MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9527432c5ba45d4c7e06110b005daa284e21b48286d3e6b40f85901a9ed4dffd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys
Vendor detections: 17

SHA256 hash: 9527432c5ba45d4c7e06110b005daa284e21b48286d3e6b40f85901a9ed4dffd
SHA3-384 hash: a72bec701494ca2263c5dab87e533ca867bae5150ac7d0aebf6e791a10db50dd8f18da6bb49025bf3bb2b1847b72ae80
SHA1 hash: bb751e3b231a7bf22ed1ebc562b828497510ec18
MD5 hash: 96d76d48364443e3c7c3c4dcaf64a493
humanhash: diet-rugby-hot-item
File name: Launcher.exe
Signature: Rhadamanthys
File size: 6'893'448 bytes
First seen: 2025-09-18 18:53:49 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 5ae8da8d195503ea36a6c31c6043ecb8 (23 x Rhadamanthys)
ssdeep: 98304:B808UPUjendKMJDL0ucMTiuX6HyRx06EQX2TZ3kCpYIBcneXk92f/JG9O8jNV:2VedKgYucmiuXayRhEu2dtYNnWJEn
TLSH: T11A6612471A8760A4F7D7147B660B7E9E33F10EE40D41C729A9C3F88759F2AF190AB852
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
Reporter: burger
Tags: exe Rhadamanthys

Intelligence


File Origin
# of uploads: 1
# of downloads: 97
Origin country: NL
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Launcher.exe
Verdict: Malicious activity
Analysis date: 2025-09-18 18:53:42 UTC
Tags: anti-evasion rhadamanthys stealer shellcode

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 96.5%
Tags: vmprotect obfusc crypt overt
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Creating synchronization primitives
Launching a process
Using the Windows Management Instrumentation requests
Detecting VM
DNS request
Connection attempt
Sending a custom TCP request
Sending a UDP request
Reading critical registry keys
Searching for the window
Unauthorized injection to a recently created process
Connecting to a non-recommended domain
Stealing user critical data
Unauthorized injection to a system process
Connection attempt to an infection source
Sending a TCP request to an infection source
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: adaptive-context invalid-signature overlay packed signed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict: Malicious
File Type: exe x32
First seen: 2025-09-17T22:46:00Z UTC
Last seen: 2025-09-17T22:46:00Z UTC
Hits: ~100
Detections: Trojan-Dropper.Win32.Injector.sb Trojan.Win64.SBEscape.sb Trojan.Win64.SBEscape.ajc Trojan.Win32.Strab.sb Trojan.Win32.Inject.sb Trojan.Win32.Crypt.sb Trojan.Win32.Agent.sb
Result
Threat name: RHADAMANTHYS, Xmrig
Detection: malicious
Classification: troj.spyw.evad.mine
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious PE digital signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Checks if the current machine is a virtual machine (disk enumeration)
Deletes itself after installation
Disable Windows Defender notifications (registry)
Drops PE files with benign system names
Early bird code injection technique detected
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected RHADAMANTHYS Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Behavior Graph ID: 1780327
Sample: Launcher.exe
Startdate: 18/09/2025
Architecture: WINDOWS
Score: 100

Process tree reconstructed from the graph (node numbers in brackets are the graph's own; each node lists its network contacts, dropped files, signatures and the processes it started):

[2] Analysis root
    Network: time.google.com; time.cloudflare.com; 6 other IPs or domains
    Signatures: Found malware configuration; Antivirus detection for URL or domain; Antivirus detection for dropped file; 9 other signatures
    Started: [12] Launcher.exe; [15] msedge.exe (104 441); [18] svchost.exe; [20] 8 other processes
[12] Launcher.exe
    Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Switches to a custom stack to bypass stack traces
    Started: [22] OpenWith.exe
[15] msedge.exe
    Network: 192.168.2.16 unknown unknown; 239.255.255.250 unknown Reserved
    Signatures: Maps a DLL or memory area into another process
    Started: [26] msedge.exe; [28] identity_helper.exe; [30] msedge.exe; [34] 3 other processes
[18] svchost.exe
    Signatures: Changes security center settings (notifications, updates, antivirus, firewall)
    Started: [32] MpCmdRun.exe
[22] OpenWith.exe
    Network: openai-diversifies-with-ai.com 2.58.56.225, ports 49697, 49736, 49738, SOFTNET-ASInternetServiceProviderinSloveniaandSouthE Netherlands; cloudflare-dns.com 104.16.249.249, ports 443, 49696, 49735, CLOUDFLARENETUS United States
    Signatures: Query firmware table information (likely to detect VMs); Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines); Deletes itself after installation; 3 other signatures
    Started: [36] dllhost.exe (8)
[26] msedge.exe
    Network: s-part-0012.t-0009.t-msedge.net 13.107.246.40, ports 443, 49718, 49719, MICROSOFT-CORP-MSN-AS-BLOCKUS United States; ln-0007.ln-msedge.net 150.171.22.17, ports 443, 49713, MICROSOFT-CORP-MSN-AS-BLOCKUS United States; 11 other IPs or domains
[28] identity_helper.exe
    Started: [41] conhost.exe
[32] MpCmdRun.exe
    Started: [43] conhost.exe
[36] dllhost.exe
    Network: openai-diversifies-with-ai.com; time-a-g.nist.gov 129.6.15.28 US-NATIONAL-INSTITUTE-OF-STANDARDS-AND-TECHNOLOGYUS United States; 6 other IPs or domains
    Dropped: C:\Users\user\AppData\Local\...\KTJ9f.exe (PE32+); C:\Users\user\AppData\Local\...\)7m]03]8.exe (PE32+)
    Signatures: System process connects to network (likely due to code injection or exploit); Early bird code injection technique detected; Found many strings related to Crypto-Wallets (likely being stolen); 3 other signatures
    Started: [45] KTJ9f.exe; [49] )7m]03]8.exe; [51] wmlaunch.exe; [53] 3 other processes
[45] KTJ9f.exe
    Dropped: C:\ProgramData\Microsoft\...\WmiPrvSE.exe (PE32+)
    Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); Modifies windows update settings; 3 other signatures
    Started: [56] powershell.exe; [59] cmd.exe; [61] sc.exe; [72] 4 other processes
[49] )7m]03]8.exe
    Dropped: C:\Users\user\AppData\Roaming\...\svchost.exe (PE32+)
    Signatures: Multi AV Scanner detection for dropped file; Queries memory information (via WMI often done to detect virtual machines); Drops PE files with benign system names
    Started: [63] cmd.exe
[51] wmlaunch.exe
    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes
[53] 3 other processes
    Network: 192.168.2.6, ports 443, 49681, 49682, unknown unknown
    Started: [65] chrome.exe; [68] msedge.exe; [70] chrome.exe
[56] powershell.exe
    Signatures: Loading BitLocker PowerShell Module
    Started: [74] conhost.exe; [76] WmiPrvSE.exe
[59] cmd.exe
    Started: [78] net.exe; [80] conhost.exe
[61] sc.exe
    Started: [82] conhost.exe
[63] cmd.exe
    Started: [84] conhost.exe
[65] chrome.exe
    Network: googlehosted.l.googleusercontent.com 142.251.16.132, ports 443, 49708, 49709, GOOGLEUS United States; 127.0.0.1 unknown unknown; clients2.googleusercontent.com
[68] msedge.exe
    Started: [86] Conhost.exe
[72] 4 other processes
    Started: [88] conhost.exe; [90] 2 other processes
[78] net.exe
    Started: [92] net1.exe
Verdict: inconclusive
YARA: 4 match(es)
Tags: Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name: Win32.Trojan.Midie
Status: Malicious
First seen: 2025-09-18 18:53:43 UTC
File Type: PE (Exe)
Extracted files: 18
AV detection: 21 of 24 (87.50%)
Threat level: 5/5
Verdict: malicious
Label(s): rhadamanthys
Similar samples:
Result
Malware family: rhadamanthys
Score: 10/10
Tags: family:rhadamanthys discovery stealer
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Deletes itself
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SHA256 hash: 9527432c5ba45d4c7e06110b005daa284e21b48286d3e6b40f85901a9ed4dffd
MD5 hash: 96d76d48364443e3c7c3c4dcaf64a493
SHA1 hash: bb751e3b231a7bf22ed1ebc562b828497510ec18
Malware family: Rhadamanthys
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: PE_Digital_Certificate
Author: albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments