MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 878ff2b3cdba24a375d2cd8a8d5b4c1ba8301582ef4602d6dbeec6683bdf6b33. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 878ff2b3cdba24a375d2cd8a8d5b4c1ba8301582ef4602d6dbeec6683bdf6b33
SHA3-384 hash: 3bd07c456e91c32eba56f19dfaa7a31c6e485ce318e4af8a9bb10e4b2cf4a7c5507ccf44160706f1d8f565878c69d97a
SHA1 hash: ccf389870501ef6a66d6ec3e9015f8a608233adf
MD5 hash: fb66b5effae3c4fd8952ff7a12e55030
humanhash: river-idaho-king-coffee
File name:Setup.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:98'585'425 bytes
First seen:2025-07-23 17:48:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32f3282581436269b3a75b6675fe3e08 (197 x LummaStealer, 122 x Rhadamanthys, 8 x CoinMiner)
ssdeep 24576:V7P76KHamlmufQ6fLFc3gp9ddxTm9nI4xtwI+vbDPwQ8i14Nt1gqcIOJt:VnaOfLFtXdm9vxWIcLvl14NtAJt
Threatray 184 similar samples on MalwareBazaar
TLSH T11B2823DABB18436DC6D70A8750823967F6377AF0F18062C0B4B7A635226F6C6A53D1F1
TrID 37.3% (.EXE) Win64 Executable (generic) (10522/11/4)
17.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
15.9% (.EXE) Win32 Executable (generic) (4504/4/1)
7.3% (.ICL) Windows Icons Library (generic) (2059/9)
7.2% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
dhash icon 8e0daea2a6a6a2be (2 x Rhadamanthys)
Reporter aachum
Tags:45-153-34-245 AutoIT CypherIT exe Rhadamanthys


Avatar
iamaachum
https://filedlx.store/?p=1085&enHash=obDjMUyOhp6H => https://mega.nz/file/L5wxWZDC#DVaQDgYXOC2A_NQzBQnhmgibjqOYPbnC6bhFO8HVYqk

Intelligence

File Origin
# of uploads :
1
# of downloads :
1'180
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2025-07-23 17:16:11 UTC
Tags:
autoit stealer websocket rhadamanthys shellcode
Link:
https://app.any.run/tasks/5c94fa8c-7b70-4517-b9fc-111de866a406

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=688118fd2f623871a5f284a4
Tags:
autoit emotet nsis
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Launching cmd.exe command interpreter
Creating a process with a hidden window
Moving a file to the %temp% directory
Launching a process
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a window
Creating a process from a recently created file
DNS request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug blackhole expired-cert installer invalid-signature microsoft_visual_cc overlay overlay packed signed
Link:
https://www.filescan.io/uploads/688120ab8a7d628a81bf8fe5/reports/af7678e4-e343-4c75-93c5-db3e3a30cd1b/overview
Verdict:
Malicious
Labled as:
TrojanDownloader.NSIS
Link:
https://www.hybrid-analysis.com/sample/878ff2b3cdba24a375d2cd8a8d5b4c1ba8301582ef4602d6dbeec6683bdf6b33
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1742940
Signature
C2 URLs / IPs found in malware configuration
Detected potential unwanted application
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Switches to a custom stack to bypass stack traces
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
0%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/878ff2b3cdba24a375d2cd8a8d5b4c1ba8301582ef4602d6dbeec6683bdf6b33
Gathering data
Verdict:
Malicious
Threat:
Trojan.Win32.Autoit
Link:
https://tip.neiki.dev/file/878ff2b3cdba24a375d2cd8a8d5b4c1ba8301582ef4602d6dbeec6683bdf6b33
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-07-23 17:16:13 UTC
File Type:
PE (Exe)
Extracted files:
24
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q6h7fm6nxiskg5oszwfi2w2mdoudafmc55dafvw353dgqo67nmzq._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
280c766b56a8d5ae804d40c9f916593fb1b834e7b31ecf84cf85b6f28b866bad
Rhadamanthys
31c73da21862c01ecb0756a853404ea93ddf1db86ce2a6cb52ccd0ce1cfd01c3
Rhadamanthys
878ff2b3cdba24a375d2cd8a8d5b4c1ba8301582ef4602d6dbeec6683bdf6b33
Rhadamanthys
ad8d2d36547bb6c3fd44a137948dae585b9c66f7f3e6c36adcb0fd1f6a130a37
Rhadamanthys
b351419f415c5a1cf8d9b7abb0e28a1b13eca67c7e23f50d5c519cf7424bef10
Rhadamanthys
d2e01156051ad7112d93eb59632df9e67c20f32c09ace834e21746bef13dfd7e
Rhadamanthys
e0a7d335923c17e8aa3a9d2a2470eab4c0c702fee4bc7ac68b8132ea3a8e9be7
Rhadamanthys
error
Rhadamanthys
+ 174 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys discovery stealer
Link:
https://tria.ge/reports/250723-wd9efazqx4/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Executes dropped EXE
Loads dropped DLL
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9a84a4a3-e853-4d16-87bb-27d966b23456
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe 878ff2b3cdba24a375d2cd8a8d5b4c1ba8301582ef4602d6dbeec6683bdf6b33

(this sample)

  
Link
https://tria.ge/250723-vn4fhahm2z
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::OpenProcess
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::GetWindowsDirectoryW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments