MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64806bea9c63c64f65ff89841a083547dca73ce0f888d083c6c1c74670428773. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 18


Intelligence 18 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 64806bea9c63c64f65ff89841a083547dca73ce0f888d083c6c1c74670428773
SHA3-384 hash: 84d2da66378b2738ca194eaf74c04f962e08106fe8bc4eb4a2b134af076001bc3787b085fc02447969fdc4c14269f57d
SHA1 hash: b0f14ed7aa5f9f9bc7f75543d12ac291cf1af740
MD5 hash: aaf6451fb8099a85fa459a16f8595bad
humanhash: beer-winter-mars-equal
File name:64806bea9c63c64f65ff89841a083547dca73ce0f888d083c6c1c74670428773.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:1'042'944 bytes
First seen:2025-09-10 06:02:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1deeab33a3db0d2c20caa9f7afb33436 (6 x Rhadamanthys)
ssdeep 24576:cxS3p0KAFs3l/i8gtvuLhEG4sWY2qHFqg9SfXMbY:cxS5XAu3l/KuLhr/WfgFTSfXMU
Threatray 40 similar samples on MalwareBazaar
TLSH T1BE250142F1F380A3F74394F02A79A679582DFA63A7380DDB6184F634A5749D2173362B
TrID 49.9% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.6% (.EXE) OS/2 Executable (generic) (2029/13)
9.5% (.EXE) Generic Win/DOS Executable (2002/3)
9.4% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
64806bea9c63c64f65ff89841a083547dca73ce0f888d083c6c1c74670428773.exe
Verdict:
No threats detected
Analysis date:
2025-09-08 17:20:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c26f7061-011d-4b3a-9f1e-ee69724cdaa4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Rhadamanthys
Create hunting rule
Link:
https://www.capesandbox.com/analysis/26603/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c114bf6e66ba602d79b887
Tags:
cobalt virus core
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
crypt crypto microsoft_visual_cc packed
Link:
https://www.filescan.io/uploads/68c114bc1b52c70384b8bc94/reports/68ec3702-0dbc-4adb-ba3a-b3f5b7701032/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/64806bea9c63c64f65ff89841a083547dca73ce0f888d083c6c1c74670428773
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-08T14:29:00Z UTC
Last seen:
2025-09-08T14:29:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Strab.sb Trojan.Win32.Crypt.sb Trojan-PSW.Win32.Crypt.iz Trojan.Win64.SBEscape.sb
Link:
https://opentip.kaspersky.com/64806bea9c63c64f65ff89841a083547dca73ce0f888d083c6c1c74670428773/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/d393f696-aa49-4b0a-bd0d-6112b2874d9d
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1774445
Signature
Early bird code injection technique detected
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1774445 Sample: Ihbs7Tedpj.exe Startdate: 10/09/2025 Architecture: WINDOWS Score: 96 49 twc.trafficmanager.net 2->49 51 time.windows.com 2->51 53 5 other IPs or domains 2->53 79 Suricata IDS alerts for network traffic 2->79 81 Multi AV Scanner detection for submitted file 2->81 83 Yara detected RHADAMANTHYS Stealer 2->83 85 Found many strings related to Crypto-Wallets (likely being stolen) 2->85 9 Ihbs7Tedpj.exe 1 2->9         started        13 msedge.exe 104 376 2->13         started        15 elevation_service.exe 2->15         started        17 3 other processes 2->17 signatures3 process4 dnsIp5 67 94.74.164.157, 49685, 49724, 49725 FARAHOOSHIR Iran (ISLAMIC Republic Of) 9->67 95 Found many strings related to Crypto-Wallets (likely being stolen) 9->95 97 Switches to a custom stack to bypass stack traces 9->97 99 Found direct / indirect Syscall (likely to bypass EDR) 9->99 19 dllhost.exe 6 9->19         started        23 conhost.exe 9->23         started        69 239.255.255.250 unknown Reserved 13->69 25 msedge.exe 13->25         started        27 msedge.exe 13->27         started        29 msedge.exe 13->29         started        31 2 other processes 13->31 signatures6 process7 dnsIp8 55 time-a-g.nist.gov 129.6.15.28, 123, 51674 US-NATIONAL-INSTITUTE-OF-STANDARDS-AND-TECHNOLOGYUS United States 19->55 57 twc.trafficmanager.net 40.119.6.228, 123, 51674 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 19->57 63 4 other IPs or domains 19->63 87 Early bird code injection technique detected 19->87 89 Found many strings related to Crypto-Wallets (likely being stolen) 19->89 91 Tries to harvest and steal browser information (history, passwords, etc) 19->91 93 2 other signatures 19->93 33 chrome.exe 19->33         started        36 msedge.exe 14 19->36         started        38 chrome.exe 19->38         started        40 setup_wm.exe 19->40         started        59 192.168.2.5, 123, 138, 443 unknown unknown 25->59 61 s-part-0041.t-0009.t-msedge.net 13.107.246.69, 443, 49708, 49713 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 25->61 65 12 other IPs or domains 25->65 signatures9 process10 signatures11 77 Found many strings related to Crypto-Wallets (likely being stolen) 33->77 42 chrome.exe 33->42         started        45 chrome.exe 33->45         started        47 msedge.exe 36->47         started        process12 dnsIp13 71 googlehosted.l.googleusercontent.com 172.217.12.97, 443, 49699, 49700 GOOGLEUS United States 42->71 73 127.0.0.1 unknown unknown 42->73 75 clients2.googleusercontent.com 42->75
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/64806bea9c63c64f65ff89841a083547dca73ce0f888d083c6c1c74670428773
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/64806bea9c63c64f65ff89841a083547dca73ce0f888d083c6c1c74670428773/
Verdict:
Malicious
Threat:
Family.RHADAMANTHYS
Link:
https://tip.neiki.dev/file/64806bea9c63c64f65ff89841a083547dca73ce0f888d083c6c1c74670428773
Threat name:
Win32.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-09-08 17:20:27 UTC
File Type:
PE (Exe)
AV detection:
27 of 38 (71.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=msagx2u4mpde6zp7rgcbucbvi7okopha7cenba6gyhdum4ccq5zq._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
62e6ff50f518e486bc4a0f6cf6be993eae8a62d6e257d4d294460ae30692299c
Rhadamanthys
677be338532b255e041fda3f46d6dc8ab38f332bc9e00c53d9d3708e7c1422a7
Rhadamanthys
99f9692c01489daaec146807f05e426b9dd73be2d880fb0a1648c0e990aaeb15
Rhadamanthys
9fa816137ebc8147afb914999724d61d979c56b2fb5680a8f38f36a2e173174d
Rhadamanthys
a5809a42fba08fa4ce38ae0ab74b433fe91826de4296c147fc4214eee86dc919
Rhadamanthys
d5d1a3362fe4e63bca40faa5c0a201a56c76cd27c1ce4c0b11a6bc13c3e19941
Rhadamanthys
ec64fe244d21180574fca2a74e1c1d84983ed58dfd7992880591e7759e390f10
Rhadamanthys
error
Rhadamanthys
fdfbc1ca939418ba3fe30ef9daca82ae843fec06997f3a21d70aeb9c18f997b6
Rhadamanthys
+ 30 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys discovery stealer
Link:
https://tria.ge/reports/250910-gsclpavrv3/
Behaviour
System Location Discovery: System Language Discovery
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/63baf8a8-3428-4b5c-b777-4b26fd05ae22
Unpacked files
SH256 hash:
64806bea9c63c64f65ff89841a083547dca73ce0f888d083c6c1c74670428773
MD5 hash:
aaf6451fb8099a85fa459a16f8595bad
SHA1 hash:
b0f14ed7aa5f9f9bc7f75543d12ac291cf1af740
Link:
https://www.unpac.me/results/10cfc0ec-69b7-4945-8802-6e0a9bd290e6/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/64806bea9c63/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/64806bea9c63c64f65ff89841a083547dca73ce0f888d083c6c1c74670428773

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/26603/

Comments