MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5eef22a6ffa213297c9642a5d77a749d73b84e2723b3fc10e70d05da6f507af3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 15


Intelligence 15 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5eef22a6ffa213297c9642a5d77a749d73b84e2723b3fc10e70d05da6f507af3
SHA3-384 hash: 7f1b6aec472c78451d48b65afdcbce646d477f6c14926bdcd8bb839b507c696d840524c52223f743b1ae0b91fe5367f0
SHA1 hash: 12d3b8f70f42c4c46f5c567de1db7a186922c69a
MD5 hash: 98f846d3ba26ed0a700393d122dee3d0
humanhash: gee-floor-thirteen-march
File name:libbrotlicommon.dll
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:3'184'128 bytes
First seen:2025-08-09 02:49:03 UTC
Last seen:2025-08-09 02:49:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9587a189d94ef6e90f97fa73ab031264 (1 x Rhadamanthys, 1 x Formbook)
ssdeep 49152:7x77U1r+cGBkrsAzedSVpuNrV6tMdYJ4oI6EzGfpzjdqIu7cQ1bQofOMh/ke5:7EGpF6EAjdqI8Qo1h/k
Threatray 165 similar samples on MalwareBazaar
TLSH T1C0E5CE11E3A800A6D83BD734CA699333D6B078575331E54F0A99D6062F73EA29B7F712
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter aachum
Tags:178-22-24-47 dll Rhadamanthys


Avatar
iamaachum
https://github.com/Aimbot-COD-Warzone/Aimbot-for-COD-warzone?tab=readme-ov-file => https://trahendon.github.io/.github/index.html

Intelligence

File Origin
# of uploads :
2
# of downloads :
66
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
libbrotlicommon.dll
Verdict:
Malicious activity
Analysis date:
2025-08-09 02:45:33 UTC
Tags:
lumma rhadamanthys shellcode
Link:
https://app.any.run/tasks/97451e0a-c4ef-4d26-a7e9-40e865330968

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Rhadamanthys
Create hunting rule
Link:
https://www.capesandbox.com/analysis/19821/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6896b64b1e8a59ee04e7c73a
Tags:
malware
Result
Verdict:
Clean
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context crypto fingerprint masquerade microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/6896b741397fd3ce6fa2e901/reports/8921b7bc-a5c0-488a-9053-09113f961111/overview
Verdict:
Malicious
Labled as:
W64/Agent.KHK.gen
Link:
https://www.hybrid-analysis.com/sample/5eef22a6ffa213297c9642a5d77a749d73b84e2723b3fc10e70d05da6f507af3
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/dfdb8818-0183-4ab1-a756-ceda2390f5c3
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
evad.troj
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1753520
Signature
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1753520 Sample: libbrotlicommon.dll.dll Startdate: 09/08/2025 Architecture: WINDOWS Score: 84 54 x.ns.gin.ntt.net 2->54 56 twc.trafficmanager.net 2->56 58 10 other IPs or domains 2->58 62 Suricata IDS alerts for network traffic 2->62 64 Multi AV Scanner detection for submitted file 2->64 66 Yara detected RHADAMANTHYS Stealer 2->66 10 loaddll64.exe 1 2->10         started        signatures3 process4 process5 12 cmd.exe 1 10->12         started        14 rundll32.exe 10->14         started        17 rundll32.exe 10->17         started        19 10 other processes 10->19 signatures6 21 rundll32.exe 12->21         started        78 Writes to foreign memory regions 14->78 80 Allocates memory in foreign processes 14->80 82 Injects a PE file into a foreign processes 14->82 24 csc.exe 14->24         started        27 aspnet_wp.exe 14->27         started        29 aspnet_wp.exe 14->29         started        37 3 other processes 14->37 31 csc.exe 17->31         started        33 aspnet_wp.exe 17->33         started        35 aspnet_wp.exe 17->35         started        39 3 other processes 17->39 process7 dnsIp8 68 Writes to foreign memory regions 21->68 70 Allocates memory in foreign processes 21->70 72 Injects a PE file into a foreign processes 21->72 41 csc.exe 21->41         started        44 aspnet_wp.exe 21->44         started        46 aspnet_wp.exe 21->46         started        50 3 other processes 21->50 60 178.22.24.47, 1321, 49718, 49735 CLEVERNETWORK-ASNFR Switzerland 24->60 74 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 24->74 48 WerFault.exe 2 31->48         started        signatures9 process10 signatures11 76 Switches to a custom stack to bypass stack traces 41->76 52 WerFault.exe 2 41->52         started        process12
Score:
99%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/5eef22a6ffa213297c9642a5d77a749d73b84e2723b3fc10e70d05da6f507af3
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PDB Path PE (Portable Executable) Win 64 Exe x64
Link:
https://app.malva.re/file/98f846d3ba26ed0a700393d122dee3d0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5eef22a6ffa213297c9642a5d77a749d73b84e2723b3fc10e70d05da6f507af3/
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/5eef22a6ffa213297c9642a5d77a749d73b84e2723b3fc10e70d05da6f507af3
Threat name:
Win64.Spyware.Rhadamanthys
Create hunting rule
Status:
Suspicious
First seen:
2025-08-09 02:45:33 UTC
File Type:
PE+ (Dll)
AV detection:
11 of 24 (45.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=l3xsfjx7uijss7ewiks5o6tutvz3qtrheoz7yehhbuc5u32qplzq._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
33afc2363bcb30909c61249f68bb14c6fe871f981ca4a3db6866e128beef41d6
Rhadamanthys
342d0b95378fd519e1f64ec6d9fa2e2386c12d1a6e937e5b02ccdccc1999657c
Rhadamanthys
3b89366534bcd84ff61e9e55c0d995a4a9b8a7d94bad3f6fff96c0c7566d7648
Rhadamanthys
57d596b29d6fc2c917503116419917c74d504be7733b31ac4637b6792e8abf72
Rhadamanthys
9de2d029ed9820365edfee67a095513aef305825f665e0acc0dbc56081252c9c
Rhadamanthys
abf205f67f31e721200ec97d75ded289f81a8a9be9d4918f85c95173220ccc54
Rhadamanthys
b2d37a411be06457caf2304ba93bc85e447082acbbc8c82f6d171e7911045751
Rhadamanthys
daa1e8c37f131efe55995260e3772db5bfe8d3d5c5c96d2adc7a55492aab0bae
Rhadamanthys
e439378ca0ca70865ce01d9e795927bd542ee929db1671509555c4fc82c3e65d
Rhadamanthys
error
Rhadamanthys
fc848da9585e55a24b15d7f5a5e34d13e4cb12ef52993665eb10eaa1eaf4a7ef
Rhadamanthys
+ 155 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys stealer
Link:
https://tria.ge/reports/250809-dba5rafq7y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/19666607-487f-402e-bca4-1e416710a533
Unpacked files
SH256 hash:
5eef22a6ffa213297c9642a5d77a749d73b84e2723b3fc10e70d05da6f507af3
MD5 hash:
98f846d3ba26ed0a700393d122dee3d0
SHA1 hash:
12d3b8f70f42c4c46f5c567de1db7a186922c69a
Link:
https://www.unpac.me/results/6a4274cd-c4b1-4f06-8d44-6ae630aa5b97/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5eef22a6ffa2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5eef22a6ffa213297c9642a5d77a749d73b84e2723b3fc10e70d05da6f507af3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Jupyter_infostealer
Create hunting rule
Author:CD_R0M_
Description:Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe 5eef22a6ffa213297c9642a5d77a749d73b84e2723b3fc10e70d05da6f507af3

(this sample)

  
Link
https://tria.ge/250809-c5zjrsfq5s/behavioral1
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/19821/

Comments