MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94ab3ac0ff390673564b0055fb7dc67c358bb536cd578f30fde34e39219a5aa7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94ab3ac0ff390673564b0055fb7dc67c358bb536cd578f30fde34e39219a5aa7
SHA3-384 hash: 6eeaa31db2ec7cb271eb62130921c2f68c9b2638d777cce887a4e96fd1ee577196908748442b872ccebe0de319b3bc15
SHA1 hash: f9442b274530ea9010ef5dba0fb6c21d0521f302
MD5 hash: 31ddd73236f6d93c8c4fb93956a37fec
humanhash: lamp-lactose-blue-dakota
File name:random.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:2'057'728 bytes
First seen:2025-04-29 06:46:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:eMCf8ayLohgC4u5kUqh+vE9iP5GF3OUXeP334M16bqyE2vWLu1:TCf8ayugvDDsUROUXePn4c7T
Threatray 337 similar samples on MalwareBazaar
TLSH T1BF95339E5A64D13CD11F07788EC3AE5BDAB9FA307CA6877EE60B160C2FF26985041714
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 926b23534d61338c (51 x Rhadamanthys)
Reporter abuse_ch
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
473
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/4938/
Detection(s):
SecuriteInfo.com.Trojan.Lumma-1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
94.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6810797ecc5fb3600cc4556d
Tags:
upatre trojan spawn virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Searching for the window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Connection attempt
Sending a custom TCP request
DNS request
Sending a UDP request
Reading critical registry keys
Creating a window
Unauthorized injection to a system process
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
entropy microsoft_visual_cc packed packed packer_detected rat virtual
Link:
https://www.filescan.io/uploads/681075efc502e7176af995d5/reports/1c5cefa7-f10a-4fb4-815b-9dc94529ac01/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/94ab3ac0ff390673564b0055fb7dc67c358bb536cd578f30fde34e39219a5aa7
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3b07ffbf-307c-4013-b9af-09f737087ddc
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1677040
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Early bird code injection technique detected
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1677040 Sample: random.exe Startdate: 29/04/2025 Architecture: WINDOWS Score: 100 58 x.ns.gin.ntt.net 2->58 60 twc.trafficmanager.net 2->60 62 8 other IPs or domains 2->62 84 Found malware configuration 2->84 86 Multi AV Scanner detection for submitted file 2->86 88 Yara detected RHADAMANTHYS Stealer 2->88 90 3 other signatures 2->90 10 random.exe 1 2->10         started        13 msedge.exe 16 75 2->13         started        16 elevation_service.exe 2->16         started        18 3 other processes 2->18 signatures3 process4 dnsIp5 102 Detected unpacking (changes PE section rights) 10->102 104 Tries to detect sandboxes and other dynamic analysis tools (window names) 10->104 106 Tries to evade debugger and weak emulator (self modifying code) 10->106 108 5 other signatures 10->108 20 svchost.exe 10->20         started        24 WerFault.exe 2 10->24         started        70 239.255.255.250 unknown Reserved 13->70 26 msedge.exe 13->26         started        28 msedge.exe 13->28         started        30 msedge.exe 13->30         started        signatures6 process7 dnsIp8 64 154.81.179.131, 49683, 49705, 49711 MULTA-ASN1US Seychelles 20->64 98 System process connects to network (likely due to code injection or exploit) 20->98 100 Switches to a custom stack to bypass stack traces 20->100 32 svchost.exe 6 20->32         started        66 s-part-0043.t-0009.t-msedge.net 13.107.246.71, 443, 49701 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 26->66 68 ax-0002.ax-msedge.net 150.171.28.11, 443, 49702 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 26->68 signatures9 process10 dnsIp11 52 ntp1.net.berkeley.edu 169.229.128.134, 123, 60552 UCBUS United States 32->52 54 ntp.time.nl 94.198.159.10, 123, 60552 SIDNNL Netherlands 32->54 56 6 other IPs or domains 32->56 76 Early bird code injection technique detected 32->76 78 Found many strings related to Crypto-Wallets (likely being stolen) 32->78 80 Tries to harvest and steal browser information (history, passwords, etc) 32->80 82 2 other signatures 32->82 36 wmpshare.exe 32->36         started        39 chrome.exe 32->39         started        41 msedge.exe 14 32->41         started        43 chrome.exe 32->43         started        signatures12 process13 signatures14 92 Found many strings related to Crypto-Wallets (likely being stolen) 36->92 94 Writes to foreign memory regions 36->94 96 Allocates memory in foreign processes 36->96 45 dllhost.exe 36->45         started        48 chrome.exe 39->48         started        50 msedge.exe 41->50         started        process15 dnsIp16 72 154.81.179.132, 49712, 49714, 9527 MULTA-ASN1US Seychelles 45->72 74 127.0.0.1 unknown unknown 48->74
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/94ab3ac0ff390673564b0055fb7dc67c358bb536cd578f30fde34e39219a5aa7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/94ab3ac0ff390673564b0055fb7dc67c358bb536cd578f30fde34e39219a5aa7/
Threat name:
Win32.Trojan.Rhadamanthys
Create hunting rule
Status:
Malicious
First seen:
2025-04-28 14:15:53 UTC
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ssvtvqh7hedhgvslabk7w7ogpq2yxnjwzvly6mh54nhdsim2lktq._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
019e368cdfe9e71959dfc32917463653dfa4c35c129f1feb1fe492187d46a22a
Rhadamanthys
04ebc778a5f47b413d86ee377b7d966b93bca86d06e33592fb09698a9c7bb166
Rhadamanthys
05925f6ebe6766a5667334aa2f04b65096c40bfcbf8caed8780dd0cdac6c7d95
Rhadamanthys
5cb6c17c36f745d704afc3379ce1d45fb30d793d9092229f43fc4294fbd1cd26
Rhadamanthys
6e3c1e99ff62da0a2ac7e2bc89d61b515743a8074eb6559ff4328c98b0a0b4b7
Rhadamanthys
92f15aca3c8a18dc413b61ae62fa88f601c1a3d7d5d682c1384c0229396da603
Rhadamanthys
b4c5976c195529d342848c33311292fc6778a79c21cb1d546c82af157350e702
Rhadamanthys
ba96f1e9c704df28323c460be3c627b5c638d2bd4fcae869f227121d0dff5d62
Rhadamanthys
d5e03c97abdb4c8602140fd314885313750e023997c844b09a7c35d7679297d8
Rhadamanthys
dabfe2b02c36b5f1a7f1c0d96798c944f69f84c4889e2e7e25655bb4d3894f31
Rhadamanthys
error
Rhadamanthys
+ 327 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion discovery
Link:
https://tria.ge/reports/250429-hj919sykx5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d563f973-a925-4bd5-a429-ab2518d842d2
Unpacked files
SH256 hash:
d487be0e3a7d0e5db716daca7bf9e5da4ab7a60f0dc582dae8ebf1389649c0eb
MD5 hash:
043f53334cd735029d0cf26b4331b610
SHA1 hash:
b4f830c4abd035728967d88c99782203317ecdaf
Link:
https://www.unpac.me/results/4d72a1c9-7ab8-409b-ab69-845611ed0433/
SH256 hash:
254ce242928e04541378dbccd334d6e0378df24318b49be591f106fa9b327c40
MD5 hash:
87254c297139356b45ac603060313ea5
SHA1 hash:
2d1ba9a149d4a80404e7f2571f3af611fb97c430
Link:
https://www.unpac.me/results/4d72a1c9-7ab8-409b-ab69-845611ed0433/
SH256 hash:
94ab3ac0ff390673564b0055fb7dc67c358bb536cd578f30fde34e39219a5aa7
MD5 hash:
31ddd73236f6d93c8c4fb93956a37fec
SHA1 hash:
f9442b274530ea9010ef5dba0fb6c21d0521f302
Link:
https://www.unpac.me/results/4d72a1c9-7ab8-409b-ab69-845611ed0433/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/94ab3ac0ff39/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/94ab3ac0ff390673564b0055fb7dc67c358bb536cd578f30fde34e39219a5aa7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe 94ab3ac0ff390673564b0055fb7dc67c358bb536cd578f30fde34e39219a5aa7

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3522987/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/4938/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments