MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8666d19b603834a8f842a86faddbbf0d8aeec003ff0b0152cff4c7fef936573d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 17

Intelligence 17 IOCs YARA 9 File information Comments

SHA256 hash:	8666d19b603834a8f842a86faddbbf0d8aeec003ff0b0152cff4c7fef936573d
SHA3-384 hash:	a0112b834ce45bacd56b478cdcf1b5746be494d604b3df8ec6cf4c626f2fd58f1e2ea1a6ca0b496c14ab44d5f1ba1978
SHA1 hash:	004fb74b0885c2be7fb64643f59dba7119577609
MD5 hash:	7eef52b6b73bdb486d0031152edb7e1f
humanhash:	jupiter-river-ack-oregon
File name:	file
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	1'023'488 bytes
First seen:	2025-09-11 04:01:12 UTC
Last seen:	2025-09-12 04:04:34 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c9391c4d011b74463c0b80c8ef62af14 (4 x LummaStealer, 2 x Rhadamanthys, 1 x NanoCore)
ssdeep	24576:y7WfF3nHO7mxfg+fMRrQ6Sg31JORCwDWEosdlY:y7WZe6fTkR8p4wxFlY
Threatray	69 similar samples on MalwareBazaar
TLSH	T1AB250202F1F390B3F653A5F02A38DA64182DEA73AF344DDB2054F2741AA59D3177266B
TrID	49.9% (.EXE) Win64 Executable (generic) (10522/11/4) 21.3% (.EXE) Win32 Executable (generic) (4504/4/1) 9.6% (.EXE) OS/2 Executable (generic) (2029/13) 9.5% (.EXE) Generic Win/DOS Executable (2002/3) 9.4% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
Reporter	Bitsight
Tags:	dropped-by-amadey exe Rhadamanthys

Bitsight

url: http://178.16.54.200/files/174733404/PsCMIRi.exe

Intelligence

File Origin

# of uploads :

# of downloads :

108

Origin country :

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

18c40d5945e473ceca15c342f8c438103db100c38401a647caa431b33efe2203.exe

Verdict:

Malicious activity

Analysis date:

2025-09-11 01:55:31 UTC

Tags:

amadey auto redline stealer botnet lumma loader arch-exec telegram anti-evasion stealc vidar coinminer miner rdp purelogs themida gcleaner auto-reg

Link:

https://app.any.run/tasks/c601cc6a-bf41-4a07-b01b-5c1114b8b687

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/26799/

Verdict:

Malicious

Score:

70%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68c249b3b20052598879a335

Tags:

cobalt

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

amadey crypt keylogger microsoft_visual_cc packed rhadamanthys unsafe

Link:

https://www.filescan.io/uploads/68c249b10d1238ff0aa9d44e/reports/085b1214-9735-4a0b-a76d-e24ae76d8fed/overview

Verdict:

Malicious

Labled as:

Lazy.Generic

Link:

https://www.hybrid-analysis.com/sample/8666d19b603834a8f842a86faddbbf0d8aeec003ff0b0152cff4c7fef936573d

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-09-10T20:23:00Z UTC

Last seen:

2025-09-10T20:23:00Z UTC

Hits:

~10

Detections:

Trojan.Win32.Inject.sb Trojan.Win32.Crypt.sb Trojan.Win32.Agent.sb Trojan-PSW.Win32.Crypt.kb Trojan.Win64.SBEscape.sb Trojan.Win32.Strab.sb

Link:

https://opentip.kaspersky.com/8666d19b603834a8f842a86faddbbf0d8aeec003ff0b0152cff4c7fef936573d/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/70e3ec41-e678-4cf5-9826-82f298378026

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/8666d19b603834a8f842a86faddbbf0d8aeec003ff0b0152cff4c7fef936573d

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8666d19b603834a8f842a86faddbbf0d8aeec003ff0b0152cff4c7fef936573d/

Verdict:

Malicious

Threat:

Family.LUMMA

Link:

https://tip.neiki.dev/file/8666d19b603834a8f842a86faddbbf0d8aeec003ff0b0152cff4c7fef936573d

Threat name:

Win32.Trojan.LummaStealer

Status:

Malicious

First seen:

2025-09-10 16:12:31 UTC

File Type:

PE (Exe)

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qztndg3aha2kr6ccvbx23w57bwfo5qad74fqcuwp6td756jwk46q._file

Verdict:

malicious

Label(s):

rhadamanthys

Rhadamanthys

81c17b483fc9c5fcce9f9433b8679a19eae9cf3a46a7d5f6cac714f58f7e0ab9

Rhadamanthys

8666d19b603834a8f842a86faddbbf0d8aeec003ff0b0152cff4c7fef936573d

Rhadamanthys

a5809a42fba08fa4ce38ae0ab74b433fe91826de4296c147fc4214eee86dc919

Rhadamanthys

ea90b2b47e8d066d16c597cc1db8d77734d2ed209835e836f5aaa0c6dc2d5c93

Rhadamanthys

error

Rhadamanthys

fdfbc1ca939418ba3fe30ef9daca82ae843fec06997f3a21d70aeb9c18f997b6

Rhadamanthys

+ 59 additional samples on MalwareBazaar

Result

Malware family:

rhadamanthys

Score:

10/10

Tags:

family:rhadamanthys discovery stealer

Link:

https://tria.ge/reports/250911-ellvnsysev/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Deletes itself

Rhadamanthys family

Suspicious use of NtCreateUserProcessOtherParentProcess

Detects Rhadamanthys Payload

Rhadamanthys

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/2d0d542b-31dd-4589-9c33-15c25d3fb964

Unpacked files

SH256 hash:

8666d19b603834a8f842a86faddbbf0d8aeec003ff0b0152cff4c7fef936573d

MD5 hash:

7eef52b6b73bdb486d0031152edb7e1f

SHA1 hash:

004fb74b0885c2be7fb64643f59dba7119577609

Link:

https://www.unpac.me/results/8c62a1c0-efef-4213-9ac3-437a38b24fa0/

SH256 hash:

8855a86d2276a92e2dc38f1ce3ae709b93caba530ce75f31808c6cb0589c6395

MD5 hash:

329d6f6c5ac81e4b5d59f5ce0428e04e

SHA1 hash:

61494e8baf3cfcc7b81fc0f95e37653f4afa5b48

Link:

https://www.unpac.me/results/8c62a1c0-efef-4213-9ac3-437a38b24fa0/

Malware family:

Rhadamanthys

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/8666d19b6038/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8666d19b603834a8f842a86faddbbf0d8aeec003ff0b0152cff4c7fef936573d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	HUNTING_SUSP_TLS_SECTION Create hunting rule
Author:	chaosphere
Description:	Detect PE files with .tls section that can be used for anti-debugging
Reference:	Practical Malware Analysis - Chapter 16

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	NET Create hunting rule
Author:	malware-lu

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)