MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c7e15d7bd35333dd0241649694ef9f8a85f9260d060fa4dab3cc50e16183ed8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 14


Intelligence 14 IOCs YARA 10 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c7e15d7bd35333dd0241649694ef9f8a85f9260d060fa4dab3cc50e16183ed8
SHA3-384 hash: 6c8fd4aed88f011965510b48d6243944257f775baaa2c09f93a9dbcc5e43422509f54601669b53b63d093f4b955e6622
SHA1 hash: 02cdd0e855218c1faa6d54a31943ef6c8fe3afc6
MD5 hash: f3682387e752985763957e119e371e66
humanhash: green-mississippi-alanine-purple
File name:[x86][x64]_Setup.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:3'081'728 bytes
First seen:2025-03-19 05:20:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7384584e673981d184ff0b4b6a3ffac7 (2 x Rhadamanthys)
ssdeep 49152:sYPKuZyw8rlFH4ymLqOkrOwmlIUv9+TQBfmSiQuubfIHj0QWkz6GEnE4reClt:jKul8rLH4ymLqDrOZrTO5TupGSEmeClt
Threatray 63 similar samples on MalwareBazaar
TLSH T114E5D0127291C0B6D1530D7069BCAB6AA5BDBF705B318983B3803F6CA971AC3D525E1F
TrID 40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) OS/2 Executable (generic) (2029/13)
7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon ba451b6579456549 (2 x Rhadamanthys, 1 x Formbook, 1 x CryptBot)
Reporter abuse_ch
Tags:de-pumped exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
461
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
[x86][x64]_Setup.exe
Verdict:
Malicious activity
Analysis date:
2025-03-19 05:21:23 UTC
Tags:
rhadamanthys stealer shellcode
Link:
https://app.any.run/tasks/9c54df4c-3810-46b6-a25e-7f17853d4b31

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67da5696194f23322a7103d4
Tags:
downloader dropper virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Launching a process
Using the Windows Management Instrumentation requests
Connection attempt
Sending a custom TCP request
DNS request
Sending a UDP request
Reading critical registry keys
Searching for the window
Creating a window
Unauthorized injection to a system process
Stealing user critical data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
aeroadmin crypto explorer fingerprint keylogger lolbin microsoft_visual_cc packed packed packer_detected remote
Link:
https://www.filescan.io/uploads/67da54480a7899f3579d37fc/reports/c073b012-c9ab-4a94-878b-453773cbec6c/overview
Verdict:
Malicious
Labled as:
Infostealer/LummaC2
Link:
https://www.hybrid-analysis.com/sample/6c7e15d7bd35333dd0241649694ef9f8a85f9260d060fa4dab3cc50e16183ed8
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/a9003b3b-19f8-459d-9285-7f1ce2c3bdf0
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1642544
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
82%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6c7e15d7bd35333dd0241649694ef9f8a85f9260d060fa4dab3cc50e16183ed8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6c7e15d7bd35333dd0241649694ef9f8a85f9260d060fa4dab3cc50e16183ed8/
Threat name:
Win32.Spyware.Rhadamanthys
Create hunting rule
Status:
Suspicious
First seen:
2025-03-19 05:21:12 UTC
File Type:
PE (Exe)
Extracted files:
7
AV detection:
14 of 24 (58.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nr7blv55guzt3ubeczewstxz7cuf7eta2bqputnlhtcq4fqyh3ma._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
7c3df25808e764c61d9db2d4021d2e8d2f266b710bed35ce91e7384ded271faf
Rhadamanthys
82285aaafe378305cd523e4bb1ad93725ba51501c7dcfc68af15512017115b9a
Rhadamanthys
8651f126047222ca0273f9d0000681538a5847f7e4a45f62af497f934df014e1
Rhadamanthys
a88c153e1595f9d193b3f881ec77e0d7d338ae22c9f6e67ffdf39c3609fcdbf7
Rhadamanthys
b537b24d31cd6cf9809827248309a7710461831149b695cacea56fa7f9b49d79
Rhadamanthys
dabfe2b02c36b5f1a7f1c0d96798c944f69f84c4889e2e7e25655bb4d3894f31
Rhadamanthys
e2f944cbcda22e6fd727f93514d11a7885f4bae6c6c5f33630e737b7c861907e
Rhadamanthys
ec7bee464dfecee9727881acf530a1b649be2036b716f0859910f938f2e577dd
Rhadamanthys
error
Rhadamanthys
+ 53 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery
Link:
https://tria.ge/reports/250319-f13bmssxas/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/0b8fc1ad-282a-40fb-bb10-7c35e3537906
Unpacked files
SH256 hash:
6c7e15d7bd35333dd0241649694ef9f8a85f9260d060fa4dab3cc50e16183ed8
MD5 hash:
f3682387e752985763957e119e371e66
SHA1 hash:
02cdd0e855218c1faa6d54a31943ef6c8fe3afc6
Link:
https://www.unpac.me/results/e25a8f6a-9ed6-405f-85cb-1bc8f26f1779/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6c7e15d7bd35/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6c7e15d7bd35333dd0241649694ef9f8a85f9260d060fa4dab3cc50e16183ed8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__ConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_RMM_AeroAdmin
Create hunting rule
Author:ditekSHen
Description:Detects AeroAdmin. Review RMM Inventory
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

7z 2c5a74fdffdce61b603d02022c932b36204fdc8db9ef69b46f39d5404a4c2312

Rhadamanthys

Executable exe 6c7e15d7bd35333dd0241649694ef9f8a85f9260d060fa4dab3cc50e16183ed8

(this sample)

  
Dropped by
MD5 f9a15a0ca1aad9af4768c8cef74cb820
  
Dropped by
SHA256 2c5a74fdffdce61b603d02022c932b36204fdc8db9ef69b46f39d5404a4c2312

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::SetEntriesInAclW
ADVAPI32.dll::SetSecurityInfo
ADVAPI32.dll::SetTokenInformation
ADVAPI32.dll::InitializeSecurityDescriptor
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CreateStreamOnHGlobal
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdiplusShutdown
gdiplus.dll::GdipGetImageEncodersSize
gdiplus.dll::GdipGetImageEncoders
gdiplus.dll::GdipAlloc
MULTIMEDIA_APICan Play MultimediaWINMM.dll::timeBeginPeriod
WINMM.dll::timeEndPeriod
WINMM.dll::waveInAddBuffer
WINMM.dll::waveInClose
WINMM.dll::waveInGetDevCapsW
WINMM.dll::waveInGetNumDevs
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::CheckTokenMembership
ADVAPI32.dll::DuplicateTokenEx
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::SetFileSecurityW
ADVAPI32.dll::SetSecurityDescriptorDacl
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
SHELL32.dll::ShellExecuteExW
SHELL32.dll::SHGetFileInfoW
URL_MONIKERS_APICan Download & Execute componentsurlmon.dll::URLDownloadToFileW
urlmon.dll::URLOpenBlockingStreamW
WIN32_PROCESS_APICan Create Process and ThreadsADVAPI32.dll::CreateProcessAsUserW
ADVAPI32.dll::CreateProcessWithLogonW
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
KERNEL32.dll::CloseHandle
WINHTTP.dll::WinHttpCloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetVolumeInformationW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetDiskFreeSpaceExW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::AttachConsole
KERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetStdHandle
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileMappingW
IPHLPAPI.DLL::IcmpCreateFile
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
WIN_BASE_USER_APIRetrieves Account InformationKERNEL32.dll::GetComputerNameW
ADVAPI32.dll::LogonUserW
ADVAPI32.dll::LookupAccountSidW
ADVAPI32.dll::LookupPrivilegeValueW
WIN_CRYPT_APIUses Windows Crypt APICRYPT32.dll::CertGetCertificateContextProperty
ADVAPI32.dll::CryptAcquireContextW
ADVAPI32.dll::CryptGenRandom
WIN_HTTP_APIUses HTTP servicesWINHTTP.dll::WinHttpAddRequestHeaders
WINHTTP.dll::WinHttpConnect
WINHTTP.dll::WinHttpOpen
WINHTTP.dll::WinHttpOpenRequest
WINHTTP.dll::WinHttpQueryDataAvailable
WINHTTP.dll::WinHttpQueryOption
WIN_NETWORK_APISupports Windows NetworkingMPR.dll::WNetEnumResourceW
MPR.dll::WNetOpenEnumW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_SOCK_APIUses Network to send and receive dataWS2_32.dll::freeaddrinfo
WS2_32.dll::getaddrinfo
WS2_32.dll::WSAConnect
WS2_32.dll::WSASocketW
WIN_SVC_APICan Manipulate Windows ServicesADVAPI32.dll::ChangeServiceConfig2W
ADVAPI32.dll::CreateServiceW
ADVAPI32.dll::OpenSCManagerW
ADVAPI32.dll::OpenServiceW
ADVAPI32.dll::RegisterServiceCtrlHandlerExW
ADVAPI32.dll::StartServiceW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::BroadcastSystemMessageW
USER32.dll::CloseDesktop
USER32.dll::CreateMenu
USER32.dll::EmptyClipboard
USER32.dll::FindWindowW
USER32.dll::LockWorkStation

Comments