MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e64eb97cc46d6791a9d9d80d42ecabb57f2a6fdecf972db4801333baf55afa2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 10


Intelligence 10 IOCs YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6e64eb97cc46d6791a9d9d80d42ecabb57f2a6fdecf972db4801333baf55afa2
SHA3-384 hash: 1783af2cf65416baf2cbeb7b583b9722aa1f047e3799cf79bd2638941bbae78640fcea33ccedcfc9a5317bbf1a941381
SHA1 hash: b8139ab05fd2d2ab81a0ea45768d9cfdf24d3806
MD5 hash: cfc78e1f51e146667c246eda3259f8e0
humanhash: georgia-bakerloo-fanta-queen
File name:sdHookpp.64.dll
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:3'129'144 bytes
First seen:2025-10-27 17:16:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 0951d9f67c9a9e1b6ea746ed01bccc26 (18 x Rhadamanthys, 4 x Vidar, 1 x AmateraStealer)
ssdeep 49152:q4gZKpkwa2RcN0F/7Yxc9TS49VP0gvmb+W3s9:qnp2Rz/7YxcVS4XP0RbW9
Threatray 432 similar samples on MalwareBazaar
TLSH T185E5C22EA890985CC29D4538AF6A814175727F4D3B2733D31952B274AFF96DB383AF10
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter burger
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
sdHookpp.64.dll
Verdict:
Malicious activity
Analysis date:
2025-10-27 17:15:51 UTC
Tags:
rhadamanthys stealer golang
Link:
https://app.any.run/tasks/652793c6-d862-4681-8b9e-2b090e97df3d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34318/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68ffa8ec5de5ca270752e992
Tags:
injection obfusc virus
Result
Verdict:
Clean
Maliciousness:

Behaviour
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Verdict:
Suspicious
Labled as:
Win64/GenKryptik.HMIC trojan
Link:
https://www.hybrid-analysis.com/sample/6e64eb97cc46d6791a9d9d80d42ecabb57f2a6fdecf972db4801333baf55afa2
Verdict:
Clean
File Type:
dll x64
First seen:
2025-10-27T14:31:00Z UTC
Last seen:
2025-10-27T14:59:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/6e64eb97cc46d6791a9d9d80d42ecabb57f2a6fdecf972db4801333baf55afa2/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f8e258cc-c9d7-4c5d-ba14-5b77083a1197
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1802621
Signature
Allocates memory in foreign processes
Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)
Found many strings related to Crypto-Wallets (likely being stolen)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Queues an APC in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1802621 Sample: sdHookpp.64.dll.exe Startdate: 27/10/2025 Architecture: WINDOWS Score: 100 62 x.ns.gin.ntt.net 2->62 64 twc.trafficmanager.net 2->64 66 13 other IPs or domains 2->66 90 Multi AV Scanner detection for submitted file 2->90 92 Yara detected RHADAMANTHYS Stealer 2->92 10 loaddll64.exe 1 2->10         started        12 elevation_service.exe 2->12         started        signatures3 process4 process5 14 rundll32.exe 10->14         started        18 cmd.exe 1 10->18         started        20 rundll32.exe 10->20         started        22 6 other processes 10->22 dnsIp6 70 94.74.164.94, 49716, 49717, 49718 FARAHOOSHIR Iran (ISLAMIC Republic Of) 14->70 72 time-a-g.nist.gov 129.6.15.28 US-NATIONAL-INSTITUTE-OF-STANDARDS-AND-TECHNOLOGYUS United States 14->72 78 3 other IPs or domains 14->78 106 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->106 108 Tries to steal Mail credentials (via file / registry access) 14->108 110 Found many strings related to Crypto-Wallets (likely being stolen) 14->110 122 4 other signatures 14->122 24 wmlaunch.exe 14->24         started        27 chrome.exe 14->27         started        29 WerFault.exe 14->29         started        31 rundll32.exe 18->31         started        112 System process connects to network (likely due to code injection or exploit) 20->112 114 Tries to harvest and steal ftp login credentials 20->114 116 Tries to harvest and steal browser information (history, passwords, etc) 20->116 40 2 other processes 20->40 74 ntp.nict.jp 133.243.238.163 NICTNationalInstituteofInformationandCommunicationsTe Japan 22->74 76 ntp1.hetzner.de 213.239.239.164 HETZNER-ASDE Germany 22->76 118 Maps a DLL or memory area into another process 22->118 120 Tries to harvest and steal Bitcoin Wallet information 22->120 34 WerFault.exe 2 22->34         started        36 chrome.exe 22->36         started        38 chrome.exe 22->38         started        42 3 other processes 22->42 signatures7 process8 dnsIp9 94 Writes to foreign memory regions 24->94 96 Allocates memory in foreign processes 24->96 44 dllhost.exe 24->44         started        46 dllhost.exe 24->46         started        48 dllhost.exe 24->48         started        57 2 other processes 24->57 80 ntp1.net.berkeley.edu 169.229.128.134 UCBUS United States 31->80 82 ntp.time.nl 94.198.159.10 SIDNNL Netherlands 31->82 84 5 other IPs or domains 31->84 98 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 31->98 100 Tries to steal Mail credentials (via file / registry access) 31->100 102 Found many strings related to Crypto-Wallets (likely being stolen) 31->102 104 2 other signatures 31->104 50 wmlaunch.exe 31->50         started        53 chrome.exe 31->53         started        55 WerFault.exe 31->55         started        signatures10 process11 signatures12 86 Writes to foreign memory regions 50->86 88 Allocates memory in foreign processes 50->88 59 dllhost.exe 50->59         started        process13 dnsIp14 68 176.46.141.11 ESTPAKEE Iran (ISLAMIC Republic Of) 59->68
Score:
79%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/6e64eb97cc46d6791a9d9d80d42ecabb57f2a6fdecf972db4801333baf55afa2
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/cfc78e1f51e146667c246eda3259f8e0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6e64eb97cc46d6791a9d9d80d42ecabb57f2a6fdecf972db4801333baf55afa2/
Verdict:
Susipicious
Link:
https://tip.neiki.dev/file/6e64eb97cc46d6791a9d9d80d42ecabb57f2a6fdecf972db4801333baf55afa2
Threat name:
Win64.Spyware.Rhadamanthys
Create hunting rule
Status:
Malicious
First seen:
2025-10-27 17:16:19 UTC
File Type:
PE+ (Dll)
Extracted files:
20
AV detection:
19 of 38 (50.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nzsoxf6mi3lhsgu5twanilwkxnl7fjx55t4xfw2iaeztxl2vv6ra._file
Verdict:
malicious
Label(s):
smokeloader
Create hunting rule
rhadamanthys
Create hunting rule
Similar samples:
4f163bfa3869ae475b639f1c2caf40828331ca2e6c4a8b30750e5f4a0c164c10
Rhadamanthys
5454c752972ea61fa619b6b687597e86f54ed685b92f1e5beadf65791adbe130
Rhadamanthys
5545a23dfc8b49f7f8196de40c957895e6ac102ed24994fc00a9df45d2cc7afb
Rhadamanthys
667042d2b9e6a7ce756504339331b15b9810dcbc22eab743fb435110669452ce
Rhadamanthys
8bf0ab02e9370d26ed8b4fb7cf39a8d7708b69a31b406836598f2515d25f2be2
Rhadamanthys
a175866ee7d1de8b338c5879dca1794f6ec32a18b1a0f3ff47a6fa87e33f761f
Rhadamanthys
bbb0b744632fe251819233d4c693758a4e8d20b3b88f5605a60aaebb4ae1ed9d
Rhadamanthys
d378eafd2f24af93bfd44936867aa85d2b78434b7fd04960f7ed696f337b4389
Rhadamanthys
d813b9c2a13e3e2d7423a2496a8d7397df8135cf0376d1fad06cb3af794a651e
Rhadamanthys
error
Rhadamanthys
+ 422 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/251027-vtl4eayrb1/
Behaviour
Suspicious behavior: EnumeratesProcesses
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/dfa68466-643a-4b37-b84b-75efa1d3ced2
Unpacked files
SH256 hash:
6e64eb97cc46d6791a9d9d80d42ecabb57f2a6fdecf972db4801333baf55afa2
MD5 hash:
cfc78e1f51e146667c246eda3259f8e0
SHA1 hash:
b8139ab05fd2d2ab81a0ea45768d9cfdf24d3806
Link:
https://www.unpac.me/results/b5432a16-cd18-4dec-b013-018dc4b8c316/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/6e64eb97cc46d6791a9d9d80d42ecabb57f2a6fdecf972db4801333baf55afa2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/34318/

Comments