MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9915d0cb9587f1b4dc6a30e923a4a40c225ffa9b88a360c0bb3acfec216fd206. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 15


Intelligence 15 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9915d0cb9587f1b4dc6a30e923a4a40c225ffa9b88a360c0bb3acfec216fd206
SHA3-384 hash: 3ecad67184e662ac373187a9a492175e2ccc659c65eac04d869b967ca7b317354b4a68924d62cb6e95165219401e79ce
SHA1 hash: c294590ede68d906bdf20e0d8715a904b1320e92
MD5 hash: 4c6c3acb318db12b2ad5ff085a367a24
humanhash: saturn-equal-nebraska-east
File name:appFile_patched.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:8'597'504 bytes
First seen:2025-11-02 13:47:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 71 x LummaStealer, 61 x Rhadamanthys)
ssdeep 98304:Yi3J/ANEvLIxa4nXb1Ru0DNw2eziRdhhbuXzrHKc28R:oNKruJRJdhhKPpZR
Threatray 295 similar samples on MalwareBazaar
TLSH T12686BE10B7984075D9EB163418AF6726A37FFD505BA086CF2650A39E9C313C2AF317A7
TrID 32.0% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
24.0% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
12.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
8.1% (.EXE) Win64 Executable (generic) (10522/11/4)
5.0% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
Magika pebin
Reporter aachum
Tags:217-156-67-140 AutoIT CypherIT de-pumped exe Rhadamanthys


Avatar
iamaachum
https://index.git3share.sbs/Adobe_Premiere_Pro_2024_v24.6.1_%28x64%29_%2B_Fix.zip => https://arch.git33share.beauty/soap/media/[x]/Adobe_Premiere_Pro_2024_v24.6.1_(x64)_+_Fix.zip

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
_9915d0cb9587f1b4dc6a30e923a4a40c225ffa9b88a360c0bb3acfec216fd206.exe
Verdict:
Malicious activity
Analysis date:
2025-11-02 13:52:36 UTC
Tags:
autoit rhadamanthys
Link:
https://app.any.run/tasks/e60dff0a-4ebf-45d9-9c86-59acfcd1db84

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34992/
Detection(s):
no reply from clamd
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690761c3706befaf4ecb23f3
Tags:
autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Running batch commands
Moving a file to the %temp% subdirectory
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a window
Creating a process from a recently created file
DNS request
Unauthorized injection to a recently created process
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/9915d0cb9587f1b4dc6a30e923a4a40c225ffa9b88a360c0bb3acfec216fd206
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-11-02T10:59:00Z UTC
Last seen:
2025-11-02T16:35:00Z UTC
Hits:
~100
Detections:
HEUR:Trojan.Script.AUO.gen Backdoor.Agent.UDP.C&C Backdoor.Win32.Agent.mywzlt
Link:
https://opentip.kaspersky.com/9915d0cb9587f1b4dc6a30e923a4a40c225ffa9b88a360c0bb3acfec216fd206/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/64524818-da65-499a-9a4f-372bce1e75d9
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1806491
Signature
Detected CypherIt Packer
Drops PE files with a suspicious file extension
Early bird code injection technique detected
Found direct / indirect Syscall (likely to bypass EDR)
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Search for Antivirus process
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1806491 Sample: appFile_patched.exe Startdate: 02/11/2025 Architecture: WINDOWS Score: 100 68 twc.trafficmanager.net 2->68 70 time.windows.com 2->70 72 7 other IPs or domains 2->72 94 Multi AV Scanner detection for submitted file 2->94 96 Yara detected RHADAMANTHYS Stealer 2->96 98 Sigma detected: Search for Antivirus process 2->98 10 appFile_patched.exe 1 9 2->10         started        12 msedge.exe 2->12         started        15 elevation_service.exe 2->15         started        17 4 other processes 2->17 signatures3 process4 dnsIp5 19 OpenWith.exe 6 10->19         started        23 cmd.exe 4 10->23         started        26 attrib.exe 1 10->26         started        92 239.255.255.250 unknown Reserved 12->92 28 msedge.exe 12->28         started        30 msedge.exe 12->30         started        32 msedge.exe 12->32         started        34 msedge.exe 12->34         started        process6 dnsIp7 74 217.156.67.140, 49690, 49691, 49736 XCHANGENETRO Romania 19->74 76 ntp1.net.berkeley.edu 169.229.128.134, 123, 59518 UCBUS United States 19->76 82 6 other IPs or domains 19->82 100 Early bird code injection technique detected 19->100 102 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->102 104 Tries to steal Mail credentials (via file / registry access) 19->104 110 7 other signatures 19->110 36 chrome.exe 19->36         started        38 msedge.exe 19->38         started        40 chrome.exe 19->40         started        66 C:\Users\user\AppData\Local\...behaviorgraphraduates.scr, PE32+ 23->66 dropped 106 Detected CypherIt Packer 23->106 108 Drops PE files with a suspicious file extension 23->108 42 Graduates.scr 23->42         started        45 extrac32.exe 23 23->45         started        47 conhost.exe 23->47         started        51 4 other processes 23->51 49 conhost.exe 26->49         started        78 part-0042.t-0009.t-msedge.net 13.107.246.70, 443, 49726, 49727 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 28->78 80 part-0042.t-0009.fb-t-msedge.net 13.107.253.70, 443, 49722 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 28->80 84 10 other IPs or domains 28->84 file8 signatures9 process10 signatures11 53 chrome.exe 36->53         started        56 chrome.exe 36->56         started        58 msedge.exe 38->58         started        112 Hijacks the control flow in another process 42->112 114 Modifies the context of a thread in another process (thread injection) 42->114 116 Injects a PE file into a foreign processes 42->116 118 Found direct / indirect Syscall (likely to bypass EDR) 42->118 60 Graduates.scr 42->60         started        62 svchost.exe 42->62         started        process12 dnsIp13 86 googlehosted.l.googleusercontent.com 142.250.69.161, 443, 49705, 49706 GOOGLEUS United States 53->86 88 www.google.com 142.251.34.196, 443, 49708 GOOGLEUS United States 53->88 90 3 other IPs or domains 53->90 64 WerFault.exe 2 60->64         started        process14
Score:
84%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/9915d0cb9587f1b4dc6a30e923a4a40c225ffa9b88a360c0bb3acfec216fd206
Verdict:
inconclusive
YARA:
10 match(es)
Tags:
.Net AutoIt CAB:COMPRESSION:LZX CAB:COMPRESSION:MSZIP Executable Html PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/4c6c3acb318db12b2ad5ff085a367a24
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9915d0cb9587f1b4dc6a30e923a4a40c225ffa9b88a360c0bb3acfec216fd206/
Verdict:
Malicious
Threat:
Family.RHADAMANTHYS
Link:
https://tip.neiki.dev/file/9915d0cb9587f1b4dc6a30e923a4a40c225ffa9b88a360c0bb3acfec216fd206
Threat name:
Win64.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-11-02 13:48:37 UTC
File Type:
PE+ (Exe)
Extracted files:
44
AV detection:
18 of 23 (78.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tek5bs4vq7y3jxdkgdushjfebqrf76u3rcrwbqf3hlh6yilp2ida._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
164cf907a514a586ed298d4194ceef8d7a1876e7eb091e41c9466611ad9daab8
Rhadamanthys
285403b51c4897c5aa8ff01c2d5d13d018381454b69b07c6a5bd92312091e1d5
Rhadamanthys
52dd5ff3704a1d0be979be5a99be19054f5717fe3bc7ff9e7609d211417fb917
Rhadamanthys
56d76ae1d2fe513e9de273d623b46aea8c944413a1e78015d72cdf910c1b091a
Rhadamanthys
5df8dc57b9b97522aadc906667f82a1185e6bbee062ae9fbaba297b1ccc57b58
Rhadamanthys
6c58064777ef165869c15b19dba9097e4fa66890344cf6346d4f10239d0c0415
Rhadamanthys
738210b7ab282c0a2357a333a6ce02d61fcc1f9c1ddb69d380c9fa9bee686cee
Rhadamanthys
946d29dd4c5436460dd2b4a1c0966d701248df529c8a51a64f1b63ab05baeba9
Rhadamanthys
b14460c1b9e5d88d6f41d605b88e0de4bbac646b3c578e514bfcff5ba1dd584f
Rhadamanthys
d9f4d8365c1f4caeff171e712ba32a7e132b12d9f1232a7ada4f1385d15e2007
Rhadamanthys
error
Rhadamanthys
+ 285 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion discovery persistence
Link:
https://tria.ge/reports/251102-q3vdxs1mft/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/aca9a359-0207-46a6-8c95-893ef4fd8c15
Unpacked files
SH256 hash:
9915d0cb9587f1b4dc6a30e923a4a40c225ffa9b88a360c0bb3acfec216fd206
MD5 hash:
4c6c3acb318db12b2ad5ff085a367a24
SHA1 hash:
c294590ede68d906bdf20e0d8715a904b1320e92
Link:
https://www.unpac.me/results/9317a4f8-f860-499c-9e37-0f66647c8ebe/
SH256 hash:
6adef0e81469c73b23c9bf8c09fbbd6b6c558615df91379589eb71fbad0143cf
MD5 hash:
51128db1b8ff659661313e97e96a5b42
SHA1 hash:
b7348e3fd7cde39ed457d52f2a5835e173afb246
Link:
https://www.unpac.me/results/9317a4f8-f860-499c-9e37-0f66647c8ebe/
SH256 hash:
f64f2f33c3412845678c7a1803d3bf5441e4e7aed115e16384a0c436cd6f661e
MD5 hash:
ded8df4668ce9fb6103692a7a6374e7a
SHA1 hash:
9d301a7ba40c2efe65edadb2b9261673d2d41eb9
Link:
https://www.unpac.me/results/9317a4f8-f860-499c-9e37-0f66647c8ebe/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9915d0cb9587/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9915d0cb9587f1b4dc6a30e923a4a40c225ffa9b88a360c0bb3acfec216fd206

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Jupyter_infostealer
Create hunting rule
Author:CD_R0M_
Description:Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

7z 2833744a5220a796a0ae5f91fe7c6976179885494ff7f35220b0a93561d104ca

Rhadamanthys

Executable exe 9915d0cb9587f1b4dc6a30e923a4a40c225ffa9b88a360c0bb3acfec216fd206

(this sample)

  
Link
https://tria.ge/251102-qq7tgsxjdr/behavioral2
  
Dropped by
SHA256 2833744a5220a796a0ae5f91fe7c6976179885494ff7f35220b0a93561d104ca
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/34992/
  
Dropped by
MD5 914b5ff7c76a23cf73821b6c1c5ae86e

Comments