MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ceec9e93a1021697e5e23ac3e67cf886dadf683e3ddc40f7a2c770115027cbd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Rhadamanthys


Vendor detections: 12



SHA256 hash: 4ceec9e93a1021697e5e23ac3e67cf886dadf683e3ddc40f7a2c770115027cbd
SHA3-384 hash: 73bc031e6e9ef2cbcc2f7d2ee61aae4b082ad9cffecdf9b3bbd3edd6b43eb0ac83d123e4c439ffd1e5a332f3300b43d0
SHA1 hash: 1222e14a265a4163a17cb9d3e56bb88aded4f6f4
MD5 hash: ff5473acde649691bd4ee7d1c9c9ab33
humanhash: timing-pluto-equal-winner
File name:Setup - 1.exe
Signature Rhadamanthys
File size:6'505'431 bytes
First seen:2025-10-17 17:55:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e8ac1646024d52d1534a88da2e8037cd (7 x OffLoader, 5 x HijackLoader, 5 x Tofsee)
ssdeep 196608:xDbSxcJWrlYF6YoaJkEVosveyvuwlspKScaTd:xD5YZY4YLJk/Mdsp9Td
TLSH T1AF661213F28D633EE469563A49769A10953FAA20A51E8CB396EC3D4CCE390601D7FF47
TrID 49.8% (.EXE) Inno Setup installer (107240/4/30)
20.0% (.EXE) InstallShield setup (43053/19/16)
19.3% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.8% (.EXE) Win64 Executable (generic) (10522/11/4)
2.0% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter aachum
Tags:80-97-160-63 exe HIjackLoader Rhadamanthys
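The imphash field above is worth a closer look before using it as a pivot. MalwareBazaar already reports that the same value (e8ac1646024d52d1534a88da2e8037cd) is shared with OffLoader, HijackLoader and Tofsee samples, and TrID classifies the file as an Inno Setup installer, so the hash most likely reflects the installer stub's import table rather than anything specific to Rhadamanthys. The following added example (not code from MalwareBazaar or any vendor listed on this page) implements the import-hash algorithm as pefile computes it: DLL name lower-cased with its .dll/.ocx/.sys extension removed, joined by a dot to the lower-cased function name, entries kept in import order, joined with commas and MD5-hashed. The import table is constructed for illustration, and the ordinal handling is a stated simplification (pefile resolves ordinals of a few well-known DLLs such as ws2_32 to names before hashing; here every ordinal becomes `ordN`).

```python
import hashlib

# Constructed import table shaped like a small installer stub. It is NOT the sample's
# real import table (the page shows only the resulting imphash) and exists only to
# demonstrate the algorithm.
INSTALLER_STUB_IMPORTS = [
    ("KERNEL32.DLL", "GetModuleHandleA"),
    ("KERNEL32.DLL", "LoadLibraryA"),
    ("USER32.DLL", "MessageBoxA"),
    ("ADVAPI32.DLL", "RegOpenKeyExA"),
]


def canonical_import_string(imports):
    """Build the string that pefile hashes for its imphash.

    imports: list of (dll_name, function_name_or_ordinal) in import-table order.
    DLL names are lower-cased and stripped of a .dll/.ocx/.sys extension; function
    names are lower-cased; ordinal imports become 'ord<N>' (simplification: pefile
    first tries an ordinal-to-name table for ws2_32/oleaut32 and a few others).
    """
    parts = []
    for dll, func in imports:
        lib = dll.lower()
        base, dot, ext = lib.rpartition(".")
        if dot and ext in ("dll", "ocx", "sys"):
            lib = base
        name = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports):
    """MD5 of the canonical import string: the value shown in the imphash field."""
    return hashlib.md5(canonical_import_string(imports).encode("ascii")).hexdigest()


def same_loader_stub(imports_a, imports_b):
    """True when two binaries collide on imphash.

    Two samples with different payloads but the same installer or packer stub import
    the same functions in the same order, so they share an imphash. That is why one
    imphash can map to several families, as it does on this entry.
    """
    return imphash(imports_a) == imphash(imports_b)


if __name__ == "__main__":
    print("import string :", canonical_import_string(INSTALLER_STUB_IMPORTS))
    print("imphash       :", imphash(INSTALLER_STUB_IMPORTS))
    # Same imports with different case in the DLL names: identical imphash.
    variant = [(d.replace("DLL", "dll"), f) for d, f in INSTALLER_STUB_IMPORTS]
    print("stub collision:", same_loader_stub(INSTALLER_STUB_IMPORTS, variant))
    # Reordered import table: different imphash, because order is part of the hash.
    reordered = list(reversed(INSTALLER_STUB_IMPORTS))
    print("reordered     :", same_loader_stub(INSTALLER_STUB_IMPORTS, reordered))
```

Because order matters and the payload inside an installer contributes nothing to the outer file's import table, an imphash hit against an installer stub clusters by packaging, not by family. Pivot on it to find other Inno Setup-wrapped droppers, and use ssdeep or TLSH of the unpacked stages, or the YARA matches, when you want Rhadamanthys or HijackLoader specifically.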


iamaachum
https://fullsecure.cfd/alpha-01/ => https://mega.nz/file/rhJkGJAS#IbNtcZwlVHJvmHfA2hFraKsN3YRNqczBCcOVgHlW0a4

Intelligence


File Origin
# of uploads :
1
# of downloads :
85
Origin country :
ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_4ceec9e93a1021697e5e23ac3e67cf886dadf683e3ddc40f7a2c770115027cbd.exe
Verdict:
Malicious activity
Analysis date:
2025-10-17 18:12:51 UTC
Tags:
autoit hijackloader loader anti-evasion rhadamanthys stealer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
dropper virus spawn
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
embarcadero_delphi fingerprint infostealer installer invalid-signature obfuscated overlay signed threat xworm
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-15T13:05:00Z UTC
Last seen:
2025-10-19T16:11:00Z UTC
Hits:
~1000
Detections:
Trojan.Win32.Delf.sb HEUR:Trojan-Dropper.Win32.Agent.gen Trojan-Dropper.Win64.DllHijack.c HEUR:Trojan-PSW.Win32.Crypt.gen Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb Trojan.Win32.Crypt.sb Trojan.Win64.DLLhijack.bgu not-a-virus:HEUR:RiskTool.Win32.ProcHack.gen
Result
Threat name:
HijackLoader, RHADAMANTHYS
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected HijackLoader
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 1797328; Sample: Setup - 1.exe; Start date: 17/10/2025; Architecture: WINDOWS; Score: 100
Top-level network: www.ibm.com; outer-global-dual.ibmcom-tls12.edgekey.net; 2 other IPs or domains
Top-level signatures: Found malware configuration; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 2 other signatures
Process tree (dropped files, network contacts and signatures listed under the process they belong to):
Setup - 1.exe
    drops C:\Users\user\AppData\Local\...\Setup - 1.tmp (PE32)
    Setup - 1.tmp
        network: e7817.dscx.akamaiedge.net 23.10.96.138:443 (local port 49687), AKAMAI-ASUS, United States
        network: ibm.com 23.205.138.225:443 (local port 49686), AKAMAI-ASN1EU, United States
        drops C:\Users\user\AppData\Local\...\cmdres.DLL (PE32+)
        drops C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+)
        drops C:\Users\user\AppData\Local\...\MSSP7EN.DLL (PE32+)
        drops C:\Users\user\AppData\...\AdapterStellar.exe (PE32+)
        AdapterStellar.exe
            drops C:\ProgramData\scan_guard_dbg\cmdres.DLL (PE32+)
            drops C:\ProgramData\scan_guard_dbg\MSSP7EN.DLL (PE32+)
            drops C:\ProgramData\...\AdapterStellar.exe (PE32+)
            signature: Found direct / indirect Syscall (likely to bypass EDR)
            AdapterStellar.exe (second instance)
                drops C:\Users\user\AppData\Roaming\...\Stipa.scr (PE32+)
                drops C:\Users\user\AppData\Local\...\7EC7072.tmp (PE32+)
                signature: Drops PE files with a suspicious file extension
                signature: Modifies the context of a thread in another process (thread injection)
                signature: Found hidden mapped module (file has been removed from disk)
                3 other signatures
                Stipa.scr
                    network: 80.97.160.63:443 (local port 49689), RCS-RDS73-75DrStaicoviciRO, Romania
                    signature: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                    signature: Found direct / indirect Syscall (likely to bypass EDR)
                    WerFault.exe
Result
Malware family:
hijackloader
Score:
  10/10
Tags:
family:hijackloader discovery loader
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Detects HijackLoader (aka IDAT Loader)
HijackLoader
Hijackloader family
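The Joe Sandbox signatures and process tree above and the Triage behaviours just listed (Executes dropped EXE, Loads dropped DLL, Suspicious use of SetThreadContext / WriteProcessMemory) describe a chain that can be checked against endpoint telemetry without any family-specific indicator: an installer temp file writes an executable plus two DLLs into a writable directory, runs the executable, which loads the DLLs from its own directory, then writes a PE under a non-executable extension and runs it. The following is an added example, not code from MalwareBazaar or any vendor named on this page. The events are constructed in a Sysmon-like shape (FileCreate, ProcessCreate, ImageLoad) from the paths the graph shows; the directories the graph elides (the installer's temp folder, the Roaming subfolder of Stipa.scr, the ProgramData folder of AdapterStellar.exe, which is assumed to be the same scan_guard_dbg folder as the DLLs) are filled in with assumed values. The `head` field, the first bytes of the written file, is an assumption about the telemetry: Sysmon FileCreate alone does not record it, so in practice it comes from an EDR that captures file magic or from a follow-up scan of the created path.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

PE_MAGIC = b"MZ"
# Extensions under which an on-disk PE image is expected. Windows will happily run a
# .scr as a PE, which is exactly why droppers use it; treating .scr and .tmp as
# unexpected is an analyst choice (assumption), not a Windows rule.
EXPECTED_PE_EXT = {".exe", ".dll", ".sys", ".ocx", ".cpl", ".drv"}
# Roots where a freshly written executable loading DLLs from its own directory is
# far more suspicious than under Program Files (assumption: tune per environment).
WRITABLE_ROOTS = ("c:\\programdata\\", "c:\\users\\")


@dataclass
class Event:
    ts: datetime
    kind: str            # "file_create", "process_create" or "image_load"
    pid: int             # acting process
    image: str           # acting process image path
    target: str = ""     # created file, child image or loaded DLL
    head: bytes = b""    # first bytes of the written file (file_create only)
    child_pid: int = 0   # process_create only


def norm(path):
    """Case-fold a Windows path so comparisons are not defeated by casing."""
    return path.lower()


def find_suspicious_pe_drops(events):
    """'Drops PE files with a suspicious file extension': MZ header, wrong extension."""
    hits = []
    for e in events:
        if e.kind == "file_create" and e.head.startswith(PE_MAGIC):
            if PureWindowsPath(e.target).suffix.lower() not in EXPECTED_PE_EXT:
                hits.append((e.image, e.target))
    return hits


def find_exec_of_recent_drops(events, window=timedelta(minutes=5)):
    """'Creating a process from a recently created file' / 'Executes dropped EXE'."""
    created = {}  # normalised path -> creation timestamp
    hits = []
    for e in events:
        if e.kind == "file_create":
            created[norm(e.target)] = e.ts
        elif e.kind == "process_create":
            ts = created.get(norm(e.target))
            if ts is not None and e.ts - ts <= window:
                hits.append((e.image, e.target))
    return hits


def find_sideload_candidates(events):
    """'Loads dropped DLL': a dropped DLL loaded from the loader's own writable directory."""
    dropped = {norm(e.target) for e in events if e.kind == "file_create"}
    hits = []
    for e in events:
        if e.kind != "image_load":
            continue
        dll = norm(e.target)
        exe_dir = str(PureWindowsPath(norm(e.image)).parent)
        same_dir = str(PureWindowsPath(dll).parent) == exe_dir
        if dll in dropped and same_dir and exe_dir.startswith(WRITABLE_ROOTS):
            hits.append((e.image, e.target))
    return hits


# Constructed telemetry mirroring the graph on this page (paths marked above as assumed).
T0 = datetime(2025, 10, 17, 17, 55, 0)
SETUP_TMP = "C:\\Users\\user\\AppData\\Local\\Temp\\Setup - 1.tmp"
DROP_DIR = "C:\\ProgramData\\scan_guard_dbg\\"
STAGE2 = DROP_DIR + "AdapterStellar.exe"
SCR = "C:\\Users\\user\\AppData\\Roaming\\Stipa.scr"
TMP_PE = "C:\\Users\\user\\AppData\\Local\\Temp\\7EC7072.tmp"
MZ = b"MZ\x90\x00\x03\x00"
SAMPLE_EVENTS = [
    Event(T0, "file_create", 1000, SETUP_TMP, STAGE2, MZ),
    Event(T0, "file_create", 1000, SETUP_TMP, DROP_DIR + "cmdres.DLL", MZ),
    Event(T0, "file_create", 1000, SETUP_TMP, DROP_DIR + "MSSP7EN.DLL", MZ),
    Event(T0 + timedelta(seconds=2), "process_create", 1000, SETUP_TMP, STAGE2, child_pid=2000),
    Event(T0 + timedelta(seconds=3), "image_load", 2000, STAGE2, "C:\\Windows\\System32\\kernel32.dll"),
    Event(T0 + timedelta(seconds=3), "image_load", 2000, STAGE2, DROP_DIR + "cmdres.DLL"),
    Event(T0 + timedelta(seconds=3), "image_load", 2000, STAGE2, DROP_DIR + "MSSP7EN.DLL"),
    Event(T0 + timedelta(seconds=10), "file_create", 2000, STAGE2, SCR, MZ),
    Event(T0 + timedelta(seconds=10), "file_create", 2000, STAGE2, TMP_PE, MZ),
    Event(T0 + timedelta(seconds=11), "process_create", 2000, STAGE2, SCR, child_pid=3000),
    Event(T0 + timedelta(seconds=12), "file_create", 2000, STAGE2, DROP_DIR + "log.tmp", b"[info] ok"),  # benign control
]

if __name__ == "__main__":
    for name, fn in (("pe_with_odd_extension", find_suspicious_pe_drops),
                     ("exec_of_recent_drop", find_exec_of_recent_drops),
                     ("dll_sideload_candidate", find_sideload_candidates)):
        for actor, target in fn(SAMPLE_EVENTS):
            print(f"{name}: {actor} -> {target}")
```

Each rule alone is noisy (installers legitimately execute what they just wrote), which is why the page's sandboxes score the combination rather than any single behaviour; correlate the three hits on the same process chain, and add the thread-context modification the page reports (Sysmon has no native event for it, so it needs EDR or ETW-TI coverage) before treating a chain as a loader.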
Unpacked files
SHA256 hash:
4ceec9e93a1021697e5e23ac3e67cf886dadf683e3ddc40f7a2c770115027cbd
MD5 hash:
ff5473acde649691bd4ee7d1c9c9ab33
SHA1 hash:
1222e14a265a4163a17cb9d3e56bb88aded4f6f4
SHA256 hash:
5ddad91a95ac2e0975b12c143cc0c99c106266b56000557b0460a2be107cb285
MD5 hash:
eedfbc6533a74617f2950ad2187e2665
SHA1 hash:
3a9b7f07fd72374416e0c65df540dc946a869f42
SHA256 hash:
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95
MD5 hash:
e4211d6d009757c078a9fac7ff4f03d4
SHA1 hash:
019cd56ba687d39d12d4b13991c9a42ea6ba03da
Malware family:
IDATLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Borland
Author:malware-lu
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:pe_detect_tls_callbacks
Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:SHA512_Constants
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:shellcode
Author:nex
Description:Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe 4ceec9e93a1021697e5e23ac3e67cf886dadf683e3ddc40f7a2c770115027cbd

(this sample)

Delivery method
Distributed via web download

Comments