MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5ba89a0dd9520d5aa1bbf4aa4714aabbe96212fa208cc11c6e9123429f194f5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5ba89a0dd9520d5aa1bbf4aa4714aabbe96212fa208cc11c6e9123429f194f5f
SHA3-384 hash: cc35822c3a4c104f5fffca93eefbe36ec2bc92211938d347de3b5cbb98c17526ce7a5104e80be2f175cfd68a9e60eb7e
SHA1 hash: 57dd2856a5cb570d115f14fe75e6dea498d176c5
MD5 hash: bb40a0257e8f8000102b7db55e88fb17
humanhash: red-apart-batman-arizona
File name:LuxuryLoader.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:9'791'880 bytes
First seen:2025-08-05 20:27:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e07647ab48d4be367afc7221135c1e04 (12 x Rhadamanthys)
ssdeep 196608:NsP8RW39wI4/uZmMUOCI70LBaFqlyykxURjF:NQoWtnzZmM4q0LB2q0ykmF
Threatray 229 similar samples on MalwareBazaar
TLSH T19CA633D61D9A80F4E9C1147CC62F5ACB33F362E649848C2CE8C869C6D552F72B077DA6
TrID 28.5% (.EXE) Win64 Executable (generic) (10522/11/4)
17.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
13.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.2% (.EXE) Win32 Executable (generic) (4504/4/1)
5.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter burger
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
57
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
LuxuryLoader.exe
Verdict:
Malicious activity
Analysis date:
2025-08-05 20:27:04 UTC
Tags:
rhadamanthys shellcode
Link:
https://app.any.run/tasks/59804ae1-7d3c-4c9b-96cd-46f4deaf0e2c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/19079/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689269171e8a59ee04e5f02d
Tags:
injection obfusc virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Using the Windows Management Instrumentation requests
Detecting VM
DNS request
Connection attempt
Sending a custom TCP request
Sending a UDP request
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
invalid-signature overlay packed signed
Link:
https://www.filescan.io/uploads/689269329ef4d2ff7cec8630/reports/7a289c32-f1d0-4e2c-80f1-0cceac6b0dff/overview
Verdict:
Malicious
Labled as:
Kelios.Generic
Link:
https://www.hybrid-analysis.com/sample/5ba89a0dd9520d5aa1bbf4aa4714aabbe96212fa208cc11c6e9123429f194f5f
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/73dc2c2d-88a4-453f-9f87-90ab6be3c9f9
Result
Threat name:
RHADAMANTHYS, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1750863
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious PE digital signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Checks if the current machine is a virtual machine (disk enumeration)
Deletes itself after installation
Disable Windows Defender notifications (registry)
Early bird code injection technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RHADAMANTHYS Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1750863 Sample: LuxuryLoader.exe Startdate: 05/08/2025 Architecture: WINDOWS Score: 100 93 x.ns.gin.ntt.net 2->93 95 ts1.aco.net 2->95 97 5 other IPs or domains 2->97 125 Antivirus detection for dropped file 2->125 127 Multi AV Scanner detection for dropped file 2->127 129 Multi AV Scanner detection for submitted file 2->129 131 7 other signatures 2->131 12 LuxuryLoader.exe 2->12         started        15 svchost.exe 2->15         started        17 cmd.exe 2->17         started        19 10 other processes 2->19 signatures3 process4 dnsIp5 155 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 12->155 157 Found many strings related to Crypto-Wallets (likely being stolen) 12->157 159 Switches to a custom stack to bypass stack traces 12->159 22 OpenWith.exe 12->22         started        161 Changes security center settings (notifications, updates, antivirus, firewall) 15->161 26 conhost.exe 17->26         started        28 schtasks.exe 17->28         started        99 127.0.0.1 unknown unknown 19->99 signatures6 process7 dnsIp8 101 cloudflare-dns.com 104.16.248.249, 443, 49724, 49740 CLOUDFLARENETUS United States 22->101 103 nexus-cloud-360.com 45.141.233.250, 1888, 49726 ASDETUKhttpwwwheficedcomGB Bulgaria 22->103 147 Query firmware table information (likely to detect VMs) 22->147 149 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 22->149 151 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 22->151 153 4 other signatures 22->153 30 dllhost.exe 5 22->30         started        signatures9 process10 dnsIp11 111 nexus-cloud-360.com 30->111 113 time-a-g.nist.gov 129.6.15.28, 123, 50317 US-NATIONAL-INSTITUTE-OF-STANDARDS-AND-TECHNOLOGYUS United States 30->113 115 8 other IPs or domains 30->115 89 C:\Users\user\AppData\Local\...\uS}8@t{b.exe, PE32 30->89 dropped 91 C:\Users\user\AppData\Local\...\`8NILQR.exe, PE32+ 30->91 dropped 117 System process connects to network (likely due to code injection or exploit) 30->117 119 Early bird code injection technique detected 30->119 121 Found many strings related to Crypto-Wallets (likely being stolen) 30->121 123 3 other signatures 30->123 35 `8NILQR.exe 9 2 30->35         started        39 uS}8@t{b.exe 30->39         started        41 wmprph.exe 30->41         started        43 2 other processes 30->43 file12 signatures13 process14 file15 85 C:\ProgramData\Microsoft\...\WmiPrvSE.exe, PE32+ 35->85 dropped 133 Multi AV Scanner detection for dropped file 35->133 135 Query firmware table information (likely to detect VMs) 35->135 137 Modifies windows update settings 35->137 145 3 other signatures 35->145 45 cmd.exe 1 35->45         started        48 powershell.exe 35->48         started        50 cmd.exe 35->50         started        63 14 other processes 35->63 87 C:\Users\user\AppData\...\UserOOBEBroker.exe, PE32 39->87 dropped 139 Antivirus detection for dropped file 39->139 52 cmd.exe 39->52         started        54 cmd.exe 39->54         started        141 Writes to foreign memory regions 41->141 143 Allocates memory in foreign processes 41->143 56 dllhost.exe 41->56         started        59 chrome.exe 43->59         started        61 chrome.exe 43->61         started        signatures16 process17 dnsIp18 163 Uses schtasks.exe or at.exe to add and modify task schedules 45->163 65 net.exe 45->65         started        67 conhost.exe 45->67         started        165 Loading BitLocker PowerShell Module 48->165 69 conhost.exe 48->69         started        71 WmiPrvSE.exe 48->71         started        77 2 other processes 50->77 73 conhost.exe 52->73         started        75 schtasks.exe 52->75         started        79 2 other processes 54->79 105 45.141.233.252, 44133, 49746, 49751 ASDETUKhttpwwwheficedcomGB Bulgaria 56->105 107 googlehosted.l.googleusercontent.com 142.251.40.129, 443, 49737, 49738 GOOGLEUS United States 59->107 109 clients2.googleusercontent.com 59->109 81 14 other processes 63->81 signatures19 process20 process21 83 net1.exe 65->83         started       
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5ba89a0dd9520d5aa1bbf4aa4714aabbe96212fa208cc11c6e9123429f194f5f
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/bb40a0257e8f8000102b7db55e88fb17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5ba89a0dd9520d5aa1bbf4aa4714aabbe96212fa208cc11c6e9123429f194f5f/
Verdict:
Malicious
Threat:
Family.RHADAMANTHYS
Link:
https://tip.neiki.dev/file/5ba89a0dd9520d5aa1bbf4aa4714aabbe96212fa208cc11c6e9123429f194f5f
Threat name:
Win32.Trojan.Kelios
Create hunting rule
Status:
Malicious
First seen:
2025-08-05 20:27:07 UTC
File Type:
PE (Exe)
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=loujudozkigvvin36sveoffkxpuweex2ecgmchdoserufhyzj5pq._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
074e375a6c53828b222987489d5f5ac207df534d5b6e1decf579377bbdec6717
Rhadamanthys
3e299b0743fca7b231c17bc0748a8cef3739654f09bb2d8a0a33e3b2af7249c5
Rhadamanthys
4d9b00ede714843e43f64c9b0682ac1f408e33fe6502f611e48bfb4846fb8961
Rhadamanthys
5d251fd02e2d0e0e9bd67dba8cd808b8f8011faee8bed973fb19254a99fa784a
Rhadamanthys
5e72de9f6789a9cda3df9f794ab3e26ff9b24611edf9e0f0cbc4d6a5d8e44bbb
Rhadamanthys
7cf95f58a0394fae9f65ec653b4779dc237a6cc0e88fcb6a477335e1cffd9392
Rhadamanthys
b42256e6754cb643a01f720cbf4946fca672f9fadcf09c975497ca2d8c9d2325
Rhadamanthys
c108a671bd78a29b6ddac6013cce91c94627a8e4f4f8f6e84aa7e75be875ae82
Rhadamanthys
dfb7fd652369ad522db2bdfbb1a17017a22c57639329b5067a6bb457738ab324
Rhadamanthys
e4291443262d6b9dffb661b6de6ebba39d02ef974a12cf7bfc2d7704aa386d83
Rhadamanthys
error
Rhadamanthys
+ 219 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys discovery stealer
Link:
https://tria.ge/reports/250805-y8ngkayset/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Deletes itself
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5dca917b-69da-4dce-9122-456ba7fac50e
Unpacked files
SH256 hash:
5ba89a0dd9520d5aa1bbf4aa4714aabbe96212fa208cc11c6e9123429f194f5f
MD5 hash:
bb40a0257e8f8000102b7db55e88fb17
SHA1 hash:
57dd2856a5cb570d115f14fe75e6dea498d176c5
Link:
https://www.unpac.me/results/2601a308-9279-4f3d-904d-36ec81c80573/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5ba89a0dd952/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/19079/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileMappingW

Comments