MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e8bbd5d9c21e7091cefa9dcfe46a8cc29090f83b40df10d218098e5e70b6176. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Rhadamanthys


Vendor detections: 15



SHA256 hash: 5e8bbd5d9c21e7091cefa9dcfe46a8cc29090f83b40df10d218098e5e70b6176
SHA3-384 hash: 850c977b8d2b0d6e6c6a232bcd6ac88dc8cafcd6318d41a6a47cd3dfb38366ac837dc9998e60a1ed9e6d65ac9db5f0ce
SHA1 hash: 3968607ff0d738148f347913e4591ca76e32cd2e
MD5 hash: e9d5a191e64a193148410d6c4001748e
humanhash: iowa-harry-utah-coffee
File name: e9d5a191e64a193148410d6c4001748e.exe
Signature: Rhadamanthys
File size: 10'023'331 bytes
First seen: 2025-07-24 07:25:54 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8b4d0760d426c9138154c52a7dcc4339 (5 x Rhadamanthys, 5 x HijackLoader, 2 x SheetRAT)
ssdeep: 196608:3xG4dTVbUoPcYJqJ3XPG+GuXsiPPptm4s0vs9LZsImk0nmi5PTk:rzbxPxO3XOH4xZOs1znmiRg
Threatray: 5 similar samples on MalwareBazaar
TLSH: T1F3A63369D3F405FDE037A23C9E525912D676BC5A1A21CEAF3318017A6F62BD09E3D702
TrID: 92.4% (.EXE) WinRAR Self Extracting archive (4.x-5.x) (265042/9/39)
      3.6% (.EXE) Win64 Executable (generic) (10522/11/4)
      1.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
      0.7% (.EXE) OS/2 Executable (generic) (2029/13)
      0.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
dhash icon: 9494b494d4aeaeac (832 x DCRat, 172 x RedLineStealer, 134 x CryptOne)
Reporter: abuse_ch
Tags: exe Rhadamanthys

Intelligence


File Origin
# of uploads: 1
# of downloads: 50
Origin country: SE

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: e9d5a191e64a193148410d6c4001748e.exe
Verdict: Malicious activity
Analysis date: 2025-07-24 07:26:42 UTC
Tags: auto generic hijackloader loader auto-startup rhadamanthys shellcode

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 93.3%
Tags: injection dropper emotet virus

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
Sending a custom TCP request
Unauthorized injection to a recently created process by context flags manipulation
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: action adaptive-context anti-debug anti-vm base64 explorer fingerprint keylogger lolbin microsoft_visual_cc overlay
Result
Threat name: HijackLoader, RHADAMANTHYS
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Yara detected HijackLoader
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph ID: 1743219
Sample: yJ9xth1z32.exe
Start date: 24/07/2025
Architecture: WINDOWS
Score: 100

Contacted hosts:
  cloudflare-dns.com (104.16.248.249, port 443, local ports 49695 and 49696, CLOUDFLARENETUS, United States)
  api.diamomong.top

Top-level signatures: Found malware configuration; Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 5 other signatures

Process tree (graph node ids in brackets; dropped files and signatures listed under the process that produced them):
  yJ9xth1z32.exe [10]
    dropped: C:\Users\user\AppData\Local\...\tier0.dll (PE32); C:\Users\user\AppData\...\VCRUNTIME140.dll (PE32); C:\Users\user\AppData\...\Qt5Widgets.dll (PE32); 4 other malicious files
    FrameSmart.exe [16]
      dropped: C:\ProgramData\cliUninstallgz\tier0.dll (PE32); C:\ProgramData\...\VCRUNTIME140.dll (PE32); C:\ProgramData\...\Qt5Widgets.dll (PE32); 4 other malicious files
      signatures: Switches to a custom stack to bypass stack traces
      FrameSmart.exe [24]
        dropped: C:\Users\user\AppData\Roaming\...\XPFix.exe (PE32); C:\Users\user\AppData\Local\...\708F7E6.tmp (PE32); C:\ProgramData\GigaRou.exe (PE32)
        signatures: Found hidden mapped module (file has been removed from disk); Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
        GigaRou.exe [31]
          signatures: Multi AV Scanner detection for dropped file; Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
          OpenWith.exe [36]
            network: cloudflare-dns.com (104.16.248.249:443); api.diamomong.top
            signatures: Switches to a custom stack to bypass stack traces
        XPFix.exe [34]
  FrameSmart.exe [13] (second instance, started from the root node)
    dropped: C:\Users\user\AppData\Local\...\964EF26.tmp (PE32)
    signatures: Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
    GigaRou.exe [20]
      signatures: Found direct / indirect Syscall (likely to bypass EDR)
      OpenWith.exe [28]
        network: api.diamomong.top
    XPFix.exe [22]
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PDB Path PE (Portable Executable) Win 64 Exe x64

Threat name: Win64.Trojan.Hijackloader
Status: Malicious
First seen: 2025-07-17 18:57:12 UTC
File Type: PE+ (Exe)
Extracted files: 59
AV detection: 15 of 23 (65.22%)
Threat level: 5/5

Result
Malware family: rhadamanthys
Score: 10/10
Tags: family:hijackloader family:rhadamanthys discovery loader stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Detects HijackLoader (aka IDAT Loader)
Detects Rhadamanthys Payload
HijackLoader
Hijackloader family
Rhadamanthys
Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess
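The verdicts "Executes dropped EXE" and "Loads dropped DLL" above, and the OpenWith.exe lookups of api.diamomong.top in the Joe Sandbox tree, all come down to one correlation: remember which paths a monitored process wrote, then watch for those paths in later process-create and image-load events, and treat network activity from anything descended from such a process as suspect. The Python below is an added example written for this page, not code from MalwareBazaar or any of the sandbox vendors. It replays constructed, Sysmon-shaped events through that correlation; the pids, the Temp\sfx directory and the full paths are assumptions, and only the image names and domains come from the page.

```python
"""Replay constructed Sysmon-style events through three detections that mirror
the sandbox verdicts on this page: "Executes dropped EXE", "Loads dropped DLL"
and DNS activity from a process tree rooted in a dropped file.

Event shapes are a shortened stand-in for Sysmon IDs 1 (ProcessCreate: Image,
ProcessId, ParentProcessId), 7 (ImageLoad: ImageLoaded), 11 (FileCreate:
TargetFilename) and 22 (DnsQuery: QueryName)."""

# Constructed telemetry shaped after the Joe Sandbox process tree above.
# Pids and the Temp\sfx directory are assumptions; image names and domains are from the page.
EVENTS = [
    {"id": 1,  "pid": 2,  "ppid": 1,  "image": r"C:\Windows\explorer.exe"},
    {"id": 1,  "pid": 10, "ppid": 2,  "image": r"C:\Users\user\Desktop\yJ9xth1z32.exe"},
    {"id": 11, "pid": 10, "target": r"C:\Users\user\AppData\Local\Temp\sfx\tier0.dll"},
    {"id": 11, "pid": 10, "target": r"C:\Users\user\AppData\Local\Temp\sfx\FrameSmart.exe"},
    {"id": 1,  "pid": 16, "ppid": 10, "image": r"C:\Users\user\AppData\Local\Temp\sfx\FrameSmart.exe"},
    {"id": 7,  "pid": 16, "image_loaded": r"C:\Windows\System32\kernel32.dll"},
    {"id": 7,  "pid": 16, "image_loaded": r"C:\Users\user\AppData\Local\Temp\sfx\tier0.dll"},
    {"id": 11, "pid": 16, "target": r"C:\ProgramData\GigaRou.exe"},
    {"id": 1,  "pid": 31, "ppid": 16, "image": r"C:\ProgramData\GigaRou.exe"},
    # OpenWith.exe is a Microsoft system binary; it is flagged only because its
    # ancestor GigaRou.exe is a dropped file, not because of its own image path.
    {"id": 1,  "pid": 36, "ppid": 31, "image": r"C:\Windows\System32\OpenWith.exe"},
    {"id": 22, "pid": 36, "query": "cloudflare-dns.com"},
    {"id": 22, "pid": 36, "query": "api.diamomong.top"},
    # Benign control: a lookup from explorer.exe must not produce an alert.
    {"id": 22, "pid": 2,  "query": "www.microsoft.com"},
]


def _norm(path: str) -> str:
    # NTFS paths are case-insensitive; compare them that way.
    return path.lower()


def detect(events):
    """Return (rule, pid, detail) alerts for dropped-file execution, dropped-DLL
    loads and DNS queries issued from a dropped-file process tree."""
    dropped = set()    # paths written by any monitored process (event 11)
    tainted = set()    # pids running a dropped file, plus their descendants
    alerts = []
    for ev in events:
        if ev["id"] == 11:
            dropped.add(_norm(ev["target"]))
        elif ev["id"] == 1:
            if _norm(ev["image"]) in dropped:
                alerts.append(("Executes dropped EXE", ev["pid"], ev["image"]))
                tainted.add(ev["pid"])
            elif ev["ppid"] in tainted:
                # Taint flows down the tree, so system binaries spawned by a
                # dropped file (the OpenWith.exe case above) are still tracked.
                tainted.add(ev["pid"])
        elif ev["id"] == 7:
            if _norm(ev["image_loaded"]) in dropped:
                alerts.append(("Loads dropped DLL", ev["pid"], ev["image_loaded"]))
        elif ev["id"] == 22:
            if ev["pid"] in tainted:
                alerts.append(("DNS from dropped-file process tree", ev["pid"], ev["query"]))
    return alerts


def rule_counts(events):
    """Summarise how many times each rule fired; handy for a quick triage view."""
    counts = {}
    for rule, _pid, _detail in detect(events):
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Real Sysmon needs ImageLoad (event 7) enabled in its configuration, and in production the `dropped` set should be bounded (for example by time window and by the writing process) or it will grow without limit and flag every installer.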
Unpacked files

SHA256 hash: 5e8bbd5d9c21e7091cefa9dcfe46a8cc29090f83b40df10d218098e5e70b6176
MD5 hash: e9d5a191e64a193148410d6c4001748e
SHA1 hash: 3968607ff0d738148f347913e4591ca76e32cd2e

SHA256 hash: 19951231afbb50bdad66830781f6192926b06f9a09a379abfbca1c1e7e836eab
MD5 hash: 47a9502fb4d4cb7dd4495cf39818a8fb
SHA1 hash: 006ca93f6d4dfdff02e3dc57a58ee5cd6af82720

SHA256 hash: 206fd7bb47d7556815074b3f0606055712e23fef8b4ff393c9e0d8ded8e9c140
MD5 hash: 71efc3a554ac91dc24e530e8d530bdff
SHA1 hash: 3c7c11c822dccfee0654d73985260c0c9c5f7bdf

SHA256 hash: 350a5f5fb8d76e5088317966694b44aef6d3f3387dc572527f0f412891215e04
MD5 hash: e1fc955b7309ad1ddce0b4a6564a7a44
SHA1 hash: 53fb307e873a6be6ead4bf2e00a981ac973c0b8c

SHA256 hash: 4be72d127ac97fa332a9d14dee916e1a198dacd1fcce688ec81155dc72e4f3e2
MD5 hash: 00b2a30beece16c28bdf2b97b06acf1e
SHA1 hash: 777497d062f2efeebadafca5d075dd80aa022074

SHA256 hash: 9e9b340bba6d47fb15cde3b9d0568c6d296e3299eca0dfcd2bf000637b36fe13
MD5 hash: 3a207bdfaa989abab1cf5f7e86555b87
SHA1 hash: b5df7c111591c9cf719260fcf0769322927f23f8

SHA256 hash: b48dc53977477f13ca80e7aa002d23a127b53515c0a45fe82c2a87f35450d1d0
MD5 hash: 30f437cc4598570e7cc661f8131daf2e
SHA1 hash: 1549c04d7babf58b71a243ce5e7ec308494ca818

SHA256 hash: e3e0cd84ff82900e34273bf9f5163533d67c8b977adad263a9e1f5ad30a1d4c9
MD5 hash: 3c444b7e23b1b808524f0019057b3e61
SHA1 hash: c005c36d93f6aad4e56f59ef842d56ca48439f3b
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:HeavensGate
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:malware_shellcode_hash
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:pe_detect_tls_callbacks
Rule name:RIPEMD160_Constants
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings

ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (FORCE_INTEGRITY) | high

Reviews

ID | Capabilities | Evidence
GDI_PLUS_API | Interfaces with Graphics | gdiplus.dll::GdiplusStartup, gdiplus.dll::GdiplusShutdown, gdiplus.dll::GdipAlloc
WIN32_PROCESS_API | Can Create Process and Threads | KERNEL32.dll::CloseHandle
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryW, KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetSystemInfo, KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_API | Can Execute other programs | KERNEL32.dll::AllocConsole, KERNEL32.dll::AttachConsole, KERNEL32.dll::WriteConsoleW, KERNEL32.dll::FreeConsole, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleMode, KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API | Can Create Files | KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateFileW, KERNEL32.dll::DeleteFileW, KERNEL32.dll::MoveFileW, KERNEL32.dll::MoveFileExW, KERNEL32.dll::GetSystemDirectoryW
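Both BLint findings are readable straight from the PE optional header: CHECK_AUTHENTICODE means the security data directory (index 4, IMAGE_DIRECTORY_ENTRY_SECURITY) has size zero, so no Authenticode blob is embedded, and CHECK_DLL_CHARACTERISTICS means the FORCE_INTEGRITY bit (0x0080) of DllCharacteristics is clear. The Python below is an added example, not BLint's own code. It parses just those fields with the standard library and works on any PE, including the 10 MB SFX described on this page; build_header() is a constructed header generator included only so the check can be exercised offline, and the 0x400 offset and sizes it writes are placeholders, not values taken from the sample.

```python
"""Reproduce the two BLint findings on this page by reading the PE optional header:
CHECK_AUTHENTICODE (empty security directory) and CHECK_DLL_CHARACTERISTICS
(FORCE_INTEGRITY not set). Standard library only; offsets follow the PE/COFF spec."""
import struct

DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
FORCE_INTEGRITY = 0x0080
SECURITY_DIR_INDEX = 4          # IMAGE_DIRECTORY_ENTRY_SECURITY


def inspect_pe(data: bytes) -> dict:
    """Return format, DllCharacteristics, the security directory and BLint-style findings."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = pe_off + 4 + 20                                      # skip the 20-byte COFF file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                                         # PE32+ (64-bit image)
        ndirs_off, dirs_off = 108, 112
    elif magic == 0x10B:                                       # PE32
        ndirs_off, dirs_off = 92, 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics is at offset 70 in both optional header layouts.
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + ndirs_off)[0]
    sec_off = sec_size = 0
    if ndirs > SECURITY_DIR_INDEX:
        # Unlike the other directories, the security entry holds a raw file offset, not an RVA.
        sec_off, sec_size = struct.unpack_from("<II", data, opt + dirs_off + 8 * SECURITY_DIR_INDEX)
    findings = []
    if sec_size == 0:
        findings.append("CHECK_AUTHENTICODE")
    if not dllchars & FORCE_INTEGRITY:
        findings.append("CHECK_DLL_CHARACTERISTICS")
    return {
        "format": "PE32+" if magic == 0x20B else "PE32",
        "dll_characteristics": dllchars,
        "flags": [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if dllchars & bit],
        "security_directory": (sec_off, sec_size),
        "findings": findings,
    }


def build_header(dll_characteristics: int, security_size: int, pe32plus: bool = True) -> bytes:
    """Constructed minimal PE header (no sections) for exercising inspect_pe offline.
    The security directory offset 0x400 is a placeholder, not a real signature location."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew: PE header right after DOS header
    opt_size = 240 if pe32plus else 224                        # 112 or 96 fixed bytes + 16 directories
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    ndirs_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, ndirs_off, 16)
    struct.pack_into("<II", opt, dirs_off + 8 * SECURITY_DIR_INDEX,
                     0x400 if security_size else 0, security_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Typical MSVC defaults (0x8160 = HIGH_ENTROPY_VA | DYNAMIC_BASE | NX_COMPAT | TERMINAL_SERVER_AWARE)
    # without and with a signature and FORCE_INTEGRITY; also accepts open(path, "rb").read().
    for label, hdr in [("unsigned", build_header(0x8160, 0)),
                       ("signed+integrity", build_header(0x8160 | FORCE_INTEGRITY, 0x2000))]:
        print(label, inspect_pe(hdr)["findings"])
```

A populated security directory only shows that a signature blob is attached; whether it verifies and chains to a trusted root is a separate step (signtool verify or osslsigncode verify). FORCE_INTEGRITY is rarely set on third-party user-mode binaries, so that finding says little about this sample on its own; the missing signature on a 10 MB WinRAR SFX that goes on to drop further PE files is the more useful of the two.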

Comments