MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d9f478da20a6cd2d8fcbbfe28efb66aef07d84d06429bf50d2626cef73d67dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 12

Intelligence 12 IOCs YARA 6 File information Comments

SHA256 hash:	7d9f478da20a6cd2d8fcbbfe28efb66aef07d84d06429bf50d2626cef73d67dd
SHA3-384 hash:	80943115c4e6d99b3af256bab4f89d245a302579537bb5768abbacb3baf7f06bea4ff62b4d2eeca6be0e01a2cae3f6fc
SHA1 hash:	863b157e88763964fe50319e7bb07f4bba196eca
MD5 hash:	08036a46c2f98b0e5b9ebc3449f32ba6
humanhash:	emma-lion-grey-princess
File name:	SecuriteInfo.com.Win64.Evo-gen.28348.23036
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	1'756'672 bytes
First seen:	2025-07-09 06:19:57 UTC
Last seen:	2025-07-09 07:16:57 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	b87d8762e3d5bd13d9e6297f5a640b1d (5 x LummaStealer, 3 x Rhadamanthys, 1 x Stealc)
ssdeep	49152:jTHQUdBG0+8qURWJUA377d1sntPK377d1sntP:ZV+8AJx7Kt67Kt
Threatray	190 similar samples on MalwareBazaar
TLSH	T12185E0385191A2D6FC76407A44A22699B472B333C23D2FFF91A4D337AE176C40F6A359
TrID	63.5% (.EXE) Win64 Executable (generic) (10522/11/4) 12.2% (.EXE) OS/2 Executable (generic) (2029/13) 12.0% (.EXE) Generic Win/DOS Executable (2002/3) 12.0% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	SecuriteInfoCom
Tags:	exe Rhadamanthys

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

bomb.exe

Verdict:

Malicious activity

Analysis date:

2025-07-09 11:31:19 UTC

Tags:

auto coinminer miner loader hausbomber ipfs phishing massbass github lumma stealer screenconnect rmm-tool amadey payload reverseloader ta558 apt stegocampaign botnet smoke purelogs purecrypter bittorrent mozi remote rdp purehvnc netreactor upx xmrig irc exfiltration pyinstaller gcleaner metasploit delphi rat remcos susp-lnk blackmoon webdav vmprotect arch-doc xworm donutloader evasion plugx snake keylogger telegram masslogger aurotunstealer neshta generic

Link:

https://app.any.run/tasks/2cf871ef-dc16-401a-939b-e3fe5dd544c3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/13629/

Verdict:

Malicious

Score:

96.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=686e0a31900df8e7f868de44

Tags:

spoof virus zusy

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a window

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Detecting VM

Connecting to a non-recommended domain

Connection attempt

Sending a custom TCP request

DNS request

Sending a UDP request

Reading critical registry keys

Searching for the window

Launching a process

Launching the default Windows debugger (dwwin.exe)

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Labled as:

Zusy.Generic

Link:

https://www.hybrid-analysis.com/sample/7d9f478da20a6cd2d8fcbbfe28efb66aef07d84d06429bf50d2626cef73d67dd

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/e99510a4-01a5-4ef1-a685-aa6a015b5042

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/7d9f478da20a6cd2d8fcbbfe28efb66aef07d84d06429bf50d2626cef73d67dd

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) Win 64 Exe x64

Link:

https://app.malva.re/file/08036a46c2f98b0e5b9ebc3449f32ba6

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7d9f478da20a6cd2d8fcbbfe28efb66aef07d84d06429bf50d2626cef73d67dd/

Threat name:

Win64.Trojan.Amadey

Status:

Suspicious

First seen:

2025-07-09 03:12:04 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

22 of 38 (57.89%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=pwpupdncbjwnfwh4xp7cr35wnlxqpwcnazbjx5ineytm55z5m7oq._file

Verdict:

malicious

Label(s):

rhadamanthys

Rhadamanthys

01bac2c953118ee7b71b6a4985750b930992cb33e387e7d4ed96c88a2fcb1e23

Rhadamanthys

072a6463f71cf233bcb0dd40bb572a1df620b0dbb7aa36fc84410790c032ff8d

Rhadamanthys

1cfc3b32aeb66367c054ac339add02b24805f90a3d0b53bd61b4670d0edf8a55

Rhadamanthys

3a52d91b4d116a614f2a76d7fd58b88c086f28375942368c8b913796000a43db

Rhadamanthys

48a53f98414985216dbe0c501bb8e07f83b97a46f0a855ca434620e46674ee99

Rhadamanthys

5bc044ef951c5095e4b7c094df6e54b19dfaafcd148583bb694625b7a0900f1c

Rhadamanthys

90368efed1cb835dcb06176b71d5309dc4c46e414812013ecfc72178ba8498d3

Rhadamanthys

ec1194bfa4b73c67ddf3996b3d29206edfe8f4308cadbf160ba9d2d37ecbc6aa

Rhadamanthys

error

Rhadamanthys

f0da32d32434afbef48cc3b0fdc24c61b88ab4c8de2efb892a0797769f01b2d3

Rhadamanthys

+ 180 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/250709-g3yxnstzht/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/c18e85a7-effa-4b92-91a6-6189deef97a9

Unpacked files

SH256 hash:

7d9f478da20a6cd2d8fcbbfe28efb66aef07d84d06429bf50d2626cef73d67dd

MD5 hash:

08036a46c2f98b0e5b9ebc3449f32ba6

SHA1 hash:

863b157e88763964fe50319e7bb07f4bba196eca

Link:

https://www.unpac.me/results/8ed0c4c8-2cc8-49e0-bd2e-07e083028e56/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7d9f478da20a6cd2d8fcbbfe28efb66aef07d84d06429bf50d2626cef73d67dd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

exe 7d9f478da20a6cd2d8fcbbfe28efb66aef07d84d06429bf50d2626cef73d67dd

(this sample)

Cape

https://www.capesandbox.com/analysis/13629/

URLhaus

https://urlhaus.abuse.ch/url/3579357/

Delivery method

Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryExW KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineA KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::FreeConsole KERNEL32.dll::ReadConsoleW KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleMode KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileW
WIN_USER_API	Performs GUI Actions	USER32.dll::CreateWindowExA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample