MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 59fb4bd4e92436417345904a73e3000a69583e3dd7220c828636a87f6375978d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 13

Intelligence 13 IOCs YARA 2 File information Comments

SHA256 hash:	59fb4bd4e92436417345904a73e3000a69583e3dd7220c828636a87f6375978d
SHA3-384 hash:	a38fdcea8e32d74123615ba8d870917bee5ed17c0c51cf640a1aeda294f1c59360538484b44d7d00f21a3d2447666ca7
SHA1 hash:	9d5c6a4b20164c6cc97504525a448f9febe746d5
MD5 hash:	ca11377ef09b7e974b2870769a478a9a
humanhash:	may-lamp-floor-johnny
File name:	Cheat-loader.exe
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	9'840'520 bytes
First seen:	2025-07-23 02:46:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	7d746b91e1e57b358f148ed3374f0079 (41 x Rhadamanthys)
ssdeep	196608:7qeW3i/TRY0NXVF2QP1bDxOrQukIRSNZUkehEU1cjKl0U0ViFcf/1vClg2hFCFld:XW3i/qYplDxOsunGZUkeW8/0U0VPAlgJ
Threatray	357 similar samples on MalwareBazaar
TLSH	T10DA6334A199A41F4E6C03930431F6ADF33F156B54D94CC28FEC77D89AA72F62703A992
TrID	28.5% (.EXE) Win64 Executable (generic) (10522/11/4) 17.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 13.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 12.2% (.EXE) Win32 Executable (generic) (4504/4/1) 5.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika	pebin
Reporter	AntiSkidding
Tags:	exe Rhadamanthys

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Cheat-loader.exe

Verdict:

Malicious activity

Analysis date:

2025-07-23 02:47:23 UTC

Tags:

stealer loader auto-sch rhadamanthys shellcode pastebin

Link:

https://app.any.run/tasks/8ffc7378-a6c8-4cce-8246-9eb266b33fa4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/16413/

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68804d3c84b37dd61ef0d663

Tags:

philis trojan hello

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Launching a process

Using the Windows Management Instrumentation requests

Detecting VM

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

invalid-signature overlay packed signed

Link:

https://www.filescan.io/uploads/68804d418a7d628a81bdfa40/reports/323c538b-fac5-4f45-9b5b-11b2ac1826a8/overview

Verdict:

Malicious

Labled as:

Kelios.Generic

Link:

https://www.hybrid-analysis.com/sample/59fb4bd4e92436417345904a73e3000a69583e3dd7220c828636a87f6375978d

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/fdb777c8-ee09-45ee-8424-c8f25d65a137

Score:

91%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/59fb4bd4e92436417345904a73e3000a69583e3dd7220c828636a87f6375978d

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) Win 32 Exe x86

Link:

https://app.malva.re/file/ca11377ef09b7e974b2870769a478a9a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/59fb4bd4e92436417345904a73e3000a69583e3dd7220c828636a87f6375978d/

Verdict:

Malicious

Threat:

Trojan.Win32.Strab

Link:

https://tip.neiki.dev/file/59fb4bd4e92436417345904a73e3000a69583e3dd7220c828636a87f6375978d

Threat name:

Win32.Trojan.Egairtigado

Status:

Malicious

First seen:

2025-07-23 02:47:24 UTC

File Type:

PE (Exe)

AV detection:

17 of 24 (70.83%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=lh5uxvhjeq3ec42fsbfhhyyabjuvqpr524razaugg2uh6y3vs6gq._file

Verdict:

malicious

Label(s):

rhadamanthys

Rhadamanthys

369524330c37beed5c946fd7d74e828565c43ffffbbba57c00253308e3d85e13

Rhadamanthys

46c1c74e34fe4a522e8704e21bf59192010e06a7a03c8ba6b0368804b785738a

Rhadamanthys

545812664008d0b35cf61c15c79526b1d5d05aef886a3f85c9056570fbf13933

Rhadamanthys

8139a31922af1ba39388b3aac3cf3a4c46ef235049347186d9cee83998c03b87

Rhadamanthys

89990966e7fd361dd449c1e8e05ecf8e4c7dcd557d6c354dda2c8b7e8fa6b5d6

Rhadamanthys

98d24d5c3bfee3e88ec04df7195e9465fe4a5b7b268387af9e8673f30608d6ab

Rhadamanthys

ad8ee1e12c4788113097f98503b83d1d7abe4d9e43243f999d40a027caa4f8e9

Rhadamanthys

c02278c06102c8709cdf3bc9772818ad261926827ee85f069def82b2e843653d

Rhadamanthys

error

Rhadamanthys

ff3573ec349f77291b606d9e3f7e252a9103e48e9d390144d5fdd917f18666d9

Rhadamanthys

+ 347 additional samples on MalwareBazaar

Result

Malware family:

rhadamanthys

Score:

10/10

Tags:

family:rhadamanthys discovery stealer

Link:

https://tria.ge/reports/250723-c92jxstks4/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Deletes itself

Detects Rhadamanthys Payload

Rhadamanthys

Rhadamanthys family

Suspicious use of NtCreateUserProcessOtherParentProcess

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/c39a9d1e-35b1-4808-9fff-604fad493443

Unpacked files

SH256 hash:

59fb4bd4e92436417345904a73e3000a69583e3dd7220c828636a87f6375978d

MD5 hash:

ca11377ef09b7e974b2870769a478a9a

SHA1 hash:

9d5c6a4b20164c6cc97504525a448f9febe746d5

Link:

https://www.unpac.me/results/abcf011c-9c55-40e7-92bd-99111393e6c6/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/59fb4bd4e92436417345904a73e3000a69583e3dd7220c828636a87f6375978d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/16413/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::LoadLibraryA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample