MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5cbaf81d01a6b36ad0d5b8d2934737f29b584580ad7547c744d331d3680bb754. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 16

SHA256 hash: 5cbaf81d01a6b36ad0d5b8d2934737f29b584580ad7547c744d331d3680bb754
SHA3-384 hash: 6067033bc2b54b5993ae9655015c5a483fac0da7e9a0f73dfe3c77c8db5d61bfc72f29fc84e1b1c55751dc2a659a9b2f
SHA1 hash: f5da109aa9523362fa9e56483e2c293f42002d77
MD5 hash: 26da617f56d9fbb706f85bf5b3f20cc6
humanhash: louisiana-low-hot-william
File name: Setup__en.exe
Download: download sample
Signature: Rhadamanthys
File size: 99'633'949 bytes
First seen: 2025-09-22 18:06:19 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 32f3282581436269b3a75b6675fe3e08 (197 x LummaStealer, 122 x Rhadamanthys, 8 x CoinMiner)
ssdeep: 49152:jXetB1OIORPN5sp08iNycNaa174Dx5HaLZZhzizp/VEIA:retB1OVRlPYa17Ax5HaNizp/VEIA
TLSH: T16B28237DB21C1201E3D3156737114E86FD387993B23AA6CA512FA99931E3C5293BB723
TrID: 37.3% (.EXE) Win64 Executable (generic) (10522/11/4)
      17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
      15.9% (.EXE) Win32 Executable (generic) (4504/4/1)
      7.3% (.ICL) Windows Icons Library (generic) (2059/9)
      7.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika: pebin
Reporter: aachum
Tags: 178-17-57-65 AutoIT CypherIT exe Rhadamanthys


iamaachum
https://n14rr140825e7.cfd/mnllcontent-e317f442878ac916ebc3643fcf9df9a8/dlc_68d18ba353921/?s=294&pg=0&q=Download => https://mega.nz/file/ONtA3aJA#bmb1nPJQF0o7d_2PMU76pneQSlUPz9vMjrHJCSqQf8Q

Intelligence


File Origin
# of uploads: 1
# of downloads: 129
Origin country: ES
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Setup__en.exe
Verdict: Malicious activity
Analysis date: 2025-09-22 18:42:45 UTC
Tags: autoit anti-evasion rhadamanthys stealer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 97.4%
Tags: autoit emotet cobalt spoof

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Searching for the window
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a process from a recently created file
Sending a custom TCP request
DNS request

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug blackhole expired-cert installer invalid-signature microsoft_visual_cc nsis overlay signed

Verdict: Malicious
File Type: exe x32
First seen: 2025-09-22T08:21:00Z UTC
Last seen: 2025-09-22T08:21:00Z UTC
Hits: ~10

Result
Threat name: RHADAMANTHYS
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Detected potential unwanted application
Drops PE files with a suspicious file extension
Early bird code injection technique detected
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Search for Antivirus process
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Behavior Graph ID: 1782198; Sample: Setup__en.exe; Startdate: 22/09/2025; Architecture: WINDOWS; Score: 100
Sample-level network: twc.trafficmanager.net; ts1.aco.net; 8 other IPs or domains
Sample-level signatures: Multi AV Scanner detection for submitted file; Yara detected RHADAMANTHYS Stealer; Sigma detected: Search for Antivirus process; 2 other signatures
Process tree (as rendered in the graph, with the node labels' counts kept in parentheses):
Setup__en.exe (31)
  dropped: C:\Users\user\AppData\Local\...\nsExec.dll, PE32
  cmd.exe (1)
    signature: Drops PE files with a suspicious file extension
    cmd.exe (4)
      dropped: C:\Users\user\AppData\Local\...\Targeted.scr, PE32
      Targeted.scr
        network: 178.17.57.65, 49691, 49732, 49734 FOURD-ASGB Germany
        signatures: Found many strings related to Crypto-Wallets (likely being stolen); Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
        dllhost.exe (6)
          network: time-a-g.nist.gov 129.6.15.28, 123, 63773 US-NATIONAL-INSTITUTE-OF-STANDARDS-AND-TECHNOLOGYUS United States; ntp1.net.berkeley.edu 169.229.128.134, 123, 63773 UCBUS United States; 5 other IPs or domains
          signatures: Early bird code injection technique detected; Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc); 2 other signatures
          chrome.exe
            chrome.exe
              network: googlehosted.l.googleusercontent.com 142.250.69.161, 443, 49703, 49705 GOOGLEUS United States; 127.0.0.1 unknown unknown; clients2.googleusercontent.com
            chrome.exe
          msedge.exe
            msedge.exe
          chrome.exe
          wmplayer.exe
        WerFault.exe (2)
      extrac32.exe (22)
      tasklist.exe (1)
      2 other processes
    conhost.exe
msedge.exe
  network: 192.168.2.6, 123, 138, 443 unknown unknown; 239.255.255.250 unknown Reserved
  signature: Maps a DLL or memory area into another process
  msedge.exe
    network: 13.107.246.70, 443, 49722, 49725 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; s-part-0042.t-0009.fb-t-msedge.net 13.107.253.70, 443, 49709, 49721 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; 11 other IPs or domains
  msedge.exe
  msedge.exe
  3 other processes
elevation_service.exe
3 other processes
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2025-09-22 15:32:50 UTC
File Type: PE (Exe)
Extracted files: 21
AV detection: 13 of 24 (54.17%)

Threat level: 5/5
Verdict: malicious
Label(s): rhadamanthys
Similar samples:

Result
Malware family: rhadamanthys
Score: 10/10
Tags: family:rhadamanthys discovery stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Executes dropped EXE
Loads dropped DLL
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family

Verdict: Suspicious
Tags: n/a
YARA: n/a

Malware family: Rhadamanthys
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Rhadamanthys
Executable exe 5cbaf81d01a6b36ad0d5b8d2934737f29b584580ad7547c744d331d3680bb754 (this sample)

Delivery method
Distributed via web download

Comments