MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e41c3558c6122c83651b46fc54362ea9acc66870f54a04f85d14dfa3069edef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 15

Intelligence 15 IOCs YARA 2 File information Comments

SHA256 hash:	6e41c3558c6122c83651b46fc54362ea9acc66870f54a04f85d14dfa3069edef
SHA3-384 hash:	a185c4439a3a5c08b7b7a78e7b99e10e801051983816715dd78189bd83f74bc3ea3e69dc5da676e0369712888dafcf95
SHA1 hash:	4bcf07a8fde1d481e7547d9b9034c99e43ccb167
MD5 hash:	a364bfd0871961388394b5671d4fba6e
humanhash:	sad-potato-alaska-red
File name:	Boostrapper.exe
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	1'584'696 bytes
First seen:	2025-09-20 05:00:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	32f3282581436269b3a75b6675fe3e08 (197 x LummaStealer, 122 x Rhadamanthys, 8 x CoinMiner)
ssdeep	24576:a0AnF0KUTo2v3Wh9t2AVR8TldN2ynpv4pzSmJXzOWkcX7TYVPPfwpbdDMleM9H1:20KI3fS9ZR8TlX1eL02wVPdeMz
Threatray	2'913 similar samples on MalwareBazaar
TLSH	T1647533455106C1E1ECB206F235B1299B19FB7830897A1D77661CBF4E3D32E91EC2EA63
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10522/11/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika	pebin
Reporter	mazznrz
Tags:	exe Rhadamanthys

Intelligence

File Origin

# of uploads :

# of downloads :

112

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Boostrapper.exe

Verdict:

Malicious activity

Analysis date:

2025-09-19 14:03:43 UTC

Tags:

autoit anti-evasion stealer rhadamanthys

Link:

https://app.any.run/tasks/c24fca50-23d5-4d8b-abf7-383b2648cc63

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/28419/

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68ce34ff246a2631bd3176c9

Tags:

autoit emotet spoof nsis

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% directory

Creating a window

Creating a file

Searching for the window

Searching for the Windows task manager window

Running batch commands

Creating a process with a hidden window

Launching cmd.exe command interpreter

Launching a process

Using the Windows Management Instrumentation requests

Searching for synchronization primitives

Creating a process from a recently created file

DNS request

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug blackhole CAB darkgate expand installer lolbin microsoft_visual_cc nsis overlay packed unsafe

Link:

https://www.filescan.io/uploads/68ce34fb254431b688d658ee/reports/b9dd3359-9846-4bf8-b372-a92e70c95b36/overview

Verdict:

Malicious

Labled as:

Trojan_Win64_LummaStealer_rfn

Link:

https://www.hybrid-analysis.com/sample/6e41c3558c6122c83651b46fc54362ea9acc66870f54a04f85d14dfa3069edef

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-09-19T09:38:00Z UTC

Last seen:

2025-09-19T09:38:00Z UTC

Hits:

~10

Link:

https://opentip.kaspersky.com/6e41c3558c6122c83651b46fc54362ea9acc66870f54a04f85d14dfa3069edef/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/809373e7-12ac-4c3f-acf3-856feac975e2

Score:

94%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/6e41c3558c6122c83651b46fc54362ea9acc66870f54a04f85d14dfa3069edef

Verdict:

inconclusive

YARA:

5 match(es)

Tags:

Executable NSIS Installer PE (Portable Executable) PE Memory-Mapped (Dump)

Link:

https://app.malva.re/file/a364bfd0871961388394b5671d4fba6e

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6e41c3558c6122c83651b46fc54362ea9acc66870f54a04f85d14dfa3069edef/

Verdict:

Malicious

Threat:

Family.RHADAMANTHYS

Link:

https://tip.neiki.dev/file/6e41c3558c6122c83651b46fc54362ea9acc66870f54a04f85d14dfa3069edef

Threat name:

Win32.Spyware.Rhadamanthys

Status:

Suspicious

First seen:

2025-09-19 18:31:39 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

16 of 24 (66.67%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=nza4gvmmmermqnsrwrx4kq3c5knmyzuhb5kkat4f2fg7umdj5xxq._file

Verdict:

malicious

Label(s):

rhadamanthys

Rhadamanthys

41baba6a17762d76900b0f7e16d39735fcf1cb5842d9501bf58fbe07bff60356

Rhadamanthys

48299f284a7df35f0417b3b952cc4737f40769a31d77199b0bdaab35cef2f752

Rhadamanthys

5198e4990bdd2cf13a830a459b2309ae8b3e6fbfdd4a8aef599037d82c5a07bf

Rhadamanthys

6e85fc9c4f8a1c79c47d2efd739dd934935cbc53f61a58a9d607b880484594c7

Rhadamanthys

90b230c7b8c4991a8f657bc8031157a9070c24eb3de9cd074241985dc99489c0

Rhadamanthys

b87a083343939a8260bb395af58b09dd699f8a4525aa8f6786210c3b1c691653

Rhadamanthys

c7f881debe7f6186cffbd04858766dfebac68f73f99444718932e47a0968d325

Rhadamanthys

ca8cf8aa0bab28b391de182e61cf7f9e8f8464717ab971384b73db628aef7267

Rhadamanthys

error

Rhadamanthys

f952862b20218f50c028a60c9d62eb3ee9fda8eb79eaf5d7fb737df776f42004

Rhadamanthys

+ 2'903 additional samples on MalwareBazaar

Result

Malware family:

rhadamanthys

Score:

10/10

Tags:

family:rhadamanthys discovery stealer

Link:

https://tria.ge/reports/250920-fnckfsdj61/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

Drops file in Windows directory

Enumerates processes with tasklist

Executes dropped EXE

Loads dropped DLL

Detects Rhadamanthys Payload

Rhadamanthys

Rhadamanthys family

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/7e1ca60a-24ff-4dbf-8891-cb588a09c996

Unpacked files

SH256 hash:

6e41c3558c6122c83651b46fc54362ea9acc66870f54a04f85d14dfa3069edef

MD5 hash:

a364bfd0871961388394b5671d4fba6e

SHA1 hash:

4bcf07a8fde1d481e7547d9b9034c99e43ccb167

Link:

https://www.unpac.me/results/7f7fc37a-724f-42a0-87f5-eba82d1adbf4/

SH256 hash:

bb4fb924885b8d6719cb88e7f231abcbb7c2a1c69be92a12ce7bb56bed9129e3

MD5 hash:

094ae615109634f48bede4a612e36fc8

SHA1 hash:

a8b8cbf4d8a7f368b3ae53090bab40a2793657eb

Link:

https://www.unpac.me/results/7f7fc37a-724f-42a0-87f5-eba82d1adbf4/

SH256 hash:

8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af

MD5 hash:

08e9796ca20c5fc5076e3ac05fb5709a

SHA1 hash:

07971d52dcbaa1054060073571ced046347177f7

Link:

https://www.unpac.me/results/7f7fc37a-724f-42a0-87f5-eba82d1adbf4/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6e41c3558c6122c83651b46fc54362ea9acc66870f54a04f85d14dfa3069edef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	Detect_NSIS_Nullsoft_Installer Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects NSIS installers by .ndata section + NSIS header string