MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6a3d111418dae7a42e456550f2dfbbd09ac1df068f36493119c6fefac1f40e26. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 15


Intelligence 15 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6a3d111418dae7a42e456550f2dfbbd09ac1df068f36493119c6fefac1f40e26
SHA3-384 hash: 57c734fd617beebddef14ed9fafa21ab2a95a623c30e9a9003138a935d7f94829161299d2fb005045f9279642e4ef63f
SHA1 hash: c401c64ba4e3bb806659a19b2fa3c7c3912f242b
MD5 hash: 96fb2ae41998223722571eb8961bdfaf
humanhash: stairway-blue-fifteen-single
File name:RobloxScriptManager.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:1'658'464 bytes
First seen:2025-10-01 13:46:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c32ba42c73a2bc24d2788f7750d87edb (45 x LummaStealer, 37 x Rhadamanthys, 3 x Vidar)
ssdeep 49152:FFhoMJCprgek2F2xgJq/Ybi0UA092CujG:FnoMJCprbk2FnJJbi0twCG
Threatray 88 similar samples on MalwareBazaar
TLSH T1A57533060940E023F46A467B768871F9DBDA1E2500F1A05DABE1FA0F7F723C6956FAD1
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter burger
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RobloxScriptManager.exe
Verdict:
Malicious activity
Analysis date:
2025-10-01 13:45:37 UTC
Tags:
autoit anti-evasion stealer rhadamanthys shellcode
Link:
https://app.any.run/tasks/f73ef378-040a-4532-b2cf-07c35a4ecf30

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/29769/
Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68dd30c640b7da0b4eb944d7
Tags:
autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Searching for the window
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a process from a recently created file
DNS request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug blackhole expired-cert installer invalid-signature microsoft_visual_cc nsis overlay self-signed-cert short-lived-cert signed
Link:
https://www.filescan.io/uploads/68dd30fac564c8e81d0bc2de/reports/70cca5ca-1d8c-4b07-8767-76a7b25072bc/overview
Verdict:
Suspicious
Labled as:
Malware
Link:
https://www.hybrid-analysis.com/sample/6a3d111418dae7a42e456550f2dfbbd09ac1df068f36493119c6fefac1f40e26
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-01T10:40:00Z UTC
Last seen:
2025-10-02T09:55:00Z UTC
Hits:
~10
Detections:
Backdoor.Agent.UDP.C&C Trojan.Win32.Autoit.sb HEUR:Trojan.Script.AUO.gen HEUR:Trojan.Win32.Autoit.gen
Link:
https://opentip.kaspersky.com/6a3d111418dae7a42e456550f2dfbbd09ac1df068f36493119c6fefac1f40e26/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/2aba7314-77ee-42b9-b5f6-ff61512c1cb3
Result
Threat name:
RHADAMANTHYS, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1787353
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Antivirus detection for URL or domain
Detected CypherIt Packer
Disable Windows Defender notifications (registry)
Drops PE files with a suspicious file extension
Drops PE files with benign system names
Early bird code injection technique detected
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies the context of a thread in another process (thread injection)
Modifies windows update settings
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Search for Antivirus process
Sigma detected: Stop EventLog
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses powercfg.exe to modify the power settings
Yara detected RHADAMANTHYS Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1787353 Sample: RobloxScriptManager.exe Startdate: 01/10/2025 Architecture: WINDOWS Score: 100 110 x.ns.gin.ntt.net 2->110 112 twc.trafficmanager.net 2->112 114 8 other IPs or domains 2->114 136 Antivirus detection for URL or domain 2->136 138 Antivirus detection for dropped file 2->138 140 Multi AV Scanner detection for submitted file 2->140 142 7 other signatures 2->142 14 RobloxScriptManager.exe 27 2->14         started        17 svchost.exe 3 4 2->17         started        19 elevation_service.exe 2->19         started        21 3 other processes 2->21 signatures3 process4 file5 108 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 14->108 dropped 23 cmd.exe 1 14->23         started        26 WerFault.exe 2 17->26         started        process6 signatures7 158 Detected CypherIt Packer 23->158 160 Drops PE files with a suspicious file extension 23->160 28 cmd.exe 4 23->28         started        32 conhost.exe 23->32         started        162 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 26->162 164 Queries memory information (via WMI often done to detect virtual machines) 26->164 process8 file9 102 C:\Users\user\AppData\Local\...\Interim.scr, PE32+ 28->102 dropped 166 Detected CypherIt Packer 28->166 34 Interim.scr 28->34         started        37 extrac32.exe 17 28->37         started        39 tasklist.exe 1 28->39         started        41 5 other processes 28->41 signatures10 process11 signatures12 128 Hijacks the control flow in another process 34->128 130 Modifies the context of a thread in another process (thread injection) 34->130 132 Injects a PE file into a foreign processes 34->132 134 Found direct / indirect Syscall (likely to bypass EDR) 34->134 43 OpenWith.exe 5 34->43         started        48 Interim.scr 34->48         started        process13 dnsIp14 122 169.229.128.134 UCBUS United States 43->122 124 ntp.time.nl 94.198.159.10 SIDNNL Netherlands 43->124 126 8 other IPs or domains 43->126 104 C:\Users\user\AppData\Local\...\t5AxQ5j.exe, PE32+ 43->104 dropped 106 C:\Users\user\AppData\Local\...\TJ$9i.exe, PE32+ 43->106 dropped 168 Early bird code injection technique detected 43->168 170 Found evasive API chain (may stop execution after checking mutex) 43->170 172 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 43->172 174 8 other signatures 43->174 50 TJ$9i.exe 43->50         started        54 t5AxQ5j.exe 43->54         started        56 chrome.exe 43->56         started        58 chrome.exe 43->58         started        60 WerFault.exe 48->60         started        file15 signatures16 process17 file18 98 C:\ProgramData\Microsoft\...\WmiPrvSE.exe, PE32+ 50->98 dropped 144 Antivirus detection for dropped file 50->144 146 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 50->146 148 Query firmware table information (likely to detect VMs) 50->148 156 4 other signatures 50->156 62 cmd.exe 50->62         started        65 cmd.exe 50->65         started        67 powershell.exe 50->67         started        76 15 other processes 50->76 100 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32+ 54->100 dropped 150 Queries memory information (via WMI often done to detect virtual machines) 54->150 152 Drops PE files with benign system names 54->152 154 Found direct / indirect Syscall (likely to bypass EDR) 54->154 69 cmd.exe 54->69         started        71 chrome.exe 56->71         started        74 chrome.exe 56->74         started        signatures19 process20 dnsIp21 176 Uses powercfg.exe to modify the power settings 62->176 178 Modifies power options to not sleep / hibernate 62->178 78 net.exe 62->78         started        80 conhost.exe 62->80         started        82 conhost.exe 65->82         started        92 2 other processes 65->92 180 Loading BitLocker PowerShell Module 67->180 84 conhost.exe 69->84         started        116 googlehosted.l.googleusercontent.com 142.250.64.193, 443, 49736, 49737 GOOGLEUS United States 71->116 118 127.0.0.1 unknown unknown 71->118 120 clients2.googleusercontent.com 71->120 86 conhost.exe 76->86         started        88 conhost.exe 76->88         started        90 conhost.exe 76->90         started        94 14 other processes 76->94 signatures22 process23 process24 96 net1.exe 78->96         started       
Score:
77%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6a3d111418dae7a42e456550f2dfbbd09ac1df068f36493119c6fefac1f40e26
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6a3d111418dae7a42e456550f2dfbbd09ac1df068f36493119c6fefac1f40e26/
Verdict:
Malicious
Threat:
Family.RHADAMANTHYS
Link:
https://tip.neiki.dev/file/6a3d111418dae7a42e456550f2dfbbd09ac1df068f36493119c6fefac1f40e26
Threat name:
Win32.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-10-01 13:46:48 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
20 of 38 (52.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ni6rcfay3lt2ilsfmvipfx532cnmdxygr43esmizy37pvqpubyta._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
49e86f8f81cc8dad354e988d8d8baf2f79d45d7f7c542785ce37409df92bee6c
Rhadamanthys
501023ffbeb8e60ac29e59b1d06398386cbcf725d7d905f59847b611b6c1f6ae
Rhadamanthys
6a3d111418dae7a42e456550f2dfbbd09ac1df068f36493119c6fefac1f40e26
Rhadamanthys
9ce5ffbac54a8c852bebb64e472487c6685b35b9fd722b321fff4c48a57d6309
Rhadamanthys
b253a1dd0eef41a206dd2cc6aa21511bc149f5554c102e27b20ffae7ef3d08c1
Rhadamanthys
bf99ffa607b67877a42af7dfc788553d09baabe541aec003fe9f73bcd3fa172d
Rhadamanthys
d5b426bc6569086b367a780f54fafc285357ab72fd084cdbf71ce0b15a185d6b
Rhadamanthys
dbf13a20fc8a6ed7d68167f9109b8bf0aab59a31e62e226e6f027be514dbbe87
Rhadamanthys
error
Rhadamanthys
+ 78 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery
Link:
https://tria.ge/reports/251001-q3tgmafp7w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d5f995c8-e1ce-4dd4-8ade-f6df6a0ce4e2
Unpacked files
SH256 hash:
6a3d111418dae7a42e456550f2dfbbd09ac1df068f36493119c6fefac1f40e26
MD5 hash:
96fb2ae41998223722571eb8961bdfaf
SHA1 hash:
c401c64ba4e3bb806659a19b2fa3c7c3912f242b
Link:
https://www.unpac.me/results/0d8cec94-29bd-4206-a596-adb7c13c7c2c/
SH256 hash:
bb4fb924885b8d6719cb88e7f231abcbb7c2a1c69be92a12ce7bb56bed9129e3
MD5 hash:
094ae615109634f48bede4a612e36fc8
SHA1 hash:
a8b8cbf4d8a7f368b3ae53090bab40a2793657eb
Link:
https://www.unpac.me/results/0d8cec94-29bd-4206-a596-adb7c13c7c2c/
SH256 hash:
8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af
MD5 hash:
08e9796ca20c5fc5076e3ac05fb5709a
SHA1 hash:
07971d52dcbaa1054060073571ced046347177f7
Link:
https://www.unpac.me/results/0d8cec94-29bd-4206-a596-adb7c13c7c2c/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6a3d111418da/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6a3d111418dae7a42e456550f2dfbbd09ac1df068f36493119c6fefac1f40e26

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/29769/

Comments