MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7033783a044d1e467b5b33ce9f79f64917bbbe03b15de5fd236f1d23af8a0992. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7033783a044d1e467b5b33ce9f79f64917bbbe03b15de5fd236f1d23af8a0992
SHA3-384 hash: 2d128d2ae36a8d7c57911aba2f4773e47c69bb7499635eb63147544640a3918e8196c473d5cf08fc2e712b08f2907c87
SHA1 hash: 8050d69a01252da2bb195eb2d8853233a8dd9cde
MD5 hash: 11401d27fd29e824c4ec9d6bf61a48c4
humanhash: bacon-mars-uncle-social
File name:11401d27fd29e824c4ec9d6bf61a48c4.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:1'683'312 bytes
First seen:2025-10-24 09:07:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 70 x LummaStealer, 61 x Rhadamanthys)
ssdeep 49152:Zpob3pbPK6Y1VB7QthY5JeyoqRZp1R711Zqop7be:ZkJPfvaPeyNRZ7jG
Threatray 241 similar samples on MalwareBazaar
TLSH T14D75231253F42861E0B76B7168F18203EA313D625FB847BF125CDA7A5FE36906A31727
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
112
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
https://www.4sync.com/web/directDownload/FEdmHuqk/TFKslE2D.060ef0f710400e694ef6e5dbeca2f8c2
Verdict:
Malicious activity
Analysis date:
2025-10-22 14:41:26 UTC
Tags:
arch-exec lumma stealer autoit
Link:
https://app.any.run/tasks/27a4f19d-53f7-4d6a-82aa-e130d369ef48

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34011/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68fb41e73bdc93eb0563c8a0
Tags:
autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Running batch commands
Moving a file to the %temp% subdirectory
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
DNS request
Creating a window
Connection attempt
Creating a process from a recently created file
Unauthorized injection to a recently created process
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
CAB dllhost installer invalid-signature lolbin microsoft_visual_cc obfuscated packed packed packer_detected rundll32 runonce signed threat
Link:
https://www.filescan.io/uploads/68fb41f53a79800405f47f05/reports/1affbcb9-9baf-437e-b1e5-471dd9b3a89f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/7033783a044d1e467b5b33ce9f79f64917bbbe03b15de5fd236f1d23af8a0992
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-10-20T17:33:00Z UTC
Last seen:
2025-10-26T05:47:00Z UTC
Hits:
~100
Detections:
Backdoor.Win32.Agent.mywylw Backdoor.Agent.UDP.C&C Trojan.Win32.Autoit.sb HEUR:Trojan.Script.AUO.gen
Link:
https://opentip.kaspersky.com/7033783a044d1e467b5b33ce9f79f64917bbbe03b15de5fd236f1d23af8a0992/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/38b1404d-0a9e-44f0-8dbb-aa4340fbf45f
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1801145
Signature
Allocates memory in foreign processes
Detected CypherIt Packer
Drops PE files with a suspicious file extension
Early bird code injection technique detected
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Dllhost.EXE Execution Anomaly
Sigma detected: Search for Antivirus process
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1801145 Sample: b4RwfubiUx.exe Startdate: 24/10/2025 Architecture: WINDOWS Score: 100 52 ts1.aco.net 2->52 54 time.google.com 2->54 56 9 other IPs or domains 2->56 66 Multi AV Scanner detection for submitted file 2->66 68 Yara detected RHADAMANTHYS Stealer 2->68 70 Sigma detected: Search for Antivirus process 2->70 72 2 other signatures 2->72 10 b4RwfubiUx.exe 1 10 2->10         started        12 elevation_service.exe 2->12         started        14 elevation_service.exe 2->14         started        16 3 other processes 2->16 signatures3 process4 process5 18 OpenWith.exe 10->18         started        22 cmd.exe 4 10->22         started        25 dllhost.exe 10->25         started        dnsIp6 58 time-a-g.nist.gov 129.6.15.28, 123, 64318 US-NATIONAL-INSTITUTE-OF-STANDARDS-AND-TECHNOLOGYUS United States 18->58 60 gbg1.ntp.netnod.se 194.58.203.20, 123, 64318 NTP-SEAnycastedNTPservicesfromNetnodIXPsSE Sweden 18->60 62 7 other IPs or domains 18->62 74 Early bird code injection technique detected 18->74 76 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->76 78 Tries to steal Mail credentials (via file / registry access) 18->78 84 8 other signatures 18->84 27 wmprph.exe 18->27         started        30 chrome.exe 18->30         started        50 C:\Users\user\AppData\Local\...\Smith.scr, PE32+ 22->50 dropped 80 Detected CypherIt Packer 22->80 82 Drops PE files with a suspicious file extension 22->82 32 Smith.scr 22->32         started        34 extrac32.exe 20 22->34         started        37 conhost.exe 22->37         started        39 4 other processes 22->39 file7 signatures8 process9 file10 86 Writes to foreign memory regions 27->86 88 Allocates memory in foreign processes 27->88 41 dllhost.exe 27->41         started        90 Hijacks the control flow in another process 32->90 92 Modifies the context of a thread in another process (thread injection) 32->92 94 Injects a PE file into a foreign processes 32->94 96 Found direct / indirect Syscall (likely to bypass EDR) 32->96 44 Smith.scr 32->44         started        48 C:\Users\user\AppData\Local\Temp\...\Ordering, DOS 34->48 dropped signatures11 process12 dnsIp13 64 178.16.54.246, 44133, 49697 DUSNET-ASDE Germany 41->64 46 WerFault.exe 2 44->46         started        process14
Score:
50%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/7033783a044d1e467b5b33ce9f79f64917bbbe03b15de5fd236f1d23af8a0992
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7033783a044d1e467b5b33ce9f79f64917bbbe03b15de5fd236f1d23af8a0992/
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/7033783a044d1e467b5b33ce9f79f64917bbbe03b15de5fd236f1d23af8a0992
Threat name:
Win64.Spyware.Rhadamanthys
Create hunting rule
Status:
Malicious
First seen:
2025-10-20 23:36:36 UTC
File Type:
PE+ (Exe)
Extracted files:
35
AV detection:
17 of 24 (70.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oazxqoqejupem623gphj66pwjel3xpqdwfo6l7jdn4oshl4kbgja._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
41d223f5a7540d5cef87b3fd0a0e1ed42001ac2cd8ae8df8058a5f9498a34ff3
Rhadamanthys
7fae74b217d01c61bec250906a59f2dd73668d4044fb415dd07f0c1e3d43cc69
Rhadamanthys
98d703fc2be44a9c49d94e738e18c6b2ea7174888b3bf03cfb18ca7d402379a1
Rhadamanthys
b4b6f14fd5376bcdbe3d8b259cf5b566c861e940a2cc783e7939c24d0a0eee54
Rhadamanthys
dbdab701feecc382b037b61b4268f1f796c28f3c30d77e18506cb1646bf9cb0b
Rhadamanthys
e443809317ae0721d477d717c1a3a4e8d404540b0ef0bd39a17a5f2cc20dc434
Rhadamanthys
e744bf7ed6e32efff0490e0582bb26ee0439ba1a47e921af3637877c4aaec933
Rhadamanthys
ea99f0edcfd429bdbd696ca66cdf0ba8a006ce028900a0e010b6b5a492eeffcd
Rhadamanthys
error
Rhadamanthys
f8df95de90e0a61244b771280ffd304b652095225e1f6f487c20be09083366ce
Rhadamanthys
+ 231 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/251024-k3vrssfl6s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/cce0a62b-93b7-4f2d-b71a-789965454045
Unpacked files
SH256 hash:
7033783a044d1e467b5b33ce9f79f64917bbbe03b15de5fd236f1d23af8a0992
MD5 hash:
11401d27fd29e824c4ec9d6bf61a48c4
SHA1 hash:
8050d69a01252da2bb195eb2d8853233a8dd9cde
Link:
https://www.unpac.me/results/a757dfe5-687b-47b0-ae2c-d9ebac6dcc57/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7033783a044d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7033783a044d1e467b5b33ce9f79f64917bbbe03b15de5fd236f1d23af8a0992

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/34011/

Comments