MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61452f2771f1146914745b3260205ba3ee682959076e5659c57a4bcba84b8e1b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Rhadamanthys

Vendor detections: 12


SHA256 hash: 61452f2771f1146914745b3260205ba3ee682959076e5659c57a4bcba84b8e1b
SHA3-384 hash: 6c5111805d444e776819055933c84268c9d97f3a60be6b70a5761edaaef02ec45c241101f88db38efbee578b2e55b879
SHA1 hash: dc4ff2763449b825c515c2a8d1f62e02535b8079
MD5 hash: 193755899705423ff0026541eff96256
humanhash: speaker-pluto-mockingbird-floor
File name: Setup.exe
Signature: Rhadamanthys
File size: 99'614'732 bytes
First seen: 2025-09-05 17:38:44 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b729b61eb1515fcf7b3e511e4e66258b (70 x LummaStealer, 16 x Rhadamanthys, 8 x Adware.Generic)
ssdeep: 49152:k6Ai+4mGSuUkHPXXIFLEeJ+JA70QEiHjl:k6AmSuleLEi7xEiH5
TLSH: T12628122F13EF120DC704C941B4AA0FE043826D1B29946C279A7EBEA773A7585D42977F
TrID:
  47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
  15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
  9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: aachum
Tags: 45-153-34-241 AutoIT CypherIT exe Rhadamanthys


Comment by iamaachum:
https://zscniegmv.pro/?file=RMqSsl0yILD632PKQcgT1kafudXorZwNv&rca7ASXODWIuU=w6Yq5oV8yDpZd794mJUexIlkj1iRGM3BCrFTN0gabOLQc2z => https://mega.nz/file/D0hyTSYD#SGGOjbz17eZFg-j-NfxqMxfcfUfoOUKHzut5aJkpdk8

Intelligence


File Origin
# of uploads: 1
# of downloads: 92
Origin country: ES
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: Setup.exe
Verdict: Malicious activity
Analysis date: 2025-09-06 02:16:58 UTC
Tags: autoit lumma stealer
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 94.9%
Tags: autoit emotet nsis

Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Searching for the window
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Sending a custom TCP request
Launching cmd.exe command interpreter
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a process from a recently created file
DNS request

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug blackhole installer microsoft_visual_cc nsis overlay

Verdict: Malicious
File Type: exe x32
First seen: 2025-09-04T20:53:00Z UTC
Last seen: 2025-09-04T20:53:00Z UTC
Hits: ~100

Result
Threat name: n/a
Detection: malicious
Classification: troj.evad
Score: 96 / 100
Signature
Antivirus / Scanner detection for submitted sample
Detected CypherIt Packer
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph (ID 1772002, sample Setup.exe, start date 05/09/2025, architecture WINDOWS, score 96):
  Sample-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Sigma detected: Search for Antivirus process
  DNS name: BbuKYCPLRjBTHUflO.BbuKYCPLRjBTHUflO
  Process tree:
    Setup.exe
      dropped: C:\Users\user\AppData\Local\...\nsExec.dll (PE32)
      cmd.exe
        signatures: Detected CypherIt Packer; Drops PE files with a suspicious file extension
        cmd.exe
          dropped: C:\Users\user\AppData\Local\...\Yesterday.pif (PE32+)
          Yesterday.pif
            signatures: Hijacks the control flow in another process; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes; Found direct / indirect Syscall (likely to bypass EDR)
            Yesterday.pif
              network: 45.153.34.241, 443, 49691 (SKYLINKNL, Germany)
              signatures: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Found direct / indirect Syscall (likely to bypass EDR)
              WerFault.exe
          extrac32.exe
          tasklist.exe
          2 other processes
        conhost.exe

Threat name: Win32.Trojan.LummaStealer
Status: Malicious
First seen: 2025-09-05 10:29:33 UTC
File Type: PE (Exe)
Extracted files: 18
AV detection: 13 of 24 (54.17%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: discovery
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL

Malware family: Rhadamanthys
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Rhadamanthys
File type: Executable exe
SHA256 hash: 61452f2771f1146914745b3260205ba3ee682959076e5659c57a4bcba84b8e1b (this sample)

Delivery method: Distributed via web download

Comments