MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ede371503e24bc910542dd8164deb8e8395ee5f0e0d0cc0408f51a17f40ace1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 14


Intelligence 14 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ede371503e24bc910542dd8164deb8e8395ee5f0e0d0cc0408f51a17f40ace1
SHA3-384 hash: 43ae745774a2a1e2f51e97eff1f32d8e7a744d306470dd1257b48cb0d466b1cac71ec54c2819b6440acfab658f24e256
SHA1 hash: 831134d3076191d76da34c43aefcfadff521e2d0
MD5 hash: 81af32afbae3481a9783e8ab715142c0
humanhash: speaker-mobile-item-fourteen
File name:file
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:1'622'016 bytes
First seen:2025-10-30 20:24:02 UTC
Last seen:2025-10-31 10:32:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 68 x LummaStealer, 61 x Rhadamanthys)
ssdeep 24576:pjFYPulYjCYne9xZ9un3btoc6GkH0FrBuvNPycznxU9fk6ciilXQlsRqbimUK:pjeulcCYne9+2HrHbn16cXlXMY6v
TLSH T1B075234ACAD810A9D0B6A37C85F003679B31B4714B7942AF65CD88B58F53BD8B931F26
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe Rhadamanthys


Avatar
Bitsight
url: http://178.16.55.189/files/7559408112/3rLRc0r.exe

Intelligence

File Origin
# of uploads :
12
# of downloads :
105
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
main.exe
Verdict:
Malicious activity
Analysis date:
2025-10-30 13:45:29 UTC
Tags:
auto xworm rat python github possible-phishing amadey botnet stealer clickfix dcrat meterpreter backdoor payload metasploit miner asyncrat remote rhadamanthys xenorat tinynuke njrat donutloader loader remcos stealc generic lumma coinminer quasar agenttesla katzstealer svc vidar masslogger nanocore purelogs gh0st httpdebugger tool socks5systemz proxybot formbook snake keylogger bladabindi anti-evasion redline phishing salatstealer vipkeylogger purecrypter darktortilla crypter xtinyloader rustystealer lokibot aurotun venom clipper diamotrix pyinstaller hijackloader ghostsocks proxyware gcleaner ultravnc rmm-tool auto-sch-xml telegram frp ftp exfiltration
Link:
https://app.any.run/tasks/e2274dea-0974-4963-9d6c-a8706564d7c7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34843/
Detection(s):
SecuriteInfo.com.Trojan.KillProc2.18834.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6903cd829942f1282ecaab8e
Tags:
autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Running batch commands
Moving a file to the %temp% subdirectory
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a window
Creating a process from a recently created file
DNS request
Unauthorized injection to a recently created process
Сreating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
CAB installer lolbin microsoft_visual_cc obfuscated packed packed packer_detected rundll32 runonce threat
Link:
https://www.filescan.io/uploads/6903c993a3d1631095226909/reports/7586488d-bcd9-4c8c-9405-372cdea01f5a/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/4ede371503e24bc910542dd8164deb8e8395ee5f0e0d0cc0408f51a17f40ace1
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-10-30T13:41:00Z UTC
Last seen:
2025-11-01T05:17:00Z UTC
Hits:
~10
Detections:
VHO:Backdoor.Win32.Agent.gen HEUR:Trojan-Dropper.Win32.Agent.gen HEUR:Trojan.Script.AUO.gen Backdoor.Agent.UDP.C&C
Link:
https://opentip.kaspersky.com/4ede371503e24bc910542dd8164deb8e8395ee5f0e0d0cc0408f51a17f40ace1/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/4bfefe2f-a8ec-4516-8f12-eea89008f9c8
Score:
75%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/4ede371503e24bc910542dd8164deb8e8395ee5f0e0d0cc0408f51a17f40ace1
Verdict:
inconclusive
YARA:
6 match(es)
Tags:
AutoIt CAB:COMPRESSION:LZX CAB:COMPRESSION:MSZIP Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/81af32afbae3481a9783e8ab715142c0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4ede371503e24bc910542dd8164deb8e8395ee5f0e0d0cc0408f51a17f40ace1/
Verdict:
Malicious
Threat:
Family.RHADAMANTHYS
Link:
https://tip.neiki.dev/file/4ede371503e24bc910542dd8164deb8e8395ee5f0e0d0cc0408f51a17f40ace1
Threat name:
Win64.Spyware.Rhadamanthys
Create hunting rule
Status:
Malicious
First seen:
2025-10-30 20:25:45 UTC
File Type:
PE+ (Exe)
Extracted files:
31
AV detection:
21 of 38 (55.26%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=j3pdofid4jf4secufxmbmtplr2bzl3s7bygqzqcar5i2c72avtqq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/251030-y65m3acv2c/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Unpacked files
SH256 hash:
4ede371503e24bc910542dd8164deb8e8395ee5f0e0d0cc0408f51a17f40ace1
MD5 hash:
81af32afbae3481a9783e8ab715142c0
SHA1 hash:
831134d3076191d76da34c43aefcfadff521e2d0
Link:
https://www.unpac.me/results/d776e45c-8d5a-4072-a2ce-11ddc7f7efb8/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4ede371503e2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4ede371503e24bc910542dd8164deb8e8395ee5f0e0d0cc0408f51a17f40ace1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe 4ede371503e24bc910542dd8164deb8e8395ee5f0e0d0cc0408f51a17f40ace1

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/34843/
  
URLhaus
https://urlhaus.abuse.ch/url/3687920/

Comments