MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d9b00ede714843e43f64c9b0682ac1f408e33fe6502f611e48bfb4846fb8961. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	4d9b00ede714843e43f64c9b0682ac1f408e33fe6502f611e48bfb4846fb8961
SHA3-384 hash:	e83fc43f15e4a45a3d972654388bb73622d1aa2886849b9afe1075cc83457d580df7dabb96fdb9686aa5067665358a3f
SHA1 hash:	a6fd48655eb8a1eaf31be921c54043c83b2f6b23
MD5 hash:	a42f987b53545c0b57bd60916e13bc6f
humanhash:	king-golf-march-michigan
File name:	Pandora.exe
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	10'340'744 bytes
First seen:	2025-08-04 22:54:18 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e07647ab48d4be367afc7221135c1e04 (12 x Rhadamanthys)
ssdeep	196608:JJe+BOVDZKkF8PqtXem3ZM5o14WW0XnxTlCII9hQpbIovk3MvqjminUG:JJ1kFKcQo14W7TUbwsjMvcnUG
Threatray	226 similar samples on MalwareBazaar
TLSH	T1D2A6338609EFD1F5CDC2243883275ADB37F386B609984C28BEC47D06ADA6F717027995
TrID	28.5% (.EXE) Win64 Executable (generic) (10522/11/4) 17.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 13.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 12.2% (.EXE) Win32 Executable (generic) (4504/4/1) 5.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
Reporter	AntiSkidding
Tags:	exe Rhadamanthys

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Pandora.exe

Verdict:

Malicious activity

Analysis date:

2025-08-04 21:26:17 UTC

Tags:

rhadamanthys shellcode

Link:

https://app.any.run/tasks/cee114e3-94d4-4c20-a6fc-5884a953fa4c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/18909/

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6891257a0b4775fb21364c04

Tags:

injection obfusc virus

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Launching a process

Using the Windows Management Instrumentation requests

Detecting VM

Connecting to a non-recommended domain

Connection attempt

Sending a custom TCP request

DNS request

Sending a UDP request

Reading critical registry keys

Searching for the window

Running batch commands

Launching the process to interact with network services

Unauthorized injection to a system process

Stealing user critical data

Adding an exclusion to Microsoft Defender

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

infostealer invalid-signature overlay packed rhadamanthys signed

Link:

https://www.filescan.io/uploads/68913a253228e5a4037f7a1e/reports/288c74cc-1237-4160-9f03-9f74c9522ca3/overview

Verdict:

Malicious

Labled as:

Kelios.Generic

Link:

https://www.hybrid-analysis.com/sample/4d9b00ede714843e43f64c9b0682ac1f408e33fe6502f611e48bfb4846fb8961

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/7c6193b8-0085-4542-8119-0faafff31add

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/4d9b00ede714843e43f64c9b0682ac1f408e33fe6502f611e48bfb4846fb8961

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) Win 32 Exe x86

Link:

https://app.malva.re/file/a42f987b53545c0b57bd60916e13bc6f

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4d9b00ede714843e43f64c9b0682ac1f408e33fe6502f611e48bfb4846fb8961/

Verdict:

Malicious

Threat:

Family.RHADAMANTHYS

Link:

https://tip.neiki.dev/file/4d9b00ede714843e43f64c9b0682ac1f408e33fe6502f611e48bfb4846fb8961

Threat name:

Win32.Trojan.Kelios

Status:

Malicious

First seen:

2025-08-01 18:32:02 UTC

File Type:

PE (Exe)

AV detection:

26 of 38 (68.42%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jwnqb3phcscd4q7wjsnqnavmd5ai4m76mubpmeperp5uqrx3rfqq._file

Verdict:

malicious

Label(s):

rhadamanthys

Rhadamanthys

3e299b0743fca7b231c17bc0748a8cef3739654f09bb2d8a0a33e3b2af7249c5

Rhadamanthys

5d251fd02e2d0e0e9bd67dba8cd808b8f8011faee8bed973fb19254a99fa784a

Rhadamanthys

5e72de9f6789a9cda3df9f794ab3e26ff9b24611edf9e0f0cbc4d6a5d8e44bbb

Rhadamanthys

7cf95f58a0394fae9f65ec653b4779dc237a6cc0e88fcb6a477335e1cffd9392

Rhadamanthys

b42256e6754cb643a01f720cbf4946fca672f9fadcf09c975497ca2d8c9d2325

Rhadamanthys

c108a671bd78a29b6ddac6013cce91c94627a8e4f4f8f6e84aa7e75be875ae82

Rhadamanthys

c3b236af617c181af2fd23ffedbd6a62bf33b8978e17bc2f731686e938eb60d6

Rhadamanthys

dfb7fd652369ad522db2bdfbb1a17017a22c57639329b5067a6bb457738ab324

Rhadamanthys

e4291443262d6b9dffb661b6de6ebba39d02ef974a12cf7bfc2d7704aa386d83

Rhadamanthys

error

Rhadamanthys

+ 216 additional samples on MalwareBazaar

Result

Malware family:

rhadamanthys

Score:

10/10

Tags:

family:rhadamanthys discovery stealer

Link:

https://tria.ge/reports/250804-2vqxbaylw9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Deletes itself

Detects Rhadamanthys Payload

Rhadamanthys

Rhadamanthys family

Suspicious use of NtCreateUserProcessOtherParentProcess

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/326b28da-9ae5-45ba-a9bb-125b54a8eee7

Unpacked files

SH256 hash:

4d9b00ede714843e43f64c9b0682ac1f408e33fe6502f611e48bfb4846fb8961

MD5 hash:

a42f987b53545c0b57bd60916e13bc6f

SHA1 hash:

a6fd48655eb8a1eaf31be921c54043c83b2f6b23

Link:

https://www.unpac.me/results/a7c69fbe-84e6-44b6-aaa2-2e76f32dd0d3/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/4d9b00ede714843e43f64c9b0682ac1f408e33fe6502f611e48bfb4846fb8961

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/18909/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::LoadLibraryA
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileMappingW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample