MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88a98376391806a7de1cb1fa647721da286aa0b3e34ba8b943ad5c31a7d78001. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88a98376391806a7de1cb1fa647721da286aa0b3e34ba8b943ad5c31a7d78001
SHA3-384 hash: bb9e4cca29807436ed600a01a72f7c095360098f72b6c18fbf275ff7a6e0595b8c5b59a0be96a5c1b976030e9f3f2b45
SHA1 hash: ce768d339763d5bed63e936c195fbc74bd2743fd
MD5 hash: 10e69467668bfb44014054e97b610909
humanhash: glucose-idaho-uranus-king
File name:PassatHook.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:10'405'256 bytes
First seen:2025-07-30 18:38:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e07647ab48d4be367afc7221135c1e04 (12 x Rhadamanthys)
ssdeep 196608:fZ+050hjsnN1uz273QNwhrzod1FPRkgcc65nfU02WHAS:B+y0ZsnN1ua73QNwZUd1DGc6+wAS
TLSH T12CA6338B68DF81F9EAC40570C61B9EDF33F3169B0C5048286DC5BCC6A966F72B076991
TrID 28.5% (.EXE) Win64 Executable (generic) (10522/11/4)
17.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
13.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.2% (.EXE) Win32 Executable (generic) (4504/4/1)
5.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter burger
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
44
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PassatHook.exe
Verdict:
Malicious activity
Analysis date:
2025-07-30 18:38:59 UTC
Tags:
rhadamanthys shellcode
Link:
https://app.any.run/tasks/ec143a45-cd3a-4e0f-895a-e22ee18f84d2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/17837/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=688a66e90b4775fb2133c30e
Tags:
injection obfusc virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Using the Windows Management Instrumentation requests
Detecting VM
DNS request
Connection attempt
Sending a custom TCP request
Sending a UDP request
Reading critical registry keys
Unauthorized injection to a system process
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
invalid-signature obfuscated packed packed packer_detected signed
Link:
https://www.filescan.io/uploads/688a66e5c79df08ef098a97e/reports/7a0e1ca4-8aa3-4e7b-9054-6ea727f7e361/overview
Verdict:
Malicious
Labled as:
Kelios.Generic
Link:
https://www.hybrid-analysis.com/sample/88a98376391806a7de1cb1fa647721da286aa0b3e34ba8b943ad5c31a7d78001
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f547a495-e185-4b5a-ae46-5f4770957d71
Result
Threat name:
RHADAMANTHYS, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1747289
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious PE digital signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Checks if the current machine is a virtual machine (disk enumeration)
Deletes itself after installation
Detected Stratum mining protocol
Disable Windows Defender notifications (registry)
Early bird code injection technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RHADAMANTHYS Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1747289 Sample: PassatHook.exe Startdate: 30/07/2025 Architecture: WINDOWS Score: 100 92 x.ns.gin.ntt.net 2->92 94 ntp1.net.berkeley.edu 2->94 96 6 other IPs or domains 2->96 116 Antivirus detection for dropped file 2->116 118 Multi AV Scanner detection for submitted file 2->118 120 Yara detected RHADAMANTHYS Stealer 2->120 122 7 other signatures 2->122 12 PassatHook.exe 2->12         started        15 svchost.exe 2->15         started        17 cmd.exe 2->17         started        19 9 other processes 2->19 signatures3 process4 signatures5 148 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 12->148 150 Found many strings related to Crypto-Wallets (likely being stolen) 12->150 152 Switches to a custom stack to bypass stack traces 12->152 21 OpenWith.exe 12->21         started        154 Changes security center settings (notifications, updates, antivirus, firewall) 15->154 25 conhost.exe 17->25         started        27 schtasks.exe 17->27         started        process6 dnsIp7 106 xmas-song-dungeon.world 104.37.175.226, 1888, 49725, 49741 MAJESTIC-HOSTING-01US United States 21->106 108 cloudflare-dns.com 104.16.249.249, 443, 49724, 49740 CLOUDFLARENETUS United States 21->108 140 Query firmware table information (likely to detect VMs) 21->140 142 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 21->142 144 Deletes itself after installation 21->144 146 3 other signatures 21->146 29 dllhost.exe 5 21->29         started        signatures8 process9 dnsIp10 110 xmas-song-dungeon.world 29->110 112 ntp1.net.berkeley.edu 169.229.128.134, 123, 62082 UCBUS United States 29->112 114 7 other IPs or domains 29->114 88 C:\Users\user\AppData\...\uDFtxP-ENf.exe, PE32 29->88 dropped 90 C:\Users\user\AppData\Local\...\Bc8J6b-.exe, PE32+ 29->90 dropped 160 System process connects to network (likely due to code injection or exploit) 29->160 162 Early bird code injection technique detected 29->162 164 Found many strings related to Crypto-Wallets (likely being stolen) 29->164 166 3 other signatures 29->166 34 Bc8J6b-.exe 9 2 29->34         started        38 wmpnscfg.exe 29->38         started        40 uDFtxP-ENf.exe 29->40         started        42 2 other processes 29->42 file11 signatures12 process13 file14 84 C:\ProgramData\Microsoft\...\WmiPrvSE.exe, PE32+ 34->84 dropped 124 Query firmware table information (likely to detect VMs) 34->124 126 Modifies windows update settings 34->126 128 Adds a directory exclusion to Windows Defender 34->128 138 2 other signatures 34->138 44 cmd.exe 1 34->44         started        47 powershell.exe 34->47         started        49 cmd.exe 34->49         started        62 14 other processes 34->62 130 Writes to foreign memory regions 38->130 132 Allocates memory in foreign processes 38->132 51 dllhost.exe 38->51         started        86 C:\Users\user\AppData\...\UserOOBEBroker.exe, PE32 40->86 dropped 134 Antivirus detection for dropped file 40->134 54 cmd.exe 40->54         started        56 cmd.exe 40->56         started        136 Found many strings related to Crypto-Wallets (likely being stolen) 42->136 58 chrome.exe 42->58         started        60 chrome.exe 42->60         started        signatures15 process16 dnsIp17 156 Uses schtasks.exe or at.exe to add and modify task schedules 44->156 64 net.exe 1 44->64         started        66 conhost.exe 44->66         started        158 Loading BitLocker PowerShell Module 47->158 68 conhost.exe 47->68         started        70 WmiPrvSE.exe 47->70         started        76 2 other processes 49->76 98 45.141.233.252, 44133, 49746, 49751 ASDETUKhttpwwwheficedcomGB Bulgaria 51->98 72 conhost.exe 54->72         started        74 schtasks.exe 54->74         started        78 2 other processes 56->78 100 192.168.2.4, 123, 138, 1888 unknown unknown 58->100 102 www.google.com 142.250.176.4, 443, 49739 GOOGLEUS United States 58->102 104 3 other IPs or domains 58->104 80 15 other processes 62->80 signatures18 process19 process20 82 net1.exe 1 64->82         started       
Score:
89%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/88a98376391806a7de1cb1fa647721da286aa0b3e34ba8b943ad5c31a7d78001
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/10e69467668bfb44014054e97b610909
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/88a98376391806a7de1cb1fa647721da286aa0b3e34ba8b943ad5c31a7d78001/
Verdict:
Malicious
Threat:
Family.RHADAMANTHYS
Link:
https://tip.neiki.dev/file/88a98376391806a7de1cb1fa647721da286aa0b3e34ba8b943ad5c31a7d78001
Threat name:
Win32.Spyware.Rhadamanthys
Create hunting rule
Status:
Malicious
First seen:
2025-07-30 13:52:24 UTC
File Type:
PE (Exe)
AV detection:
27 of 38 (71.05%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rcuyg5rzdadkpxq4wh5gi5zb3iugvift4nf2rokdvvoddj6xqaaq._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
error
Rhadamanthys
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys discovery stealer
Link:
https://tria.ge/reports/250730-xavmjsdj9t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Deletes itself
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e32a89ec-845c-4c85-a03c-61a846fb935c
Unpacked files
SH256 hash:
88a98376391806a7de1cb1fa647721da286aa0b3e34ba8b943ad5c31a7d78001
MD5 hash:
10e69467668bfb44014054e97b610909
SHA1 hash:
ce768d339763d5bed63e936c195fbc74bd2743fd
Link:
https://www.unpac.me/results/1cfe3224-9694-4549-91ae-ce7d29774601/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/88a983763918/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/88a98376391806a7de1cb1fa647721da286aa0b3e34ba8b943ad5c31a7d78001

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/17837/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileMappingW

Comments