MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5463c50813c1c23b8c7317521fa0d838639932a0f13bf5ae89e009f3713eeb3b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Rhadamanthys


Vendor detections: 12



SHA256 hash: 5463c50813c1c23b8c7317521fa0d838639932a0f13bf5ae89e009f3713eeb3b
SHA3-384 hash: 4d98d871917890505e170eb784aa5bba6444a97361ae574f2a70402a44f6eccc909c42e13996c2e166ef07437dd3413c
SHA1 hash: 692f3749ee86c3d8e86fa01ef825c5481ef787f6
MD5 hash: f6aef42f378de27b578513c4abc2be14
humanhash: speaker-uncle-wolfram-aspen
File name: 1.ps1
Signature: Rhadamanthys
File size: 16'738 bytes
First seen: 2025-09-28 13:12:54 UTC
Last seen: Never
File type: PowerShell (PS) ps1
MIME type: text/plain
ssdeep: 384:JXNGJbj01cLgoGjYehcgkGEqCvMOlBvit6IamnhA5j/:3GJbj0aw/EqOB5L5j/
Threatray: 471 similar samples on MalwareBazaar
TLSH: T18F72E1127334456A0E4FC6FBE83275DFF1AB8932853208D1B492BA6027CAFD02076E85
Magika: powershell
Reporter: aachum
Tags: 185-141-216-74 202-71-14-181 ClickFix FakeCaptcha ps1 Rhadamanthys


iamaachum
https://google-security-bypass.pages.dev/ => http://185.141.216.74/1.txt

Intelligence


File Origin
# of uploads: 1
# of downloads: 289
Origin country: ES

Vendor Threat Intelligence

Verdict: Malicious
Score: 92.5%
Tags: trojan agent shell

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: explorer golang lolbin obfuscated

Verdict: Malicious
File Type: ps1
First seen: 2025-09-28T10:21:00Z UTC
Last seen: 2025-09-28T10:21:00Z UTC
Hits: ~10
Detections: Trojan-Downloader.PowerShell.Agent.sb Trojan-Downloader.Agent.HTTP.C&C Trojan.Win64.SBEscape.sb Trojan.Win32.Crypt.sb PDM:Trojan.Win32.Generic Trojan.Win64.SBEscape.app NetTool.PowerShellUA.HTTP.C&C NetTool.PowerShellGet.HTTP.C&C

Result
Threat name: RHADAMANTHYS
Detection: malicious
Classification: troj.evad.mine
Score: 80 / 100
Signature
AI detected malicious Powershell script
Antivirus detection for URL or domain
Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)
Drops PE files to the user root directory
Loading BitLocker PowerShell Module
Potentially malicious time measurement code found
Powershell drops PE file
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph (ID 1785498, sample 1.ps1, start date 28/09/2025, architecture WINDOWS, score 80; graph image not reproduced here): powershell.exe connects to 185.141.216.74:80 (GSWIFTTR, Turkey), drops C:\Users\user\Octavian.exe (PE32+) and starts explorer.exe and conhost.exe; explorer.exe starts Octavian.exe, which starts OpenWith.exe; OpenWith.exe connects to 202.71.14.181:443 (RKINFRATEL-INRKINFRATELLIMITEDIN, India) and starts WerFault.exe.

Verdict: Malware
YARA: 1 match(es)
Tags: Base64 Block Contains Base64 Block DeObfuscated PowerShell

Threat name: Script-PowerShell.Trojan.Rhadamanthys
Status: Suspicious
First seen: 2025-09-28 13:13:27 UTC
File Type: Text
AV detection: 7 of 24 (29.17%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: execution
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Badlisted process makes network request
Downloads MZ/PE file
Suspicious use of NtCreateUserProcessOtherParentProcess

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Rhadamanthys
File type: PowerShell (PS) ps1
SHA256: 5463c50813c1c23b8c7317521fa0d838639932a0f13bf5ae89e009f3713eeb3b (this sample)

Comments