d61fcc1f9c1ddb69d380c9fa9bee686cee

Rhadamanthys

946d29dd4c5436460dd2b4a1c0966d701248df529c8a51a64f1b63ab05baeba9

Rhadamanthys

9915d0cb9587f1b4dc6a30e923a4a40c225ffa9b88a360c0bb3acfec216fd206

Rhadamanthys

b14460c1b9e5d88d6f41d605b88e0de4bbac646b3c578e514bfcff5ba1dd584f

Rhadamanthys

d9f4d8365c1f4caeff171e712ba32a7e132b12d9f1232a7ada4f1385d15e2007

Rhadamanthys

error

Rhadamanthys

+ 289 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

defense_evasion discovery persistence

Link:

https://tria.ge/reports/251102-2jl4zsdk7v/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Enumerates processes with tasklist

Suspicious use of SetThreadContext

Adds Run key to start application

Executes dropped EXE

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/9835721e-7b99-4ab2-879e-fddc4ccbe21f

Unpacked files

SH256 hash:

4cb620428080d0a2d9de18bbd702f1dc66b732946a1bb93f6adbb05940ccaa1d

MD5 hash:

7b00f0b51dfcbdd8a7cc28841a655dc5

SHA1 hash:

4fee7cf42dc07ca6d4fc391be2fedbc147da2ba1

Link:

https://www.unpac.me/results/788c3257-b776-4010-b21c-7a8af05e1463/

Malware family:

Rhadamanthys

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4cb620428080/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4cb620428080d0a2d9de18bbd702f1dc66b732946a1bb93f6adbb05940ccaa1d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.