MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 897ae8e1e2c6af974d9bfd02424bbba4b15645e6e279e621c745283e04d1a504. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 18


Intelligence 18 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 897ae8e1e2c6af974d9bfd02424bbba4b15645e6e279e621c745283e04d1a504
SHA3-384 hash: 31d325724c3a926c951cbd9149979948e2b371e51fbbf8bdb65ecbaad6c47148d21eee4a8412889ae8155bda238100eb
SHA1 hash: 2c67cf6ef47b3dae6270e51674fe33e7377f95c2
MD5 hash: b9f4c9f4fdf14853502a819767b0673c
humanhash: undress-enemy-blue-timing
File name:ZamICay.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:1'163'776 bytes
First seen:2025-08-30 14:52:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 27ee01714f066de2a140a2dc07425e8f (2 x Rhadamanthys)
ssdeep 24576:Ll6EAk5oWl96SHOMvh0fRXmF5pATJIncu75SO5pLk2dcFAyuWh8vGbz0:0vWaPMZCpijATJIcuVjxXu2yuWhMGbz0
Threatray 1 similar samples on MalwareBazaar
TLSH T10C350202F483D077F66721B0162DD528582FEEA34B245DD763C8EA784974EE21F3662B
TrID 49.9% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.6% (.EXE) OS/2 Executable (generic) (2029/13)
9.5% (.EXE) Generic Win/DOS Executable (2002/3)
9.4% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
9b55f6144b096d141be338f36ad10386818e04ed8166899fbb3de0ac3f53b51c.zip
Verdict:
Malicious activity
Analysis date:
2025-08-30 11:23:00 UTC
Tags:
auto amadey botnet arch-exec redline stealer rdp loader gcleaner telegram lumma evasion purecrypter generic themida autoit phishing ms-smartcard stealc upx susp-powershell salatstealer golang delphi miner purehvnc netreactor rust
Link:
https://app.any.run/tasks/9564dea8-e1a9-4924-aef7-5eb271adb6a8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/24274/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68b31086eb163e0ec18329d3
Tags:
cobalt virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint microsoft_visual_cc obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/68b3112f39a6221faa766a68/reports/3a1daf86-601a-4080-8705-0b9be26ba07b/overview
Verdict:
Malicious
Labled as:
Giant.Fragtor.Generic
Link:
https://www.hybrid-analysis.com/sample/897ae8e1e2c6af974d9bfd02424bbba4b15645e6e279e621c745283e04d1a504
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-08-29T13:22:00Z UTC
Last seen:
2025-08-29T13:22:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Injuke.pbgh PDM:Trojan.Win32.Generic Trojan.Win32.Strab.sb Trojan.Win32.Crypt.sb VHO:Trojan.Win32.Injuke.gen
Link:
https://opentip.kaspersky.com/897ae8e1e2c6af974d9bfd02424bbba4b15645e6e279e621c745283e04d1a504/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/ae45b0c5-ac35-4763-83a2-4c7a143c0a31
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1768172
Signature
Allocates memory in foreign processes
Checks if the current machine is a virtual machine (disk enumeration)
Deletes itself after installation
Early bird code injection technique detected
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1768172 Sample: ZamICay.exe Startdate: 30/08/2025 Architecture: WINDOWS Score: 100 60 twc.trafficmanager.net 2->60 62 time.windows.com 2->62 64 4 other IPs or domains 2->64 92 Multi AV Scanner detection for submitted file 2->92 94 Yara detected RHADAMANTHYS Stealer 2->94 10 ZamICay.exe 2->10         started        13 msedge.exe 364 2->13         started        16 elevation_service.exe 2->16         started        18 3 other processes 2->18 signatures3 process4 dnsIp5 108 Found many strings related to Crypto-Wallets (likely being stolen) 10->108 110 Found stalling execution ending in API Sleep call 10->110 112 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 10->112 114 Switches to a custom stack to bypass stack traces 10->114 20 OpenWith.exe 10->20         started        74 192.168.2.7, 123, 138, 443 unknown unknown 13->74 76 239.255.255.250 unknown Reserved 13->76 24 msedge.exe 13->24         started        26 msedge.exe 13->26         started        28 msedge.exe 13->28         started        30 msedge.exe 13->30         started        signatures6 process7 dnsIp8 66 92.63.197.198, 49691, 49734, 49735 NOVOGARA-ASNL Russian Federation 20->66 100 Query firmware table information (likely to detect VMs) 20->100 102 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 20->102 104 Deletes itself after installation 20->104 106 3 other signatures 20->106 32 dllhost.exe 6 20->32         started        68 s-part-0012.t-0009.t-msedge.net 13.107.246.40, 443, 49714, 49723 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 24->68 70 ln-0007.ln-msedge.net 150.171.22.17, 443, 49708, 49709 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 24->70 72 9 other IPs or domains 24->72 signatures9 process10 dnsIp11 54 ntp.time.nl 94.198.159.10, 123, 64439 SIDNNL Netherlands 32->54 56 ntp.nict.jp 133.243.238.163, 123, 64439 NICTNationalInstituteofInformationandCommunicationsTe Japan 32->56 58 4 other IPs or domains 32->58 84 Early bird code injection technique detected 32->84 86 Found many strings related to Crypto-Wallets (likely being stolen) 32->86 88 Tries to harvest and steal browser information (history, passwords, etc) 32->88 90 2 other signatures 32->90 36 wmprph.exe 32->36         started        39 chrome.exe 32->39         started        41 msedge.exe 15 32->41         started        43 chrome.exe 32->43         started        signatures12 process13 signatures14 96 Writes to foreign memory regions 36->96 98 Allocates memory in foreign processes 36->98 45 dllhost.exe 36->45         started        47 chrome.exe 39->47         started        50 chrome.exe 39->50         started        52 msedge.exe 41->52         started        process15 dnsIp16 78 googlehosted.l.googleusercontent.com 142.250.65.225, 443, 49701, 49702 GOOGLEUS United States 47->78 80 127.0.0.1 unknown unknown 47->80 82 clients2.googleusercontent.com 47->82
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/897ae8e1e2c6af974d9bfd02424bbba4b15645e6e279e621c745283e04d1a504
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/b9f4c9f4fdf14853502a819767b0673c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/897ae8e1e2c6af974d9bfd02424bbba4b15645e6e279e621c745283e04d1a504/
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/897ae8e1e2c6af974d9bfd02424bbba4b15645e6e279e621c745283e04d1a504
Threat name:
Win32.Trojan.Nekark
Create hunting rule
Status:
Malicious
First seen:
2025-08-29 17:47:13 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rf5orypcy2xzotm37ubees53usyvmrpg4j46miohiuud4bgruuca._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
897ae8e1e2c6af974d9bfd02424bbba4b15645e6e279e621c745283e04d1a504
Rhadamanthys
error
Rhadamanthys
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys discovery stealer
Link:
https://tria.ge/reports/250830-sa76esbn9t/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Deletes itself
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9c745b9a-33cc-46db-aa77-36f4f971e832
Unpacked files
SH256 hash:
897ae8e1e2c6af974d9bfd02424bbba4b15645e6e279e621c745283e04d1a504
MD5 hash:
b9f4c9f4fdf14853502a819767b0673c
SHA1 hash:
2c67cf6ef47b3dae6270e51674fe33e7377f95c2
Link:
https://www.unpac.me/results/2f25d239-6ba7-4542-8a49-b1608f001788/
SH256 hash:
8855a86d2276a92e2dc38f1ce3ae709b93caba530ce75f31808c6cb0589c6395
MD5 hash:
329d6f6c5ac81e4b5d59f5ce0428e04e
SHA1 hash:
61494e8baf3cfcc7b81fc0f95e37653f4afa5b48
Link:
https://www.unpac.me/results/2f25d239-6ba7-4542-8a49-b1608f001788/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/897ae8e1e2c6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/897ae8e1e2c6af974d9bfd02424bbba4b15645e6e279e621c745283e04d1a504

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe 897ae8e1e2c6af974d9bfd02424bbba4b15645e6e279e621c745283e04d1a504

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3611620/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/24274/

Comments