MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4de6d6ec40ea5f34c83708e525fe46d4d661f3211ba2484bb8380bd2659927fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4de6d6ec40ea5f34c83708e525fe46d4d661f3211ba2484bb8380bd2659927fe
SHA3-384 hash: 4722977919f27546ee5a7931874b54aa66e9e73c6f993b14a24a0475f854f9aec1994b152a61d714a9a9bedcbe6e2a6e
SHA1 hash: 63619d56b2883ae841b79020e622bc1528e2d272
MD5 hash: 3695af7214e69ffe506dc145e8bb8e47
humanhash: friend-hawaii-three-london
File name:Software.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:10'412'936 bytes
First seen:2025-07-31 10:21:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e07647ab48d4be367afc7221135c1e04 (12 x Rhadamanthys)
ssdeep 196608:8VjScVcPWEtRk4iQT+7edIOzw/BUDYbHv+5gLxP3GCJsSyMgMGk6g:8gacFtO2T0eaOzw/Bqqv++/Jsf97g
TLSH T1A8A63387289B81FDE9C52930571B7FCF33F296B649858C38EAC478879911F357326862
TrID 28.5% (.EXE) Win64 Executable (generic) (10522/11/4)
17.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
13.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.2% (.EXE) Win32 Executable (generic) (4504/4/1)
5.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter burger
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
46
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Software.exe
Verdict:
Malicious activity
Analysis date:
2025-07-31 10:21:26 UTC
Tags:
rhadamanthys shellcode
Link:
https://app.any.run/tasks/2639e98a-dc7a-4ce1-9c05-067a958badc6

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/17984/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=688b43a60b4775fb2133e526
Tags:
injection obfusc virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Using the Windows Management Instrumentation requests
Detecting VM
DNS request
Connection attempt
Sending a custom TCP request
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
invalid-signature overlay packed signed
Link:
https://www.filescan.io/uploads/688b43ddc79df08ef0994433/reports/d9906283-06eb-4f5b-9f07-74ffd3c44970/overview
Verdict:
Malicious
Labled as:
Kelios.Generic
Link:
https://www.hybrid-analysis.com/sample/4de6d6ec40ea5f34c83708e525fe46d4d661f3211ba2484bb8380bd2659927fe
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/cec19da1-cc2c-4418-9dd5-a281bb8a49d8
Result
Threat name:
RHADAMANTHYS, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1747694
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious PE digital signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Checks if the current machine is a virtual machine (disk enumeration)
Deletes itself after installation
Disable Windows Defender notifications (registry)
Early bird code injection technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies windows update settings
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to harvest and steal browser information (history, passwords, etc)
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RHADAMANTHYS Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1747694 Sample: Software.exe Startdate: 31/07/2025 Architecture: WINDOWS Score: 100 92 ts1.aco.net 2->92 94 time.google.com 2->94 96 5 other IPs or domains 2->96 116 Antivirus detection for dropped file 2->116 118 Multi AV Scanner detection for submitted file 2->118 120 Yara detected RHADAMANTHYS Stealer 2->120 122 6 other signatures 2->122 12 Software.exe 2->12         started        15 svchost.exe 2->15         started        17 cmd.exe 2->17         started        19 6 other processes 2->19 signatures3 process4 signatures5 146 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 12->146 148 Found many strings related to Crypto-Wallets (likely being stolen) 12->148 150 Switches to a custom stack to bypass stack traces 12->150 21 OpenWith.exe 12->21         started        152 Changes security center settings (notifications, updates, antivirus, firewall) 15->152 25 conhost.exe 17->25         started        27 schtasks.exe 17->27         started        process6 dnsIp7 106 xmas-song-dungeon.world 104.37.175.226, 1888, 49726, 49740 MAJESTIC-HOSTING-01US United States 21->106 108 cloudflare-dns.com 104.16.249.249, 443, 49725, 49739 CLOUDFLARENETUS United States 21->108 138 Query firmware table information (likely to detect VMs) 21->138 140 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 21->140 142 Deletes itself after installation 21->142 144 3 other signatures 21->144 29 dllhost.exe 5 21->29         started        signatures8 process9 dnsIp10 110 xmas-song-dungeon.world 29->110 112 time-a-g.nist.gov 129.6.15.28, 123, 54419 US-NATIONAL-INSTITUTE-OF-STANDARDS-AND-TECHNOLOGYUS United States 29->112 114 7 other IPs or domains 29->114 88 C:\Users\user\AppData\Local\...\91qo1J2.exe, PE32+ 29->88 dropped 90 C:\Users\user\AppData\Local\...\6k(1.exe, PE32 29->90 dropped 162 System process connects to network (likely due to code injection or exploit) 29->162 164 Early bird code injection technique detected 29->164 166 Found many strings related to Crypto-Wallets (likely being stolen) 29->166 168 3 other signatures 29->168 34 91qo1J2.exe 9 2 29->34         started        38 wmpnscfg.exe 29->38         started        40 6k(1.exe 29->40         started        42 2 other processes 29->42 file11 signatures12 process13 file14 84 C:\ProgramData\Microsoft\...\WmiPrvSE.exe, PE32+ 34->84 dropped 124 Query firmware table information (likely to detect VMs) 34->124 126 Modifies windows update settings 34->126 128 Adds a directory exclusion to Windows Defender 34->128 136 2 other signatures 34->136 44 cmd.exe 1 34->44         started        47 cmd.exe 34->47         started        49 powershell.exe 23 34->49         started        62 15 other processes 34->62 130 Writes to foreign memory regions 38->130 132 Allocates memory in foreign processes 38->132 51 dllhost.exe 38->51         started        86 C:\Users\user\AppData\...\UserOOBEBroker.exe, PE32 40->86 dropped 134 Antivirus detection for dropped file 40->134 54 cmd.exe 40->54         started        56 cmd.exe 40->56         started        58 chrome.exe 42->58         started        60 chrome.exe 42->60         started        signatures15 process16 dnsIp17 154 Uses schtasks.exe or at.exe to add and modify task schedules 44->154 156 Uses powercfg.exe to modify the power settings 44->156 158 Modifies power options to not sleep / hibernate 44->158 64 net.exe 1 44->64         started        66 conhost.exe 44->66         started        76 4 other processes 47->76 160 Loading BitLocker PowerShell Module 49->160 68 conhost.exe 49->68         started        70 WmiPrvSE.exe 49->70         started        98 45.141.233.252, 44133, 49745, 49750 ASDETUKhttpwwwheficedcomGB Bulgaria 51->98 72 conhost.exe 54->72         started        74 schtasks.exe 54->74         started        78 2 other processes 56->78 100 googlehosted.l.googleusercontent.com 142.250.176.193, 443, 49736, 49737 GOOGLEUS United States 58->100 102 127.0.0.1 unknown unknown 58->102 104 clients2.googleusercontent.com 58->104 80 17 other processes 62->80 signatures18 process19 process20 82 net1.exe 1 64->82         started       
Score:
93%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4de6d6ec40ea5f34c83708e525fe46d4d661f3211ba2484bb8380bd2659927fe
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/3695af7214e69ffe506dc145e8bb8e47
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4de6d6ec40ea5f34c83708e525fe46d4d661f3211ba2484bb8380bd2659927fe/
Verdict:
Malicious
Threat:
Family.RHADAMANTHYS
Link:
https://tip.neiki.dev/file/4de6d6ec40ea5f34c83708e525fe46d4d661f3211ba2484bb8380bd2659927fe
Threat name:
Win32.Trojan.Kelios
Create hunting rule
Status:
Malicious
First seen:
2025-07-31 10:21:41 UTC
File Type:
PE (Exe)
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jxtnn3ca5jptjsbxbdssl7sg2tlgd4zbdoreqs5yhaf5ezmze77a._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
error
Rhadamanthys
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys discovery stealer
Link:
https://tria.ge/reports/250731-meastsvkt7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Deletes itself
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3a9963e7-1e9b-4276-b074-21df0ae2a6da
Unpacked files
SH256 hash:
4de6d6ec40ea5f34c83708e525fe46d4d661f3211ba2484bb8380bd2659927fe
MD5 hash:
3695af7214e69ffe506dc145e8bb8e47
SHA1 hash:
63619d56b2883ae841b79020e622bc1528e2d272
Link:
https://www.unpac.me/results/a6cf8eb4-a910-4dc8-ab87-c91e52dc208a/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4de6d6ec40ea/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/4de6d6ec40ea5f34c83708e525fe46d4d661f3211ba2484bb8380bd2659927fe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_beacon_detected
Create hunting rule
Author:0x0d4y
Description:This rule detects cobalt strike beacons.
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/17984/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileMappingW

Comments