MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55c3a3fdfe1e890d055ade7d6bbeeb83f04bbbc46aeab5cd9c8550cf67a659db. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 18

SHA256 hash: 55c3a3fdfe1e890d055ade7d6bbeeb83f04bbbc46aeab5cd9c8550cf67a659db
SHA3-384 hash: 14a86f0286a20eab50b96b62abc24df23912af840d5cc747334e85d8dc364f115709f63181563be42f6e3bc1e559f0e2
SHA1 hash: 876451b4fd50832017b54c0f17b0ba50693e6779
MD5 hash: 6a018e446f5af1a8b486ee12552fe4a6
humanhash: paris-failed-eighteen-sierra
File name: 6a018e446f5af1a8b486ee12552fe4a6.exe
Signature: Rhadamanthys
File size: 591'872 bytes
First seen: 2025-09-19 05:53:24 UTC
Last seen: 2025-09-19 08:18:56 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 96620b4583109e432b518b4c8a70a644 (1 x Rhadamanthys)
ssdeep: 12288:QZ1Gm4YdxqaqWhL4bj12lLariDL95Db6s9G+Ws3cEmgXO5VzyewYKU5gj5XfEWYY:Acb52lLariDbb6s9EAcYsVzzwT9j5BYY
Threatray: 414 similar samples on MalwareBazaar
TLSH: T16BC49D4F50760837D2A816FB847A5345861B60A851D2057FE3D9CDE7CE0E6A3ABF072E
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: abuse_ch
Tags: exe Rhadamanthys

Intelligence

File Origin
# of uploads: 3
# of downloads: 106
Origin country: SE
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: file.exe
Verdict: Malicious activity
Analysis date: 2025-09-19 04:20:39 UTC
Tags: loader stealc stealer anti-evasion auto-reg clipper diamotrix rhadamanthys shellcode
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 93.3%
Tags: infosteal virus

Verdict: Malware

Maliciousness:
  Verdict: Likely Malicious
  Threat level: 7.5/10
  Confidence: 100%
Tags: adaptive-context microsoft_visual_cc

Verdict: Malicious
File Type: exe x32
First seen: 2025-09-15T18:25:00Z UTC
Last seen: 2025-09-15T18:25:00Z UTC
Hits: ~100
Detections: VHO:Trojan-PSW.Win32.Crypt.gen, Trojan-PSW.Win32.Rhadamanthys.sb, Trojan.Win64.SBEscape.sb, Trojan.Win32.Strab.sb, HEUR:Trojan.Win32.SBEscape.gen

Threat name: Clipboard Hijacker, RHADAMANTHYS, Stealc
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature:
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Changes memory attributes in foreign processes to executable or writable
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the document folder of the user
Drops PE files to the user root directory
Early bird code injection technique detected
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office process tries to detect installed antivirus files
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Sets debug register (to hijack the execution of another thread)
Sigma detected: Potentially Suspicious Child Process Of Regsvr32
Sigma detected: Powershell launch regsvr32
Suricata IDS alerts for network traffic
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
Yara detected Clipboard Hijacker
Yara detected RHADAMANTHYS Stealer
Yara detected Stealc v2
Behaviour
Behavior Graph (graph node IDs in parentheses):
Behavior Graph ID: 1780479
Sample: YHu5agZgoH.exe
Start date: 19/09/2025
Architecture: WINDOWS
Score: 100

Start (2)
  Network: gbg1.ntp.se; x.ns.gin.ntt.net; 6 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures
  Started: YHu5agZgoH.exe (15); elevation_service.exe (19); elevation_service.exe (21); 2 other processes (23)

YHu5agZgoH.exe (15)
  Network: 62.60.226.146, ports 49718, 49735, 49736 (ASLINE-AS-AP ASLINE LIMITED HK, Iran (Islamic Republic of))
  Signatures: Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
  Started: dllhost.exe (25)

dllhost.exe (25)
  Network: ntp.time.nl 94.198.159.10 (SIDN NL, Netherlands); x.ns.gin.ntt.net 129.250.35.250 (NTT-COMMUNICATIONS-2914 US, United States); 5 other IPs or domains
  Dropped: C:\Users\user\AppData\Local\...\{yRZN8k.exe (PE32+); C:\Users\user\AppData\Local\...\hdr%8RwE9.exe (PE32+); C:\Users\user\AppData\...\W%q7C67@}3.exe (PE32); C:\Users\user\AppData\Local\...\8Az5A-S.exe (PE32+)
  Signatures: Early bird code injection technique detected; Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc); 2 other signatures
  Started: 8Az5A-S.exe (30); hdr%8RwE9.exe (34); W%q7C67@}3.exe (36); 4 other processes (38)

8Az5A-S.exe (30)
  Dropped: C:\Users\user\AppData\Roaming\...\System.exe (PE32+)
  Signatures: Multi AV Scanner detection for dropped file; Changes memory attributes in foreign processes to executable or writable; Creates multiple autostart registry keys; 6 other signatures
  Injected: explorer.exe (40)

hdr%8RwE9.exe (34)
  Dropped: C:\Users\user\AppData\...\unicodedata.pyd (PE32+); C:\Users\user\AppData\Local\...\ucrtbase.dll (PE32+); C:\Users\user\AppData\Local\...\select.pyd (PE32+); 47 other malicious files
  Started: hdr%8RwE9.exe (45)

W%q7C67@}3.exe (36)
  Dropped: C:\Users\user\AppData\...\W%q7C67@}3.tmp (PE32)
  Signatures: Antivirus detection for dropped file
  Started: W%q7C67@}3.tmp (47)

4 other processes (38)
  Signatures: Suspicious powershell command line found; Found many strings related to Crypto-Wallets (likely being stolen); Sets debug register (to hijack the execution of another thread); 2 other signatures
  Started: {yRZN8k.exe (49); chrome.exe (51); chrome.exe (53)

explorer.exe (40, injected)
  Network: 158.94.208.102 (JANET Jisc Services Limited GB, United Kingdom); 158.94.208.190 (JANET Jisc Services Limited GB, United Kingdom)
  Dropped: C:\Users\user\AppData\Local\...\FFCF.tmp.exe (PE32+); C:\Users\user\AppData\Local\...\3B4D.tmp.exe (PE32); C:\Users\user\AppData\Local\...\27C1.tmp.exe (PE32); 5 other malicious files
  Signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
  Started: 1416.tmp.exe (55); FFCF.tmp.exe (59); System.exe (61); 3 other processes (65)

W%q7C67@}3.tmp (47)
  Dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32)
  Started: W%q7C67@}3.exe (63)

{yRZN8k.exe (49)
  Dropped: C:\ProgramData\ebecabcdbbbdc.exe (PE32+)
  Signatures: Creates autostart registry keys with suspicious names; Creates multiple autostart registry keys; Injects code into the Windows Explorer (explorer.exe); 4 other signatures

chrome.exe (51)
  Network: 127.0.0.1; 192.168.2.4, ports 443, 49708, 49718; 2 other IPs or domains

1416.tmp.exe (55)
  Dropped: C:\Users\user\Videos\Update.exe (PE32); C:\Users\user\Update.exe (PE32); C:\Users\user\Searches\Update.exe (PE32); 36 other malicious files
  Signatures: Multi AV Scanner detection for dropped file; Drops PE files to the document folder of the user; Drops PE files to the user root directory
  Started: DfIl2.exe (67); DfIl3.exe (72); DfIl4.exe (74); DfIl1.exe (76)

FFCF.tmp.exe (59)
  Dropped: C:\Users\user\AppData\...\unicodedata.pyd (PE32+); C:\Users\user\AppData\Local\...\ucrtbase.dll (PE32+); 48 other malicious files
  Started: FFCF.tmp.exe (78)

System.exe (61)
  Signatures: Changes memory attributes in foreign processes to executable or writable; Injects code into the Windows Explorer (explorer.exe); Writes to foreign memory regions; 2 other signatures

W%q7C67@}3.exe (63)
  Dropped: C:\Users\user\AppData\...\W%q7C67@}3.tmp (PE32)
  Started: W%q7C67@}3.tmp (80)

3 other processes (65)
  Dropped: C:\Users\user\AppData\Local\...\27C1.tmp.tmp (PE32)
  Signatures: Antivirus detection for dropped file; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes
  Started: 27C1.tmp.tmp (82)

DfIl2.exe (67)
  Network: 176.46.152.46 (ESTPAK EE, Iran (Islamic Republic of))
  Dropped: C:\Users\user\AppData\...\gQrl2LnFBQ9N.exe (PE32+); 7 other malicious files
  Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Early bird code injection technique detected; 4 other signatures
  Started: chrome.exe (84)

DfIl3.exe (72)
  Signatures: Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes
  Started: DfIl3.exe (86)

DfIl4.exe (74)
  Dropped: C:\Users\user\AppData\Local\...\DfIl4.tmp (PE32)

W%q7C67@}3.tmp (80)
  Dropped: C:\Users\user\is-E0E45.tmp (PE32+); C:\Users\user\SteelBlue9.dat (copy) (PE32+); C:\Users\user\AppData\Roaming\is-BL3H0.tmp (PE32); 3 other malicious files
  Signatures: Drops PE files to the user root directory; Office process tries to detect installed antivirus files
  Started: regsvr32.exe (88)

27C1.tmp.tmp (82)
  Dropped: C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\AppData\Local\...\_iscrypt.dll (PE32)

regsvr32.exe (88)
  Started: regsvr32.exe (90)

regsvr32.exe (90)
  Signatures: Suspicious powershell command line found
  Started: powershell.exe (93)

powershell.exe (93)
  Signatures: Loading BitLocker PowerShell Module
  Started: conhost.exe (96)
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PDB Path PE (Portable Executable) PE File Layout Win 32 Exe x86

Threat name: Win32.Trojan.Nekark
Status: Malicious
First seen: 2025-09-16 01:06:27 UTC
File Type: PE (Exe)
AV detection: 18 of 24 (75.00%)
Threat level: 5/5

Malware family: rhadamanthys
Score: 10/10
Tags: family:rhadamanthys discovery stealer
Behaviour:
  System Location Discovery: System Language Discovery
  Detects Rhadamanthys Payload
  Rhadamanthys
  Rhadamanthys family

Verdict: Suspicious
Tags: n/a
YARA: n/a

Unpacked files
SHA256 hash: 55c3a3fdfe1e890d055ade7d6bbeeb83f04bbbc46aeab5cd9c8550cf67a659db
MD5 hash: 6a018e446f5af1a8b486ee12552fe4a6
SHA1 hash: 876451b4fd50832017b54c0f17b0ba50693e6779
Malware family: Rhadamanthys
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  Rhadamanthys
  Executable exe 55c3a3fdfe1e890d055ade7d6bbeeb83f04bbbc46aeab5cd9c8550cf67a659db (this sample)

Delivery method: Distributed via web download

Comments