MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e4d5bf9e5636eb766d89654e6f1796472863a12acc9341712f6f50bbb84519f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 18


Intelligence 18 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8e4d5bf9e5636eb766d89654e6f1796472863a12acc9341712f6f50bbb84519f
SHA3-384 hash: 00ea6173099d4c0f60d194e381bcb7269a81339c206d7b1759043ee3521f4a9688a55fe3b4dbd0df3bb3cf080505a50f
SHA1 hash: 6e9ecfcf2bd1e1553c6184dcd08066203c2b327c
MD5 hash: 57bb5f5611a5ec958ce9358b49c2d8bc
humanhash: emma-lamp-nevada-venus
File name:Rampage.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:171'520 bytes
First seen:2025-10-06 20:23:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 23aa6ede111f6ac860a5e9008f9b9673 (22 x Rhadamanthys, 4 x DonutLoader, 3 x CoinMiner)
ssdeep 3072:WE3LoiohzgBlfhsoXF2EvKLQYvjj06C6rLqJ/rb/CiZPH9oqSPQ1j0t:WE3Loioh8BlmWMEvKU4rVqJBHMPWK
Threatray 646 similar samples on MalwareBazaar
TLSH T15DF36C4773A420F9E1B7C279C9920A46E7B2782507619BDF03B047BA5F236D09D3EB61
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter burger
Tags:CoinMiner exe Rhadamanthys stealer XMRIG

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
US US
Vendor Threat Intelligence
Malware family:
xmrig
Create hunting rule
ID:
1
File name:
Rampage.exe
Verdict:
Malicious activity
Analysis date:
2025-10-06 20:22:07 UTC
Tags:
loader anti-evasion winring0-sys vuln-driver xmrig miner stealer
Link:
https://app.any.run/tasks/d60d52e2-2c97-467c-8234-2806e3659431

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/30871/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68e42550277c2bd8bc5d0e3a
Tags:
dropper spoof shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file
Creating a process from a recently created file
Creating a process with a hidden window
Creating a file in the %temp% directory
Running batch commands
Сreating synchronization primitives
Searching for the window
Using the Windows Management Instrumentation requests
Launching a process
Connection attempt
Sending a custom TCP request
Forced system process termination
DNS request
Connection attempt to an infection source
Launching a file downloaded from the Internet
Launching a tool to kill processes
Sending an HTTP GET request to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm base64 fingerprint microsoft_visual_cc obfuscated
Link:
https://www.filescan.io/uploads/68e42587d4a0085473c1ed35/reports/d791e3d6-7ea3-40f9-aaec-242b1619fbd7/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/8e4d5bf9e5636eb766d89654e6f1796472863a12acc9341712f6f50bbb84519f
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-10-06T17:59:00Z UTC
Last seen:
2025-10-07T10:20:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/8e4d5bf9e5636eb766d89654e6f1796472863a12acc9341712f6f50bbb84519f/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/73f6a70a-876a-494f-88e6-78e09bfebb9d
Result
Threat name:
RHADAMANTHYS, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1790195
Signature
Adds a directory exclusion to Windows Defender
AI detected malicious Powershell script
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sample is not signed and drops a device driver
Sigma detected: Potential Crypto Mining Activity
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Xmrig
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected RHADAMANTHYS Stealer
Yara detected UAC Bypass using CMSTP
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1790195 Sample: Rampage.exe Startdate: 06/10/2025 Architecture: WINDOWS Score: 100 96 pool.supportxmr.com 2->96 98 pool-nyc.supportxmr.com 2->98 106 Sigma detected: Xmrig 2->106 108 Suricata IDS alerts for network traffic 2->108 110 Malicious sample detected (through community Yara rule) 2->110 112 9 other signatures 2->112 10 Rampage.exe 17 2->10         started        15 core.exe 2->15         started        17 FolderBP.exe 2 2->17         started        19 3 other processes 2->19 signatures3 process4 dnsIp5 104 176.46.152.62, 49690, 49691, 5858 ESTPAKEE Iran (ISLAMIC Republic Of) 10->104 86 C:\Users\user\AppData\Local\...\nbgtpasrg.exe, PE32+ 10->86 dropped 88 c8d7af13171946fdaa...rypted_build[1].exe, PE32+ 10->88 dropped 90 C:\Users\user\AppData\...\dadaasads_new.ps1, ASCII 10->90 dropped 126 Suspicious powershell command line found 10->126 128 Bypasses PowerShell execution policy 10->128 21 powershell.exe 21 10->21         started        24 nbgtpasrg.exe 16 10->24         started        92 C:\Users\user\AppData\...\audiodgsvc.exe, PE32+ 15->92 dropped 94 C:\Users\user\AppData\...\WinRing0x64.sys, PE32+ 15->94 dropped 130 Uses schtasks.exe or at.exe to add and modify task schedules 15->130 132 Sample is not signed and drops a device driver 15->132 27 audiodgsvc.exe 15->27         started        29 schtasks.exe 15->29         started        31 schtasks.exe 15->31         started        33 conhost.exe 15->33         started        134 Adds a directory exclusion to Windows Defender 17->134 35 powershell.exe 23 17->35         started        37 WerFault.exe 2 19->37         started        39 2 other processes 19->39 file6 signatures7 process8 dnsIp9 114 Found suspicious powershell code related to unpacking or dynamic code loading 21->114 41 AppInstaller.exe 2 21->41         started        44 AppInstaller.exe 21->44         started        46 conhost.exe 21->46         started        100 176.46.152.80 ESTPAKEE Iran (ISLAMIC Republic Of) 24->100 116 Found direct / indirect Syscall (likely to bypass EDR) 24->116 48 conhost.exe 24->48         started        50 WerFault.exe 2 24->50         started        102 104.243.33.118 RELIABLESITEUS United States 27->102 118 Antivirus detection for dropped file 27->118 120 Multi AV Scanner detection for dropped file 27->120 122 Query firmware table information (likely to detect VMs) 27->122 52 conhost.exe 29->52         started        54 conhost.exe 31->54         started        124 Loading BitLocker PowerShell Module 35->124 56 conhost.exe 35->56         started        58 WmiPrvSE.exe 35->58         started        signatures10 process11 file12 84 C:\Users\user\AppData\Local\Temp\cmstp.inf, Windows 41->84 dropped 60 cmd.exe 1 41->60         started        62 cmd.exe 41->62         started        64 cmstp.exe 8 7 41->64         started        66 conhost.exe 41->66         started        68 cmd.exe 44->68         started        70 cmd.exe 44->70         started        72 conhost.exe 44->72         started        74 cmstp.exe 44->74         started        process13 process14 76 taskkill.exe 1 60->76         started        78 taskkill.exe 62->78         started        80 taskkill.exe 68->80         started        82 taskkill.exe 70->82         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/8e4d5bf9e5636eb766d89654e6f1796472863a12acc9341712f6f50bbb84519f
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/57bb5f5611a5ec958ce9358b49c2d8bc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8e4d5bf9e5636eb766d89654e6f1796472863a12acc9341712f6f50bbb84519f/
Verdict:
Malicious
Threat:
Family.DONUTLOADER
Link:
https://tip.neiki.dev/file/8e4d5bf9e5636eb766d89654e6f1796472863a12acc9341712f6f50bbb84519f
Threat name:
Win64.Infostealer.Tinba
Create hunting rule
Status:
Malicious
First seen:
2025-10-06 20:23:46 UTC
File Type:
PE+ (Exe)
AV detection:
23 of 24 (95.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rzgvx6pfmnxlozwyszkon4lzmrzimoqsvtetifys632qxo4ekgpq._file
Verdict:
malicious
Label(s):
unc_loader_071
Create hunting rule
rhadamanthys
Create hunting rule
donut_injector
Create hunting rule
Similar samples:
379f0016963886f893def3b63a2acccaf4b10e437dd2f9512495a0afbec95ffd
Rhadamanthys
4ff8b754c15870e848b6ed5c89d43830417b6f222fd3c06235f1b384e6800a0c
Rhadamanthys
647c4c3468f1733bc3202d198bdaa9fbc15d586c13260ff9cfe760e39897d6f1
Rhadamanthys
713fe892def917dd16fa304cf3719a22418c2b9db9d8e36cee27973f788236eb
Rhadamanthys
7ecdca5682d0b9d8b1e1e3002a9e46a5b3314c324ac12823d1ad4dc97d626f7f
Rhadamanthys
888356a703073d1533a01199c352ed4bbea51116af640f7f6f381bd89a97c888
Rhadamanthys
9ea72b870985f4db6233a9f0e882456fd18ef34bc70b69db35aba14a966ad5c5
Rhadamanthys
ac78e0cbaac4922c0b213e1654b46315c8fbec3cf6ba07c134a3f80355020308
Rhadamanthys
cd4ca11b0cfb4cecdbcb4073a578883794e1177357f526ecdfe8d731f27467c2
Rhadamanthys
ebadac7a2fcf13d135c59215056896a5ebe91b442edd6acf12110c357956a143
Rhadamanthys
error
Rhadamanthys
+ 636 additional samples on MalwareBazaar
Result
Malware family:
donutloader
Create hunting rule
Score:
  10/10
Tags:
family:donutloader defense_evasion execution loader
Link:
https://tria.ge/reports/251006-y6zf2sfj9v/
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Checks computer location settings
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Detects DonutLoader
DonutLoader
Donutloader family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9b41d88d-648f-4a22-9973-61ee55c81fad
Unpacked files
SH256 hash:
8e4d5bf9e5636eb766d89654e6f1796472863a12acc9341712f6f50bbb84519f
MD5 hash:
57bb5f5611a5ec958ce9358b49c2d8bc
SHA1 hash:
6e9ecfcf2bd1e1553c6184dcd08066203c2b327c
Link:
https://www.unpac.me/results/9de5757b-7dc5-4712-9b32-1052a39d36cb/
Malware family:
XMRig
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8e4d5bf9e563/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8e4d5bf9e5636eb766d89654e6f1796472863a12acc9341712f6f50bbb84519f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/30871/

Comments