MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 71f4b177ab5dbf844397591deda7cbb750b4fc3dda07c10f41ee3d7615278976. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 15


Intelligence 15 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 71f4b177ab5dbf844397591deda7cbb750b4fc3dda07c10f41ee3d7615278976
SHA3-384 hash: 2f9821de9b79d975fa308db69ba3e51d178c06d474c95d224d2da282dbabf6824e91ace6b40fe3ad25d38b300abb36ec
SHA1 hash: f8c9d496eaf360127c9809aca9c679355e2063be
MD5 hash: 269d9cbb3424b1570f873e8227b50c91
humanhash: missouri-oranges-early-cold
File name:unwounded.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:1'847'424 bytes
First seen:2025-09-19 17:47:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9cbefe68f395e67356e2a5d8d1b285c0 (58 x LummaStealer, 49 x AuroraStealer, 35 x Vidar)
ssdeep 24576:nYuU3mNsDYe5wjcPhLGm0TDigKoMFvHgd0CHSyxr4ghpgZBi4dXjqg:PU3mNEYe5HhYPigKoovHE0C5rVgZBiid
Threatray 410 similar samples on MalwareBazaar
TLSH T130857C37BC9410B9E4A5D23188F151937A31BC690B3273DF6E4CB6BA2AF67D40939394
gimphash a6acd30aa7b57bbde504403ef276359d5c1ad12a087c57714144cea7de5962d3
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter aachum
Tags:77-105-161-114 exe Rhadamanthys


Avatar
iamaachum
https://mega.nz/file/PlRT1Zpa#PXjA98NcTIrA9_zXcJYHEJdDXuSIon1LsmjerXfpob0

Intelligence

File Origin
# of uploads :
1
# of downloads :
101
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
unwounded.exe
Verdict:
Malicious activity
Analysis date:
2025-09-19 17:28:41 UTC
Tags:
golang anti-evasion rhadamanthys stealer shellcode
Link:
https://app.any.run/tasks/d5378903-c863-4446-90bf-16ee1c9072cb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/28371/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68cd92c9246a2631bd312543
Tags:
injection emotet obfusc
Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm golang invalid-signature signed
Link:
https://www.filescan.io/uploads/68cd9763e39a6830ee40ae8f/reports/88ca8a86-a5b9-459d-872f-226220e4862a/overview
Verdict:
Malicious
Labled as:
WinGo/Kryptik.IZ trojan
Link:
https://www.hybrid-analysis.com/sample/71f4b177ab5dbf844397591deda7cbb750b4fc3dda07c10f41ee3d7615278976
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-09-19T23:40:00Z UTC
Last seen:
2025-09-19T23:40:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Crypt.sb Trojan-PSW.Win32.Crypt.mq
Link:
https://opentip.kaspersky.com/71f4b177ab5dbf844397591deda7cbb750b4fc3dda07c10f41ee3d7615278976/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/2d35fe0c-fc49-459b-9363-49e1c96f2a89
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1780915
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Found potential dummy code loops (likely to delay analysis)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Switches to a custom stack to bypass stack traces
Uses Windows timers to delay execution
Writes to foreign memory regions
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
93%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/71f4b177ab5dbf844397591deda7cbb750b4fc3dda07c10f41ee3d7615278976
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/269d9cbb3424b1570f873e8227b50c91
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/71f4b177ab5dbf844397591deda7cbb750b4fc3dda07c10f41ee3d7615278976/
Verdict:
Malicious
Threat:
Family.RHADAMANTHYS
Link:
https://tip.neiki.dev/file/71f4b177ab5dbf844397591deda7cbb750b4fc3dda07c10f41ee3d7615278976
Threat name:
Win64.Spyware.Rhadamanthys
Create hunting rule
Status:
Malicious
First seen:
2025-09-19 17:37:23 UTC
File Type:
PE+ (Exe)
Extracted files:
17
AV detection:
20 of 38 (52.63%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oh2lc55llw7yiq4xleo63j6lw5ilj7b53id4cd2b5y6xmfjhrf3a._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
2fa08478b989da7327bcb2c22eefc626126d357de831b8182474ba1ac6240033
Rhadamanthys
3857aac49d606c982a866f460de14a479c1482d672d1b17392555e69b8ff6dcd
Rhadamanthys
6ae3e47a682279854e2c2ecbbe8fcddd5a763a3506089e74454c8fff027301ad
Rhadamanthys
88a82bdbb8f6efe6448316c05c881d65b564efb9bd7588363683fa07d11b8a86
Rhadamanthys
9e4a0b96a349285d56db12ff601ef94e16da03c5a71460995d218e4a84b17c63
Rhadamanthys
a14ca283ce205cbc9c1ca540cdfc17ff62e28557de5fa1eedfdddfdd4456b27e
Rhadamanthys
aaa80a57fa8ecfcdcec28fec4b338eb015925e2e2b57b4aa910d559bce58199c
Rhadamanthys
c2d5e6e925c2450d4d5d8cba94c7570049a4da43647165fe9db23e009c977f91
Rhadamanthys
e9dc8c8d4f02a2ac33f810bd54c6b17879fc124ff3a5b89f27d7c147e6c5bf8c
Rhadamanthys
error
Rhadamanthys
f553605fb8722472509ee1612fe24c835aec8d7a71d3554d59983f3524467725
Rhadamanthys
+ 400 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys discovery stealer
Link:
https://tria.ge/reports/250919-wdq8vswpz6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/129185f7-108f-4c9c-8bc1-195819e44ce2
Unpacked files
SH256 hash:
71f4b177ab5dbf844397591deda7cbb750b4fc3dda07c10f41ee3d7615278976
MD5 hash:
269d9cbb3424b1570f873e8227b50c91
SHA1 hash:
f8c9d496eaf360127c9809aca9c679355e2063be
Link:
https://www.unpac.me/results/443bbb50-f295-4526-b8af-5d582576c389/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/71f4b177ab5d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/71f4b177ab5dbf844397591deda7cbb750b4fc3dda07c10f41ee3d7615278976

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe 71f4b177ab5dbf844397591deda7cbb750b4fc3dda07c10f41ee3d7615278976

(this sample)

  
Link
https://tria.ge/250919-vdcj2asvgv/behavioral2
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/28371/

Comments