MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e9608025e253bd0ab486f0428d71d998fb53eba50c4ca87f70c33518d96c6bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 18


Intelligence 18 IOCs YARA 23 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e9608025e253bd0ab486f0428d71d998fb53eba50c4ca87f70c33518d96c6bc
SHA3-384 hash: dfb63af29bd0381dd616c8ec006f0f552706ef7b4d22dc1453a88462f4eaf82d9f96d1f4db27414c824812d6511cb98a
SHA1 hash: 02221f66ff1dd00a256edbb8c0641b69be8580ff
MD5 hash: df12fc4a75d3be8a6ed898d7d38a8174
humanhash: gee-whiskey-island-wisconsin
File name:hack loader.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:12'284'713 bytes
First seen:2025-09-11 13:22:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4b1892ce4fbcfcf064c6f69d693fc6a5 (10 x Rhadamanthys, 4 x AgentTesla, 3 x QuasarRAT)
ssdeep 98304:6JCe0hK3jlrqm/hrT8ym16ijkeqlGpALD3awzvCB7Nyp6RbJLDYXOnlID:e0E3pxFTTmYicGoj47NA69JLDYXKlID
Threatray 329 similar samples on MalwareBazaar
TLSH T184C6AD12E2FD01E8E5BBC178C567551BE7B27855132097EF52A08A692F23FE06E3D321
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter burger
Tags:exe Loader

Intelligence

File Origin
# of uploads :
1
# of downloads :
186
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
hack loader.exe
Verdict:
Malicious activity
Analysis date:
2025-09-11 13:19:18 UTC
Tags:
loader anti-evasion stealer rhadamanthys shellcode
Link:
https://app.any.run/tasks/90ff0fe9-7c2a-4802-b3bb-5f31c171267f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/26916/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c2cd146e66ba602d7a6a3b
Tags:
shellcode dropper spoof virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a window
Connection attempt
Sending an HTTP GET request
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Sending a custom TCP request
DNS request
Sending a UDP request
Reading critical registry keys
Searching for the window
Unauthorized injection to a recently created process
Launching a process
Launching a file downloaded from the Internet
Unauthorized injection to a system process
Stealing user critical data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug dotnet fingerprint lolbin microsoft_visual_cc obfuscated overlay threat
Link:
https://www.filescan.io/uploads/68c2cd150d1238ff0aaa1b77/reports/1f757667-08db-460e-86d2-b7056bda81b1/overview
Verdict:
Malicious
Labled as:
Trojan.Agent
Link:
https://www.hybrid-analysis.com/sample/5e9608025e253bd0ab486f0428d71d998fb53eba50c4ca87f70c33518d96c6bc
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-09-11T10:57:00Z UTC
Last seen:
2025-09-11T10:57:00Z UTC
Hits:
~100
Detections:
Trojan.Win64.SBEscape.sb Trojan.Win64.Agentb.sb Trojan.Win32.Strab.sb Trojan.Win32.Shellcode.sb Trojan.Win32.Crypt.sb Trojan.Win32.Agent.xcacwh Trojan.Win32.Agent.sb PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/5e9608025e253bd0ab486f0428d71d998fb53eba50c4ca87f70c33518d96c6bc/results?tab=lookup
Malware family:
Khalesi
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b2458d0d-8aee-442c-b21b-fe15c9165a3f
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1775623
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found API chain indicative of debugger detection
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found stalling execution ending in API Sleep call
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1775623 Sample: hack loader.exe Startdate: 11/09/2025 Architecture: WINDOWS Score: 100 65 Found malware configuration 2->65 67 Malicious sample detected (through community Yara rule) 2->67 69 Multi AV Scanner detection for dropped file 2->69 71 4 other signatures 2->71 8 hack loader.exe 5 2->8         started        11 DataSyncHost.exe 1 2->11         started        13 DataSyncHost.exe 1 2->13         started        process3 file4 43 C:\Users\user\AppData\Local\...\z20flqkc.exe, PE32+ 8->43 dropped 45 C:\Users\user\AppData\Local\...\azhqg485.exe, PE32 8->45 dropped 15 azhqg485.exe 16 8->15         started        19 z20flqkc.exe 15 8->19         started        22 svchost.exe 1 1 8->22         started        24 conhost.exe 8->24         started        26 conhost.exe 11->26         started        28 conhost.exe 13->28         started        process5 dnsIp6 49 62.60.158.10 IROST-ASIR Iran (ISLAMIC Republic Of) 15->49 55 Antivirus detection for dropped file 15->55 57 Found stalling execution ending in API Sleep call 15->57 59 Found API chain indicative of sandbox detection 15->59 63 3 other signatures 15->63 51 176.46.152.62, 49692, 49693, 5858 ESTPAKEE Iran (ISLAMIC Republic Of) 19->51 39 C:\Users\user\AppData\Local\...\nbgtpasrg.exe, PE32+ 19->39 dropped 41 dda45bc6697f47ef98...f1bc37_miner[1].exe, PE32+ 19->41 dropped 61 Found API chain indicative of debugger detection 19->61 30 nbgtpasrg.exe 1 3 19->30         started        53 127.0.0.1 unknown unknown 22->53 file7 signatures8 process9 file10 47 C:\Users\user\AppData\...\DataSyncHost.exe, PE32+ 30->47 dropped 75 Multi AV Scanner detection for dropped file 30->75 34 DataSyncHost.exe 1 30->34         started        37 conhost.exe 30->37         started        signatures11 process12 signatures13 73 Multi AV Scanner detection for dropped file 34->73
Score:
58%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/5e9608025e253bd0ab486f0428d71d998fb53eba50c4ca87f70c33518d96c6bc
Verdict:
inconclusive
YARA:
9 match(es)
Tags:
.Net Executable Html Javascript in Html PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/df12fc4a75d3be8a6ed898d7d38a8174
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5e9608025e253bd0ab486f0428d71d998fb53eba50c4ca87f70c33518d96c6bc/
Verdict:
Malicious
Threat:
Family.DONUTLOADER
Link:
https://tip.neiki.dev/file/5e9608025e253bd0ab486f0428d71d998fb53eba50c4ca87f70c33518d96c6bc
Threat name:
Win64.Spyware.Rhadamanthys
Create hunting rule
Status:
Suspicious
First seen:
2025-09-11 13:22:27 UTC
File Type:
PE+ (Exe)
Extracted files:
15
AV detection:
19 of 38 (50.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l2laqas6eu55bk2in4ccrvy5tgh3kpv2kdcmvb7xbqzvddmwy26a._file
Verdict:
malicious
Label(s):
donut_injector
Create hunting rule
rhadamanthys
Create hunting rule
Similar samples:
30235049839cd3ddfb7e50e8a58f3d0c2a5dffaa632c671a97de12ed1dfa6a06
Rhadamanthys
556d8ed53e1015b4d40383198e5a787e022fa26dc132820fc053e55ec28317b7
Rhadamanthys
5e9608025e253bd0ab486f0428d71d998fb53eba50c4ca87f70c33518d96c6bc
Rhadamanthys
ab24248296df1b0044a98cf250b65ec40adeb9b1ff4db9c3ee7e675985b4c4c5
Rhadamanthys
c9b7aa7a67392dd4537f636d4791e75984d3862280c301c9ca0f91424f64972c
Rhadamanthys
error
Rhadamanthys
+ 319 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:donutloader family:rhadamanthys discovery loader stealer
Link:
https://tria.ge/reports/250911-qm315azlz8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Executes dropped EXE
Downloads MZ/PE file
Detects DonutLoader
Detects Rhadamanthys Payload
DonutLoader
Donutloader family
Rhadamanthys
Rhadamanthys family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a467a989-22ca-4c3c-95ae-7ff125629b59
Unpacked files
SH256 hash:
5e9608025e253bd0ab486f0428d71d998fb53eba50c4ca87f70c33518d96c6bc
MD5 hash:
df12fc4a75d3be8a6ed898d7d38a8174
SHA1 hash:
02221f66ff1dd00a256edbb8c0641b69be8580ff
Link:
https://www.unpac.me/results/990f4604-0206-43dc-bcca-620db1a9f9f0/
SH256 hash:
4f56c74032b71f5e523667f0cad97de31aefb53fd1b7f4c886a7a99fe2407a30
MD5 hash:
712ce730f96f8d5b1e5d8b4b41eca6aa
SHA1 hash:
37cf3a2307d7d84b70528ca71005fc04fb56bdd2
Link:
https://www.unpac.me/results/990f4604-0206-43dc-bcca-620db1a9f9f0/
SH256 hash:
b910006cea197f661c19638e3b2c8cc6033e13cb87c91e6fd7e4b59b9e3ab335
MD5 hash:
71867d25f47d64416c00b201aa34961a
SHA1 hash:
2b837fc662c757c9b91a9fb8893498b08414ce1c
Link:
https://www.unpac.me/results/990f4604-0206-43dc-bcca-620db1a9f9f0/
SH256 hash:
c05d685863850917187b7282aa9739b23d5b967cac411c1fbe122b13a24ce5fa
MD5 hash:
ba95de25f100739f3b28e0b80165e643
SHA1 hash:
e8b992ad23e4fac1698a530d835fd086a80cf238
Link:
https://www.unpac.me/results/990f4604-0206-43dc-bcca-620db1a9f9f0/
SH256 hash:
dbf76f83663bea67be8efa9230b27718a2a6fc98e369d82b65c8aeb7b10e7bf3
MD5 hash:
fa1736a8a9db5dc30a9b93b5d6b3c217
SHA1 hash:
92325940e37ce4f411a93498df0dc3ae380a040a
Link:
https://www.unpac.me/results/990f4604-0206-43dc-bcca-620db1a9f9f0/
SH256 hash:
b785b5c9614deb53d722be38cfa949d5b0bc360d105c4d53a1be4f648324892c
MD5 hash:
c683830ecc56a96cf9047f4ea19904e1
SHA1 hash:
8f57bb573a537bc29bf6387474c57252b965dbeb
Link:
https://www.unpac.me/results/990f4604-0206-43dc-bcca-620db1a9f9f0/
SH256 hash:
33c75708915a4da1096034f04b5531a5985ce1188a73d3b98135ba1804c217a9
MD5 hash:
abedfa6a0db84fec68715015f7f6475b
SHA1 hash:
1671484c3714d37212760b4cd0ff43a8bd5fc344
Link:
https://www.unpac.me/results/990f4604-0206-43dc-bcca-620db1a9f9f0/
SH256 hash:
c9e2f9f04aded97ac6902991397dd78f17b651d08dc5f29d8e889dbd5c02746c
MD5 hash:
85702891b04babe57938cd3b7b4633f2
SHA1 hash:
714cca53fc171a812fc45813057ad7753d2cc678
Link:
https://www.unpac.me/results/990f4604-0206-43dc-bcca-620db1a9f9f0/
SH256 hash:
37bead9a87d704618ad1f507d833d311a914afd166fa7db526a5d3885f6f8ad4
MD5 hash:
c5b656dec98ffc25c33ebd44773ecdea
SHA1 hash:
bf1783dec6d0aae1c2c9a73e5aa3596fd0c4e942
Link:
https://www.unpac.me/results/990f4604-0206-43dc-bcca-620db1a9f9f0/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5e9608025e25/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5e9608025e253bd0ab486f0428d71d998fb53eba50c4ca87f70c33518d96c6bc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:ducktail
Create hunting rule
Author:Michelle Khalil
Description:This rule detects unpacked ducktail malware samples.
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Jupyter_infostealer
Create hunting rule
Author:CD_R0M_
Description:Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022
Rule name:Lumma_Stealer_Detection
Create hunting rule
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:test_Malaysia
Create hunting rule
Author:rectifyq
Description:Detects file containing malaysia string
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Rhadamanthys

Executable exe 5e9608025e253bd0ab486f0428d71d998fb53eba50c4ca87f70c33518d96c6bc

(this sample)

Rhadamanthys

Executable exe c9b7aa7a67392dd4537f636d4791e75984d3862280c301c9ca0f91424f64972c

  
Dropping
SHA256 c9b7aa7a67392dd4537f636d4791e75984d3862280c301c9ca0f91424f64972c
Cape
Cape
https://www.capesandbox.com/analysis/26916/
  
Dropping
MD5 f9c1a29bf51b1c78cf265f866b4780d1

Comments