MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 501023ffbeb8e60ac29e59b1d06398386cbcf725d7d905f59847b611b6c1f6ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 501023ffbeb8e60ac29e59b1d06398386cbcf725d7d905f59847b611b6c1f6ae
SHA3-384 hash: e8f0a6467625c00e6f6685cc50713d8f34f5b337ff20e6d1a1efa1d9c43c1b48f65fbff0679763547e822617a2bcfb06
SHA1 hash: b26367c5b3c1fa2f9be3649e4b1e9004a6720430
MD5 hash: 796a2856b5cfc1fda9d184927e3920eb
humanhash: lamp-oregon-yankee-grey
File name:setup.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:1'679'519 bytes
First seen:2025-09-28 12:49:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32f3282581436269b3a75b6675fe3e08 (197 x LummaStealer, 122 x Rhadamanthys, 8 x CoinMiner)
ssdeep 49152:IqPfes/WOufmreRmSC0YdsF+E5AlMgFonlvw:ZnesYpjYdsF+E5AKEou
Threatray 60 similar samples on MalwareBazaar
TLSH T12E7533701ADDE433F7E11BBE293964605A6AF9B2817660188F08DDC8B731353C51EB67
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter aachum
Tags:103-245-231-187 AutoIT CypherIT exe Rhadamanthys


Avatar
iamaachum
https://cdxtsd.cfd/ => https://mega.nz/file/R2YGCKpD#Ov9CSI7gwLVLfoAJpPVMDR0UN253zrVqwIB64nctJ3o

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
setup.exe
Verdict:
Malicious activity
Analysis date:
2025-09-28 12:51:46 UTC
Tags:
autoit lumma stealer anti-evasion rhadamanthys
Link:
https://app.any.run/tasks/c3af2191-ea6d-4e82-8158-1bdb296d2659

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/29325/
Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68d92f2673afd01b31e0eaab
Tags:
autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Searching for the window
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a process from a recently created file
DNS request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug blackhole installer invalid-signature microsoft_visual_cc nsis overlay packed signed
Link:
https://www.filescan.io/uploads/68d92f2674e5a2898996c569/reports/38fca0df-e3df-48df-9b2e-48cab685e416/overview
Verdict:
Malicious
Labled as:
Malware_56.0
Link:
https://www.hybrid-analysis.com/sample/501023ffbeb8e60ac29e59b1d06398386cbcf725d7d905f59847b611b6c1f6ae
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-28T09:15:00Z UTC
Last seen:
2025-09-28T09:15:00Z UTC
Hits:
~100
Detections:
HEUR:Backdoor.Win32.Agent.gen Backdoor.Agent.UDP.C&C HEUR:Trojan.Script.AUO.gen
Link:
https://opentip.kaspersky.com/501023ffbeb8e60ac29e59b1d06398386cbcf725d7d905f59847b611b6c1f6ae/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f36a0a54-b6bd-471b-b21e-ca97bf79fafd
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1785483
Signature
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1785483 Sample: setup.exe Startdate: 28/09/2025 Architecture: WINDOWS Score: 100 41 SaJbOBFDlIXHolLu.SaJbOBFDlIXHolLu 2->41 49 Found malware configuration 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected RHADAMANTHYS Stealer 2->53 55 2 other signatures 2->55 11 setup.exe 26 2->11         started        signatures3 process4 file5 39 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 11->39 dropped 14 cmd.exe 1 11->14         started        process6 signatures7 65 Drops PE files with a suspicious file extension 14->65 17 cmd.exe 4 14->17         started        20 conhost.exe 14->20         started        process8 file9 37 C:\Users\user\AppData\Local\...\Fares.scr, PE32+ 17->37 dropped 22 Fares.scr 17->22         started        25 extrac32.exe 20 17->25         started        27 tasklist.exe 1 17->27         started        29 2 other processes 17->29 process10 signatures11 57 Hijacks the control flow in another process 22->57 59 Modifies the context of a thread in another process (thread injection) 22->59 61 Injects a PE file into a foreign processes 22->61 63 Found direct / indirect Syscall (likely to bypass EDR) 22->63 31 Fares.scr 22->31         started        process12 dnsIp13 43 103.245.231.187, 443, 49721 VECTANTARTERIANetworksCorporationJP Japan 31->43 45 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 31->45 47 Found direct / indirect Syscall (likely to bypass EDR) 31->47 35 WerFault.exe 2 31->35         started        signatures14 process15
Score:
76%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/501023ffbeb8e60ac29e59b1d06398386cbcf725d7d905f59847b611b6c1f6ae
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE Memory-Mapped (Dump)
Link:
https://app.malva.re/file/796a2856b5cfc1fda9d184927e3920eb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/501023ffbeb8e60ac29e59b1d06398386cbcf725d7d905f59847b611b6c1f6ae/
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/501023ffbeb8e60ac29e59b1d06398386cbcf725d7d905f59847b611b6c1f6ae
Threat name:
Win32.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-09-28 12:50:41 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kaich756xdtavqu6lgy5ay4yhbwlz5zf27mql5myi63bdnwb62xa._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
02778067900afe0ad74783c87e7dc16247e7971d2941f536321e0192cc326170
Rhadamanthys
0d39cee98ccb7e1b971ba904ca00604866a90fe960b930df65e7d8fa8b1486ae
Rhadamanthys
1fedf5bffa0e08619643f6c90c358f3647cca8cb1fb7ecd86245b46b04918cdb
Rhadamanthys
3cbaa80f0bd0f9bbe90f2f75c960137f0361a790038cf4e30651c6cfccf50340
Rhadamanthys
3d1beeddf32e404cc69ec5a2293b60dc45b147eb7514c718c68b12c68ab13395
Rhadamanthys
433040f5d73d4eec63151e61a65b6aed23578a8dc66360c3d6021b3186fd799b
Rhadamanthys
470ee0d5bd2f72219b279026622cec0ebe3f5c1093bf9d2b2377dda85695968f
Rhadamanthys
cf948755dcc804a8a313bab2cebe0adf0532cace5b8c29a0738b2fed6a2ece50
Rhadamanthys
e01108a2c1db9807c3a7ca8fc19d3a900857c401995d8a00255556a8c895bf37
Rhadamanthys
error
Rhadamanthys
fd2c60745de2be092a0ba2e823434a118ddcaefe8d85eb60e94ea8eec61447b3
Rhadamanthys
+ 50 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery
Link:
https://tria.ge/reports/250928-p3atvawtbs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e9ed01e1-bff5-4c28-9f29-bad33ac1ae72
Unpacked files
SH256 hash:
501023ffbeb8e60ac29e59b1d06398386cbcf725d7d905f59847b611b6c1f6ae
MD5 hash:
796a2856b5cfc1fda9d184927e3920eb
SHA1 hash:
b26367c5b3c1fa2f9be3649e4b1e9004a6720430
Link:
https://www.unpac.me/results/116bd384-42a2-41ef-a0d5-1423b948496f/
SH256 hash:
bb4fb924885b8d6719cb88e7f231abcbb7c2a1c69be92a12ce7bb56bed9129e3
MD5 hash:
094ae615109634f48bede4a612e36fc8
SHA1 hash:
a8b8cbf4d8a7f368b3ae53090bab40a2793657eb
Link:
https://www.unpac.me/results/116bd384-42a2-41ef-a0d5-1423b948496f/
SH256 hash:
8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af
MD5 hash:
08e9796ca20c5fc5076e3ac05fb5709a
SHA1 hash:
07971d52dcbaa1054060073571ced046347177f7
Link:
https://www.unpac.me/results/116bd384-42a2-41ef-a0d5-1423b948496f/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/501023ffbeb8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/501023ffbeb8e60ac29e59b1d06398386cbcf725d7d905f59847b611b6c1f6ae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe 501023ffbeb8e60ac29e59b1d06398386cbcf725d7d905f59847b611b6c1f6ae

(this sample)

  
Link
https://tria.ge/250928-phstxswj12/behavioral2
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/29325/

Comments