MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 625c6e19608d92ec4e254bbbeb589509d753cb0d2f0e8333c121cbba249ebc68. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Rhadamanthys


Vendor detections: 11



SHA256 hash: 625c6e19608d92ec4e254bbbeb589509d753cb0d2f0e8333c121cbba249ebc68
SHA3-384 hash: 7d98201c022985a874f6fe4c18d350fac36171e2bfe476a31ec1cf92df6ade3da021a3c53d6527026be90fa1900d56e8
SHA1 hash: f220bba7e3f9f0db4ba441691df7d4482ab7c74d
MD5 hash: 39b93cf4481b121cf55a6e3cdf5b25ef
humanhash: ten-purple-stairway-zulu
File name: Windows Client x64.exe
Signature: Rhadamanthys
File size: 9'972'104 bytes
First seen: 2025-07-16 17:15:54 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7d746b91e1e57b358f148ed3374f0079 (41 x Rhadamanthys)
ssdeep: 196608:C96zLRvnS3MgOWBbuGwMUk8Y3CJPHwPGz2vh3b6JJ:C96nRvS3MgOquPNb7dHt2Mz
Threatray: 181 similar samples on MalwareBazaar
TLSH: T1EAA6334F25CD60F9EAC52C30861F6AC737F6A5B50D418838AEC19DCAE993F71A077891
TrID:
  28.5% (.EXE) Win64 Executable (generic) (10522/11/4)
  17.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
  13.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
  12.2% (.EXE) Win32 Executable (generic) (4504/4/1)
  5.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika: pebin
Reporter: burger
Tags: exe, Rhadamanthys

Intelligence


File Origin
# of uploads: 1
# of downloads: 30
Origin country: NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
WindowsClientx64.exe
Verdict:
Malicious activity
Analysis date:
2025-07-16 17:09:21 UTC
Tags:
rhadamanthys shellcode

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
invalid-signature obfuscated packed packed packer_detected signed
Result
Threat name:
RHADAMANTHYS, Xmrig
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
AI detected suspicious PE digital signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Checks if the current machine is a virtual machine (disk enumeration)
Deletes itself after installation
Detected Stratum mining protocol
Disable Windows Defender notifications (registry)
Early bird code injection technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected RHADAMANTHYS Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph (ID: 1738225; Sample: Windows Client x64.exe; Start date: 16/07/2025; Architecture: WINDOWS; Score: 100)

Root (sample start)
  DNS/IP: x.ns.gin.ntt.net; ts1.aco.net; 7 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Antivirus detection for dropped file; Multi AV Scanner detection for submitted file; 11 other signatures
  Started: Windows Client x64.exe; msedge.exe; elevation_service.exe; 3 other processes

Windows Client x64.exe
  Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process
  Started: OpenWith.exe

msedge.exe (started from root)
  DNS/IP: 239.255.255.250 (unknown, Reserved)
  Signatures: Maps a DLL or memory area into another process
  Started: msedge.exe (3 instances); 3 other processes
    msedge.exe (child): DNS/IP: 192.168.2.6 (ports 4233, 443, 49682; unknown); s-part-0012.t-0009.t-msedge.net 13.107.246.40 (ports 443, 49715, 49719; MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 9 other IPs or domains

OpenWith.exe (started by Windows Client x64.exe)
  DNS/IP: 185.232.205.30 (ports 49696, 49724, 49731; SOLTIAES, Spain); cloudflare-dns.com 104.16.249.249 (ports 443, 49695; CLOUDFLARENETUS, United States); vault-360-nexus.com
  Signatures: Query firmware table information (likely to detect VMs); Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); 4 other signatures
  Started: OpenWith.exe

OpenWith.exe (second instance)
  DNS/IP: ntp1.net.berkeley.edu 169.229.128.134 (UCBUS, United States); x.ns.gin.ntt.net 129.250.35.250 (NTT-COMMUNICATIONS-2914US, United States); 6 other IPs or domains
  Dropped: C:\Users\user\AppData\Local\...\_@E.exe (PE32+); C:\Users\user\AppData\Local\...\0Gz8z2(O.exe (PE32)
  Signatures: Early bird code injection technique detected; Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); 7 other signatures
  Started: _@E.exe; wmpnscfg.exe; chrome.exe; 3 other processes

_@E.exe
  Dropped: C:\ProgramData\Microsoft\...\WmiPrvSE.exe (PE32+)
  Signatures: Query firmware table information (likely to detect VMs); Modifies windows update settings; Adds a directory exclusion to Windows Defender; 2 other signatures
  Started: powershell.exe; cmd.exe; sc.exe; 13 other processes
    powershell.exe: Signatures: Loading BitLocker PowerShell Module; Started: conhost.exe; WmiPrvSE.exe
    cmd.exe: Started: net.exe; conhost.exe
      net.exe: Started: net1.exe
    sc.exe: Started: conhost.exe
    13 other processes: Started: conhost.exe (3 instances); 10 other processes

wmpnscfg.exe
  Signatures: Writes to foreign memory regions; Allocates memory in foreign processes
  Started: dllhost.exe
    dllhost.exe: DNS/IP: 213.209.150.143 (ports 4233, 49737; KEMINETAL, Germany)

chrome.exe
  Started: chrome.exe (2 instances)
    chrome.exe (child): DNS/IP: googlehosted.l.googleusercontent.com 142.251.40.129 (ports 443, 49706; GOOGLEUS, United States); 127.0.0.1 (unknown); clients2.googleusercontent.com

3 other processes (started by the second OpenWith.exe)
  Started: msedge.exe
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 32 Exe x86
Threat name:
Win32.Trojan.Egairtigado
Status:
Malicious
First seen:
2025-07-16 17:16:31 UTC
File Type:
PE (Exe)
AV detection:
24 of 38 (63.16%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Deletes itself
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SHA256 hash:
625c6e19608d92ec4e254bbbeb589509d753cb0d2f0e8333c121cbba249ebc68
MD5 hash:
39b93cf4481b121cf55a6e3cdf5b25ef
SHA1 hash:
f220bba7e3f9f0db4ba441691df7d4482ab7c74d
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID                         Title                                                      Severity
CHECK_AUTHENTICODE         Missing Authenticode                                       high
CHECK_DLL_CHARACTERISTICS  Missing dll Security Characteristics (HIGH_ENTROPY_VA)     high
CHECK_PIE                  Missing Position-Independent Executable (PIE) Protection   high
Reviews
ID            Capabilities       Evidence
WIN_BASE_API  Uses Win Base API  KERNEL32.dll::LoadLibraryA

Comments