MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 940b8f326d32d185fd4254207aaa70408e3b62ea4685935b15e33de37d3c1dac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 17


Intelligence 17 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 940b8f326d32d185fd4254207aaa70408e3b62ea4685935b15e33de37d3c1dac
SHA3-384 hash: f7326625f5ef59608eff64063947ba9ae9ed957906daca0077fd5bff7726a663afb1c31f48fcb74c1ff67552307921e1
SHA1 hash: d9dbb9222700eea4535ed5640d03aa6b86ee26c8
MD5 hash: 620194552cf82188f4758971292b1a68
humanhash: cold-comet-early-table
File name:file
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:2'025'472 bytes
First seen:2025-10-15 04:02:30 UTC
Last seen:2025-10-16 04:05:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 24576:ujdL9JNTv8in54ih7JNKCIXc4ajGptM/c++hv+OOcOwUEIg532YhJVyAX40fae1B:uR9jEi5ZhdElXqSptB+wvscOWrPHRn
Threatray 2'103 similar samples on MalwareBazaar
TLSH T1D39533663F575CB0E112C9BB86C8F197A0733DB2E98D4E507B2792A3E51318672C8C26
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe Rhadamanthys


Avatar
Bitsight
url: http://178.16.55.189/files/502259649/8omkiD7.exe

Intelligence

File Origin
# of uploads :
8
# of downloads :
86
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
random.exe
Verdict:
Malicious activity
Analysis date:
2025-10-14 22:15:50 UTC
Tags:
amadey botnet stealer susp-powershell rdp themida loader remote xworm golang xor-url generic auto pastebin miner winring0-sys vuln-driver stealc vidar gcleaner phishing ultravnc rmm-tool anti-evasion evasion telegram worldwind stormkitty exfiltration ms-smartcard asyncrat rat babel dnguard yano amsi-bypass rustystealer arch-doc autoit lumma silentcryptominer purecrypter
Link:
https://app.any.run/tasks/29e25ed2-e9a6-4f7c-99cc-cc741ed48c86

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/32849/
Detection(s):
SecuriteInfo.com.Trojan.Lumma-1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68ef1ce604e22ce9acda4053
Tags:
spoof
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
microsoft_visual_cc obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/68ef1cdc71883144ef37cca8/reports/bad5aad9-6b0e-4abc-b569-691d42b5d3a2/overview
Verdict:
Malicious
Labled as:
Dump:Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/940b8f326d32d185fd4254207aaa70408e3b62ea4685935b15e33de37d3c1dac
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-14T15:51:00Z UTC
Last seen:
2025-10-16T12:42:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Crypt.sb HEUR:Trojan-Downloader.Win32.Generic VHO:Trojan-PSW.Win32.Lumma.gen VHO:Trojan-PSW.Win32.Convagent.gen Trojan-Downloader.Win32.Phpw.mkd Trojan.Win32.Strab.sb not-a-virus:VHO:RiskTool.Win32.BitCoinMiner.gen
Link:
https://opentip.kaspersky.com/940b8f326d32d185fd4254207aaa70408e3b62ea4685935b15e33de37d3c1dac/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c1628436-258d-4c63-adc2-ca5d0df738ae
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/940b8f326d32d185fd4254207aaa70408e3b62ea4685935b15e33de37d3c1dac
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/620194552cf82188f4758971292b1a68
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/940b8f326d32d185fd4254207aaa70408e3b62ea4685935b15e33de37d3c1dac/
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/940b8f326d32d185fd4254207aaa70408e3b62ea4685935b15e33de37d3c1dac
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-10-15 04:03:32 UTC
File Type:
PE (Exe)
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sqfy6mtngliyl7kckqqhvktqichdwyxki2czgwyv4m66g7j4dwwa._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
2be5b104a63deb6addd9d49ffea10cfbefc8c214c2578f4554b6272ca3856899
Rhadamanthys
551863be2e92aa2d319a92cda72bc2123233ee3a7e965ee691fd70d88c21d772
Rhadamanthys
55d8dc6d475a919fe7ec17bd2575cf0f0a1eec913dba89f9556b69621eec0eb6
Rhadamanthys
5dfcdc1c491fbf2f7f2fbac6bbf27b84be652583b66b252c46e8ed86577c3c60
Rhadamanthys
67fd31f9b85ca5e31e0851c8a5f8f2f36343d884aa3dd7f26d4aa6c5d02b28fe
Rhadamanthys
9a577c544360db41918b2d1890ae1abf2407e734f77d307ef8828a151d8252d4
Rhadamanthys
a509d90eaa00df8640c180439726fc0ed487dc30d236e19d1fc1514782e23671
Rhadamanthys
b5d44eb79bb60df60b30f4157e958cb1a84c6ed93f2fb3767e96c573c27092e4
Rhadamanthys
dd6d8363c2761f77948a54be192dbbe563d2da9dd8f922102547631ccbd05ebb
Rhadamanthys
ecc38b2d94c70426a8c8ffb8d0414c048023731d37153f2ac50e62d966505143
Rhadamanthys
error
Rhadamanthys
+ 2'093 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys defense_evasion discovery stealer
Link:
https://tria.ge/reports/251015-el4eqagm5y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Program crash
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2db7781d-e0f1-47d7-b7c0-7c26feed7373
Unpacked files
SH256 hash:
90df41ee1acdb61f46241ed88260629d198a589ee3cfb37b24e827cec17432f7
MD5 hash:
b9a0f2d4deae8ea6bbb1ee33b1db797b
SHA1 hash:
2ba38494fb5ee9caa13ee6e87d504139083b812e
Link:
https://www.unpac.me/results/ae078294-86ff-4eef-a4fe-a395b8221049/
SH256 hash:
940b8f326d32d185fd4254207aaa70408e3b62ea4685935b15e33de37d3c1dac
MD5 hash:
620194552cf82188f4758971292b1a68
SHA1 hash:
d9dbb9222700eea4535ed5640d03aa6b86ee26c8
Link:
https://www.unpac.me/results/ae078294-86ff-4eef-a4fe-a395b8221049/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/940b8f326d32/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.72
Link:
https://yomi.yoroi.company/submissions/940b8f326d32d185fd4254207aaa70408e3b62ea4685935b15e33de37d3c1dac

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe 940b8f326d32d185fd4254207aaa70408e3b62ea4685935b15e33de37d3c1dac

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3678481/
Cape
Cape
https://www.capesandbox.com/analysis/32849/

Comments