MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85d101826e4917573fa945fa4cee02e6aaa6b71e71c82beb5a96c4d0c9312ea4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Rhadamanthys


Vendor detections: 13



SHA256 hash: 85d101826e4917573fa945fa4cee02e6aaa6b71e71c82beb5a96c4d0c9312ea4
SHA3-384 hash: 9d96622adf3eaa8d96f5fbf1e4e0a67c1223d75e7e6d8b2414e261ae7f63a8bc2e1981b4c22d49f2d203e0cae3231ee3
SHA1 hash: aecaac7ae8cfa5d9d08586ebcb74f06116b14c90
MD5 hash: 3f011c475974d3e7db4b0f9a3ee25d9f
humanhash: pizza-kansas-tennis-oxygen
File name: DropCheats.exe
Signature: Rhadamanthys
File size: 5'047'808 bytes
First seen: 2025-06-07 13:14:37 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 7d746b91e1e57b358f148ed3374f0079 (41 x Rhadamanthys)
ssdeep 98304:ZyoVv2+gHclhijSieoI1s2PX9tRTjGbyQlRdZ7wCgXFrgp7LiXZMjGMY4L:ZB++wcKjSi81T9pQ9Z0CgX29IOSMY4L
Threatray 138 similar samples on MalwareBazaar
TLSH T15A363349A8C159DDEA807BB58919FEED7AFD2AB84224CE2DA42172DBDC3354C5370343
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter aachum
Tags:180-178-189-34 213-209-150-104 exe Rhadamanthys
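The imphash above is what lets MalwareBazaar say "41 x Rhadamanthys": it is an MD5 over the normalized import table, so builds of the same loader stub share it even when every other hash differs. The following is an added example, not MalwareBazaar or pefile code, showing the normalization that the pefile library's get_imphash() applies (which is what most tooling uses): library names lowercased with a .dll/.ocx/.sys extension stripped, function names lowercased, entries joined as "lib.func" in import-table order and MD5-hashed. The import lists are constructed for illustration and are not this sample's imports; pefile's ordinal-to-name lookup tables for oleaut32/ws2_32/wsock32 are left out, so imports by ordinal are emitted here as ordN only.

```python
import hashlib


def imphash(imports):
    """Compute an imphash from an ordered list of (library, function) pairs.

    `function` is a string for named imports or an int for imports by ordinal.
    Normalization follows pefile.get_imphash(): lowercase library name with a
    .dll/.ocx/.sys extension stripped, lowercase function name, entries joined
    as "lib.func" in import-table order and MD5-hashed. pefile's ordinal-to-name
    tables for oleaut32/ws2_32/wsock32 are deliberately omitted (assumption: the
    constructed inputs below do not need them).
    """
    parts = []
    for lib, func in imports:
        lib = lib.lower()
        for ext in (".ocx", ".sys", ".dll"):
            if lib.endswith(ext):
                lib = lib[: -len(ext)]
                break
        name = "ord%d" % func if isinstance(func, int) else func.lower()
        parts.append("%s.%s" % (lib, name))
    return hashlib.md5(",".join(parts).encode("ascii")).hexdigest()


# Constructed import tables (not taken from the sample): a typical packer stub
# that only needs LoadLibraryA/GetProcAddress to resolve everything else at runtime.
STUB_IMPORTS = [
    ("KERNEL32.dll", "LoadLibraryA"),
    ("KERNEL32.dll", "GetProcAddress"),
    ("KERNEL32.dll", "VirtualAlloc"),
    ("USER32.dll", "MessageBoxA"),
]

# Same imports with different casing: must yield the same imphash.
STUB_IMPORTS_RECASED = [
    ("kernel32.DLL", "loadlibrarya"),
    ("Kernel32.dll", "GETPROCADDRESS"),
    ("kernel32.dll", "VirtualAlloc"),
    ("User32.dll", "messageboxa"),
]

# Same imports in a different order: imphash is order-sensitive, so this differs.
STUB_IMPORTS_REORDERED = [STUB_IMPORTS[1], STUB_IMPORTS[0]] + STUB_IMPORTS[2:]

# One extra import: also differs, which is why a rebuild that adds even one API
# call drops out of the cluster.
STUB_IMPORTS_EXTENDED = STUB_IMPORTS + [("ADVAPI32.dll", "RegSetValueExA")]


def pivot_report():
    """Return (reference imphash, {label: in_same_cluster}) for the constructed tables."""
    ref = imphash(STUB_IMPORTS)
    return ref, {
        "recased": imphash(STUB_IMPORTS_RECASED) == ref,
        "reordered": imphash(STUB_IMPORTS_REORDERED) == ref,
        "extended": imphash(STUB_IMPORTS_EXTENDED) == ref,
    }


if __name__ == "__main__":
    ref, matches = pivot_report()
    print("imphash:", ref)
    for label, same in matches.items():
        print("%-10s %s" % (label, "same cluster" if same else "different"))
```

Because the hash is taken over the ordered list, it is a good pivot for samples produced by the same build pipeline and a poor one across compilers or linker settings; when pivoting on an imphash, treat a match as "same stub", not "same payload".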


iamaachum
https://www.youtube.com/watch?v=Ny--k8ydsZ8 => https://dropcheats.net/download/?game=Fortnite => https://www.mediafire.com/file/63fy085bq3wfrkp/DropCheats.zip/file

Intelligence


File Origin
# of uploads: 1
# of downloads: 426
Origin country: ES
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: DropCheats.exe
Verdict: Malicious activity
Analysis date: 2025-06-07 13:17:58 UTC
Tags: stealer rhadamanthys shellcode loader

Note: ANY.RUN is an interactive sandbox that analyzes all user actions taken during the session, not only the uploaded sample.
Verdict: Malicious
Score: 81.4%
Tags: vmprotect virus agent
Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating synchronization primitives
Launching a process
Using the Windows Management Instrumentation requests
Connection attempt
Sending a custom TCP request
Unauthorized injection to a system process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed packer_detected
Result
Threat name: RHADAMANTHYS
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Creates an undocumented autostart registry key
Deletes itself after installation
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Early bird code injection technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph (ID 1708872; sample DropCheats.exe; start date 07/06/2025; architecture WINDOWS; score 100), rendered as a process tree:

Root
  Network: time.google.com; time.facebook.com; 5 other IPs or domains
  Signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Yara detected RHADAMANTHYS Stealer; 5 other signatures
  Processes started:
    DropCheats.exe
      Signatures: Overwrites code with unconditional jumps - possibly setting hooks in foreign process; Switches to a custom stack to bypass stack traces
      -> OpenWith.exe
           Network: 180.178.189.34 (ports 49694, 49729, 49730), GALAXY-AS-AP Galaxy Broadband, Pakistan
           Signatures: Deletes itself after installation; Switches to a custom stack to bypass stack traces
           -> OpenWith.exe
                Network: time-a-g.nist.gov 129.6.15.28 (US National Institute of Standards and Technology, United States); ntp.time.nl 94.198.159.10 (SIDN, Netherlands); 5 other IPs or domains
                Dropped: C:\Users\user\AppData\Local\...\Ztan.exe (PE32); C:\Users\user\AppData\Local\...\39[PG.exe (PE32+)
                Signatures: Early bird code injection technique detected; Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); 7 other signatures
                -> 39[PG.exe
                     Dropped: C:\ProgramData\Microsoft\...\WmiPrvSE.exe (PE32+)
                     Signatures: Query firmware table information (likely to detect VMs); Modifies windows update settings; Adds a directory exclusion to Windows Defender; 2 other signatures
                     -> powershell.exe (three instances, each with a conhost.exe child; one flagged: Loading BitLocker PowerShell Module)
                     -> 15 other processes, among them net.exe -> net1.exe, two conhost.exe, and 13 other processes
                -> Ztan.exe
                     Dropped: C:\ProgramData\...\UserOOBEBroker.exe (PE32)
                     Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Creates an undocumented autostart registry key
                     -> cmd.exe (Uses schtasks.exe or at.exe to add and modify task schedules) -> 2 other processes
                     -> cmd.exe -> 2 other processes
                -> wmplayer.exe
                     Signatures: Writes to foreign memory regions; Allocates memory in foreign processes
                -> 5 other processes, among them chrome.exe (googlehosted.l.googleusercontent.com 142.250.114.132:443, GOOGLE, United States; 127.0.0.1; clients2.googleusercontent.com), msedge.exe and chrome.exe
    msedge.exe
      Network: 239.255.255.250 (reserved)
      -> msedge.exe (four instances; one reaches s-part-0029.t-0009.t-msedge.net 13.107.246.57:443 and ax-0002.ax-msedge.net 150.171.27.11:443, MICROSOFT-CORP-MSN-AS-BLOCK, United States, plus 8 other IPs or domains)
    cmd.exe
      -> conhost.exe
      -> schtasks.exe
    4 other processes
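Two of the Joe Sandbox signatures above ("Adds a directory exclusion to Windows Defender" and the Sigma hit "Powershell Base64 Encoded MpPreference Cmdlet") describe the same action from two angles: the dropped loader launches powershell.exe with an -EncodedCommand payload that calls Add-MpPreference / Set-MpPreference so Defender stops looking at its drop directory. The following is an added example, not MalwareBazaar, Joe Sandbox or Sigma code, of the detection logic a process-creation pipeline would apply: decode the UTF-16LE base64 payload, then match the cmdlet and the parameters that weaken Defender. The process events are constructed for illustration and are not taken from the sandbox reports on this page; the prefix handling for -EncodedCommand is an approximation of powershell.exe's own parameter matching.

```python
import base64
import re


def encode_command(script: str) -> str:
    """Build an -EncodedCommand payload the way powershell.exe expects it: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed process-creation events (not from the sandbox reports above).
SAMPLE_EVENTS = [
    {"pid": 4120, "cmdline": "powershell.exe -NoP -W Hidden -enc "
                             + encode_command(r"Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft'")},
    {"pid": 4133, "cmdline": "powershell.exe -EncodedCommand "
                             + encode_command("Set-MpPreference -DisableRealtimeMonitoring $true")},
    {"pid": 4200, "cmdline": "powershell.exe -Command Get-MpPreference"},        # plaintext, read-only: no hit
    {"pid": 4300, "cmdline": "powershell.exe -enc " + encode_command("Get-Date")},  # encoded but harmless: no hit
]

MPPREF_CMDLET = re.compile(r"\b(?:Add|Set|Remove)-MpPreference\b", re.IGNORECASE)
# Set-MpPreference/Add-MpPreference parameters that reduce Defender coverage.
RISKY_PARAMETERS = re.compile(
    r"-(ExclusionPath|ExclusionExtension|ExclusionProcess|ExclusionIpAddress"
    r"|DisableRealtimeMonitoring|DisableBehaviorMonitoring|DisableIOAVProtection"
    r"|DisableScriptScanning|DisableBlockAtFirstSeen|MAPSReporting|SubmitSamplesConsent)\b",
    re.IGNORECASE,
)


def is_encoded_command_flag(token: str) -> bool:
    """powershell.exe accepts -EncodedCommand and its unambiguous prefixes (-e, -ec, -enc, ...),
    with either '-' or '/' as the switch character. -ep / -ExecutionPolicy must not match."""
    if token[:1] not in "-/":
        return False
    t = token[1:].lower()
    return t == "ec" or (len(t) >= 1 and "encodedcommand".startswith(t))


def decode_encoded_command(cmdline: str):
    """Return the decoded script when the command line carries an encoded payload, else None."""
    tokens = cmdline.split()
    for i, token in enumerate(tokens[:-1]):
        if is_encoded_command_flag(token):
            payload = tokens[i + 1].strip("\"'")
            try:
                raw = base64.b64decode(payload + "=" * (-len(payload) % 4))
                return raw.decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None  # malformed payload: powershell.exe would reject it too
    return None


def evaluate(event: dict):
    """Apply the rule to one event; return a finding dict or None."""
    decoded = decode_encoded_command(event["cmdline"])
    if decoded is None:
        return None
    cmdlet = MPPREF_CMDLET.search(decoded)
    if not cmdlet:
        return None
    return {
        "pid": event["pid"],
        "cmdlet": cmdlet.group(0),
        "parameters": RISKY_PARAMETERS.findall(decoded),
        "decoded": decoded,
    }


def scan(events):
    """Run the rule over a list of events and return the findings in input order."""
    return [hit for hit in map(evaluate, events) if hit is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("pid %d: %s %s <- %s" % (hit["pid"], hit["cmdlet"], hit["parameters"], hit["decoded"]))
```

The public Sigma rule takes the cheaper route of matching the base64 encodings of the cmdlet strings directly (all three alignment rotations) without decoding; decoding as above costs a little CPU per event but also surfaces the parameters, which is what an analyst needs to scope the damage (an ExclusionPath is very different from MAPSReporting being turned off). Whichever route is used, the finding should be enriched with the parent image: in the sandbox run above the powershell.exe instances were children of the dropped 39[PG.exe, which is the fact that turns a configuration change into an incident.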
Threat name: Win32.Trojan.Kelios
Status: Malicious
First seen: 2025-06-07 13:15:16 UTC
File Type: PE (Exe)
AV detection: 20 of 24 (83.33%)
Threat level: 5/5
Result
Malware family: n/a
Score: 10/10
Tags: discovery
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Deletes itself
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SHA256 hash: 85d101826e4917573fa945fa4cee02e6aaa6b71e71c82beb5a96c4d0c9312ea4
MD5 hash: 3f011c475974d3e7db4b0f9a3ee25d9f
SHA1 hash: aecaac7ae8cfa5d9d08586ebcb74f06116b14c90
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe 85d101826e4917573fa945fa4cee02e6aaa6b71e71c82beb5a96c4d0c9312ea4 (this sample)

Delivery method: Distributed via web download

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Reviews
ID | Capabilities | Evidence
WIN_BASE_API | Uses Win Base API | KERNEL32.dll::LoadLibraryA
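Both BLint findings are header-level properties: an Authenticode signature is present only when the security data directory (index 4 in the optional header) has a non-zero size, and HIGH_ENTROPY_VA (0x0020) is a bit in DllCharacteristics that lets 64-bit ASLR use the full address space. The following is an added example, not BLint's code, of a minimal PE header reader that reproduces these two checks, together with a builder that constructs header-only images to exercise it; the images are constructed, not loadable, and unrelated to this sample. A non-zero security directory only says a WIN_CERTIFICATE blob is attached; whether that signature verifies is a separate step (osslsigncode, signtool, or a PKCS#7 parse) that this example does not perform, and HIGH_ENTROPY_VA is only meaningful for PE32+ images.

```python
import struct
import sys

# Constants from winnt.h / the PE specification.
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_DIRECTORY_ENTRY_SECURITY = 4
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def inspect_pe(data: bytes) -> dict:
    """Parse just enough of a PE header to answer the two BLint checks above."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers;
    # NumberOfRvaAndSizes and the data directory array do not.
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    nrva_off, dirs_off = (108, 112) if magic == PE32PLUS_MAGIC else (92, 96)
    num_dirs = struct.unpack_from("<I", data, opt + nrva_off)[0]
    sec_off, sec_size = 0, 0
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY and entry + 8 <= size_of_optional:
        # For the security directory the first field is a file offset, not an RVA.
        sec_off, sec_size = struct.unpack_from("<II", data, opt + entry)
    findings = []
    if sec_size == 0:
        findings.append("CHECK_AUTHENTICODE")
    if not dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA:
        findings.append("CHECK_DLL_CHARACTERISTICS")
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dll_characteristics": dll_chars,
        "security_dir": (sec_off, sec_size),
        "findings": findings,
    }


def build_minimal_pe(dll_characteristics: int, security_size: int, pe32plus: bool = True) -> bytes:
    """Construct a header-only PE image (no sections, not loadable) for exercising inspect_pe."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", e_lfanew)
    opt_size = 240 if pe32plus else 224
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    nrva_off, dirs_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, nrva_off, 16)
    # Assumed placeholder offset 0x1000 for the certificate blob when a size is given.
    struct.pack_into("<II", opt, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     0x1000 if security_size else 0, security_size)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(inspect_pe(fh.read()))
    else:
        print("unsigned, no HIGH_ENTROPY_VA:", inspect_pe(build_minimal_pe(0x0140, 0))["findings"])
        print("signed, hardened:           ", inspect_pe(build_minimal_pe(0x0160, 0x1800))["findings"])
```

Run it against a real file with `python check_pe.py sample.exe` (script name assumed). On a hardened, signed 64-bit build the findings list is empty; a packed stub typically trips both checks, which is consistent with the BLint output for this sample but is not by itself evidence of malice, since plenty of legitimate software also ships unsigned and without HIGH_ENTROPY_VA.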
