MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 925a447b319c05bc4ebe88b3a4404a84351e01026ef4de8d65bed475c9859be9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 15


Intelligence 15 IOCs YARA 18 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 925a447b319c05bc4ebe88b3a4404a84351e01026ef4de8d65bed475c9859be9
SHA3-384 hash: d5971494aaf19c25c8fe370f7cfe8869dd4e06e1cb8d8a72ebed82e7e28d6ed16b79c553ab30adaf0f26b2c9d245bee8
SHA1 hash: e6c096dddaebe09bad5372e60e0bf05589f4a8c3
MD5 hash: 11b2a6b82acbe4b73ea68615f6d737b6
humanhash: twenty-triple-triple-fillet
File name:925a447b319c05bc4ebe88b3a4404a84351e01026ef4de8d65bed475c9859be9
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:2'237'464 bytes
First seen:2025-08-14 06:37:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d42595b695fc008ef2c56aabd8efd68e (92 x Rhadamanthys, 78 x Vidar, 42 x LummaStealer)
ssdeep 49152:0OG0IDlUt60S/8TnhfLVDfQDJixz5WuSNr5A/ZA:0WZ9S627CA
Threatray 167 similar samples on MalwareBazaar
TLSH T1F1A57B1BBC9C47EAC4D68732886E30627A71BC894F6113D72A55B27C2FF66E08D75B10
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 00e8b2d4ccccccf0 (8 x LummaStealer, 4 x Rhadamanthys, 1 x Formbook)
Reporter JAMESWT_WT
Tags:exe ExpressVPN-12-104-0-128 Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
61
Origin country :
IT IT
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
925a447b319c05bc4ebe88b3a4404a84351e01026ef4de8d65bed475c9859be9
Verdict:
Malicious activity
Analysis date:
2025-08-14 06:42:43 UTC
Tags:
stealer rhadamanthys
Link:
https://app.any.run/tasks/86e9ad46-434c-4299-8817-456170834bda

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Rhadamanthys
Create hunting rule
Link:
https://www.capesandbox.com/analysis/21276/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689d842c31e468d93724af93
Tags:
injection stealer virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Launching a process
Creating a window
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Sending a custom TCP request
DNS request
Launching the default Windows debugger (dwwin.exe)
Sending a UDP request
Reading critical registry keys
Searching for the window
Unauthorized injection to a recently created process
Connection attempt to an infection source
Sending a TCP request to an infection source
Stealing user critical data
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
golang infostealer invalid-signature obfuscated signed threat
Link:
https://www.filescan.io/uploads/689d84259ef4d2ff7cfc3c18/reports/9fba06e9-dedc-47be-8139-ee115c904fb5/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/925a447b319c05bc4ebe88b3a4404a84351e01026ef4de8d65bed475c9859be9
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/43c05050-d740-407e-9bb4-ada980187cf6
Score:
51%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/925a447b319c05bc4ebe88b3a4404a84351e01026ef4de8d65bed475c9859be9
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 64 Exe x64
Link:
https://app.malva.re/file/11b2a6b82acbe4b73ea68615f6d737b6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/925a447b319c05bc4ebe88b3a4404a84351e01026ef4de8d65bed475c9859be9/
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/925a447b319c05bc4ebe88b3a4404a84351e01026ef4de8d65bed475c9859be9
Threat name:
Win64.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-08-13 08:50:04 UTC
File Type:
PE+ (Exe)
Extracted files:
12
AV detection:
22 of 38 (57.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sjnei6zrtqc3ytv6rcz2iqckqq2r4aicn32n5dlfx3khlsmftpuq._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
018f9ba428f4e3360bb6ee7c42f5f475bda12ae71a430d603a4a5e8ea94fdcf9
Rhadamanthys
21410f2d5da769fab3f5c9d3d2f6aeec19d1f7b4d2a04e1370491aece6517a0a
Rhadamanthys
47767a97c828554f2092c5e2fc505e103ff42114cd75071fd69e16111037a83a
Rhadamanthys
49337f9f66b60d2f51e8f97bc057c99888b0cfc00af88df247a26c8079e63317
Rhadamanthys
4fb0569f626a84a699f504b107607d1202cb375a312c3f7f3a4d7a9df04c0c2b
Rhadamanthys
6b5266685f3fe4ca9e4d7cf5b16b26fcae1c215eb9933eb471240d4daaecdaf5
Rhadamanthys
a00f9b69f8250c86d0852c61a936f96372bd8c71fde6ddea492e3e2b8006ddea
Rhadamanthys
abf052189d7c4ecb828806ff3e559de0e4bd0ba5e69c01575a8f8217bf2868d6
Rhadamanthys
daa1e8c37f131efe55995260e3772db5bfe8d3d5c5c96d2adc7a55492aab0bae
Rhadamanthys
error
Rhadamanthys
+ 157 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys discovery stealer
Link:
https://tria.ge/reports/250814-hdmc1scm4z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b6292b2b-d693-415c-a56a-210f2e323181
Unpacked files
SH256 hash:
925a447b319c05bc4ebe88b3a4404a84351e01026ef4de8d65bed475c9859be9
MD5 hash:
11b2a6b82acbe4b73ea68615f6d737b6
SHA1 hash:
e6c096dddaebe09bad5372e60e0bf05589f4a8c3
Link:
https://www.unpac.me/results/42fdf3d1-2e24-48ac-a750-8339ed459af2/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/925a447b319c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/21276/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryW
kernel32.dll::LoadLibraryExW
kernel32.dll::GetSystemInfo
WIN_BASE_EXEC_APICan Execute other programskernel32.dll::WriteConsoleW
kernel32.dll::SetConsoleCtrlHandler
kernel32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create Fileskernel32.dll::GetSystemDirectoryA

Comments