MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a19e108f5cd1d94165ea133c1cfdef4676847117c42ae20593a25b22ffa2886. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 16


Intelligence 16 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5a19e108f5cd1d94165ea133c1cfdef4676847117c42ae20593a25b22ffa2886
SHA3-384 hash: cd27544ca75905ae177e5cf2dfdcd5e3bc0d12ddacc4e5f1a25a8964dd1e1de2082a603f2c9ad1c59721ed013c7925fa
SHA1 hash: 6a9d68704a90d449f8c3f3874a94a25608a1ee86
MD5 hash: 4a6a432253a0ff0869cdbb5af900390c
humanhash: bulldog-zebra-utah-mobile
File name:TempSpoofer.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:37'376 bytes
First seen:2025-09-23 19:08:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 768:XmQZqx1lYcJnqnaFFzvbI8+K3omDe0XbOfC11kqP9:X0lYovbI893omCMbO/qP9
Threatray 207 similar samples on MalwareBazaar
TLSH T13AF26B48B798C12FDA5F0E7D64A20661127196620103DB897ECC65EFFFA77408A25FC7
TrID 66.5% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
9.5% (.EXE) Win64 Executable (generic) (10522/11/4)
5.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
4.0% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter tcains1
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TempSpoofer.exe
Verdict:
Malicious activity
Analysis date:
2025-09-23 19:11:17 UTC
Tags:
github anti-evasion stealer rhadamanthys shellcode
Link:
https://app.any.run/tasks/f53100cd-c9cb-446e-afde-f9da9d8e8d66

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/28694/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68d2f0761c026c0646f731b0
Tags:
cobalt spoof
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Сreating synchronization primitives
DNS request
Connection attempt
Sending a custom TCP request
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed ps2exe
Link:
https://www.filescan.io/uploads/68d2f035c24f53840f2f4439/reports/7bf84662-b4dd-4865-b0f4-a70aab6cb8b7/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/5a19e108f5cd1d94165ea133c1cfdef4676847117c42ae20593a25b22ffa2886
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-23T15:51:00Z UTC
Last seen:
2025-09-23T15:51:00Z UTC
Hits:
~100
Detections:
Trojan.Win64.SBEscape.amp PDM:Trojan.Win32.Generic Trojan.Win32.Strab.sb Trojan.Win32.Crypt.sb VHO:Trojan.Win64.SBEscape.gen Trojan-PSW.Win32.Crypt.nu Trojan.Win64.SBEscape.sb NetTool.PowerShellGet.HTTP.C&C NetTool.PowerShellUA.HTTP.C&C
Link:
https://opentip.kaspersky.com/5a19e108f5cd1d94165ea133c1cfdef4676847117c42ae20593a25b22ffa2886/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/23ce6cda-7dbf-4865-bd86-cf05283cb6ea
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5a19e108f5cd1d94165ea133c1cfdef4676847117c42ae20593a25b22ffa2886
Verdict:
Malware
YARA:
12 match(es)
Tags:
.Net DeObfuscated Executable Managed .NET PE (Portable Executable) PE File Layout PowerShell SOS: 0.34 Win 32 Exe x86
Link:
https://app.malva.re/file/4a6a432253a0ff0869cdbb5af900390c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5a19e108f5cd1d94165ea133c1cfdef4676847117c42ae20593a25b22ffa2886/
Verdict:
Malicious
Threat:
Family.RHADAMANTHYS
Link:
https://tip.neiki.dev/file/5a19e108f5cd1d94165ea133c1cfdef4676847117c42ae20593a25b22ffa2886
Threat name:
ByteCode-MSIL.Spyware.Rhadamanthys
Create hunting rule
Status:
Malicious
First seen:
2025-09-23 19:09:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
20 of 38 (52.63%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lim6cchvzuozifs6uez4dt666rtwqryrprbk4iczhis3el72fcda._file
Verdict:
suspicious
Label(s):
admintool_ps2exe
Create hunting rule
Similar samples:
419a94efe1f66bbc2244de83a034883751ae838f4ab7485c5475b6cf7e2e72a2
Rhadamanthys
6b5266685f3fe4ca9e4d7cf5b16b26fcae1c215eb9933eb471240d4daaecdaf5
Rhadamanthys
8557f5c30c41bab3c3fe4431ce1757458967f493ec0324a67359ea90defac9f0
Rhadamanthys
925a447b319c05bc4ebe88b3a4404a84351e01026ef4de8d65bed475c9859be9
Rhadamanthys
99f9692c01489daaec146807f05e426b9dd73be2d880fb0a1648c0e990aaeb15
Rhadamanthys
bd322aca125d095bb81195df86f43772187bc4f5133ff8f78c84c7ee11a9b8d1
Rhadamanthys
c3d9dd9bab61c9f89d63481bb2bb18083dfe6f6a661310ed428b9efa893b65e7
Rhadamanthys
daa1e8c37f131efe55995260e3772db5bfe8d3d5c5c96d2adc7a55492aab0bae
Rhadamanthys
error
Rhadamanthys
f553605fb8722472509ee1612fe24c835aec8d7a71d3554d59983f3524467725
Rhadamanthys
f8735125bde9396b8aba244bd75f0dc1331a6ba0b5bc4741ac6a83531dd58003
Rhadamanthys
+ 197 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys discovery stealer
Link:
https://tria.ge/reports/250923-xthgbsvwc1/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Executes dropped EXE
Downloads MZ/PE file
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/50ae1b7e-29a1-4a63-b090-8b04d74e6332
Unpacked files
SH256 hash:
5a19e108f5cd1d94165ea133c1cfdef4676847117c42ae20593a25b22ffa2886
MD5 hash:
4a6a432253a0ff0869cdbb5af900390c
SHA1 hash:
6a9d68704a90d449f8c3f3874a94a25608a1ee86
Link:
https://www.unpac.me/results/b5a58acb-df59-4690-99e8-0d5e28845b9f/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5a19e108f5cd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.77
Link:
https://yomi.yoroi.company/submissions/5a19e108f5cd1d94165ea133c1cfdef4676847117c42ae20593a25b22ffa2886

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:Detect_Zoom_Invite_malware_RAT_C2
Create hunting rule
Author:daniyyell
Description:Detects Zoom Invite Call Leading to Malware Hosted in Telegram C2
Rule name:Disable_Defender
Create hunting rule
Author:iam-py-test
Description:Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:SUSP_Scheduled_Tasks_Create_From_Susp_Dir
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects a PowerShell Script that creates a Scheduled Task that runs from an suspicious directory
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:WIN_ClickFix_Detection
Create hunting rule
Author:dogsafetyforeverone
Description:Detects ClickFix social engineering technique using 'Verify you are human' messages and malicious PowerShell commands
Reference:ClickFix social engineering and malicious PowerShell commands

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe 5a19e108f5cd1d94165ea133c1cfdef4676847117c42ae20593a25b22ffa2886

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3628358/
Cape
Cape
https://www.capesandbox.com/analysis/28694/
  
URLhaus
https://urlhaus.abuse.ch/url/3630545/
  
URLhaus
https://urlhaus.abuse.ch/url/3628367/

Comments