MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f9f4a84b0543ca1b2a5d8d67badb571133b99d7ca5c367208d98fdea26abebc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Rhadamanthys


Vendor detections: 12



SHA256 hash: 9f9f4a84b0543ca1b2a5d8d67badb571133b99d7ca5c367208d98fdea26abebc
SHA3-384 hash: 2a7f140582c73bff366f7b69f48e26696ff0d14eb2cd09b168db9be428c5d432af60cabc0278dcb3f78a292403f7f245
SHA1 hash: 72eeb8fc71fed0a8b9db83415a3975515af0ff51
MD5 hash: 2e4440903ba7fe9200478daad1e45443
humanhash: quiet-asparagus-purple-florida
File name: 🕹️╰𝔰𝔢𝔱𝔲𝔭.exe
Signature: Rhadamanthys
File size: 99'614'698 bytes
First seen: 2025-08-19 22:03:15 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: b729b61eb1515fcf7b3e511e4e66258b (70 x LummaStealer, 16 x Rhadamanthys, 8 x Adware.Generic)
ssdeep: 49152:UmHtPWWwjo/MiJWqf+aWEkyjeoq1wuLUUJaVOco:Umgp49fTnkyjt6R7JOa
Threatray: 1'464 similar samples on MalwareBazaar
TLSH: T1B628123D300FF2BB5A4934B0ACE51E12B82CE114579493A64ED907BD93CB1DD6A3E9C9
TrID: 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
      15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
      9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
      6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: e0f2da99ba9abb0c (2 x Rhadamanthys)
Reporter: aachum
Tags: 103-245-231-185 103-245-231-197 104-164-55-180 104-164-55-24 AutoIT CypherIT exe Rhadamanthys


iamaachum
https://www.download-setup.com/ => https://mega.nz/file/bQUDDbpJ#30vZWvm7OywRIuq88uVb89ouQgTwU-jTvB18itLdvVQ

Intelligence


File Origin
# of uploads: 1
# of downloads: 785
Origin country: ES
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: af5f72f7-6487-4820-b63e-63983bb2ef65
Verdict: Malicious activity
Analysis date: 2025-08-19 22:06:21 UTC
Tags: lumma stealer autoit

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 97.4%
Tags: autoit emotet cobalt spoof
Result
Verdict: Clean

Maliciousness:
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug blackhole installer microsoft_visual_cc overlay overlay
Result
Threat name: RHADAMANTHYS
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Checks if the current machine is a virtual machine (disk enumeration)
Detected CypherIt Packer
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Search for Antivirus process
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph (ID 1760615; start date 20/08/2025; architecture WINDOWS; score 100):
  Sample-level signatures: Multi AV Scanner detection for submitted file; Yara detected RHADAMANTHYS Stealer; Sigma detected: Search for Antivirus process
  DNS: TszQVTLleFrlCV.TszQVTLleFrlCV
  Process tree:
    🕹️╰𝔰𝔢𝔱𝔲𝔭.exe (this sample): drops C:\Users\user\AppData\Local\...\nsExec.dll (PE32)
      cmd.exe: Detected CypherIt Packer; Drops PE files with a suspicious file extension
        cmd.exe: drops C:\Users\user\AppData\Local\...\Uganda.pif (PE32)
          Uganda.pif: network 103.245.231.185, 443, 49691 (VECTANTARTERIANetworksCorporationJP, Japan); 104.164.55.180, 443, 49693 (EGIHOSTINGUS, United States); 104.164.55.24, 443, 49692 (EGIHOSTINGUS, United States); Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Checks if the current machine is a virtual machine (disk enumeration); 3 other signatures
          extrac32.exe
          tasklist.exe
          2 other processes
        conhost.exe
Threat name: Win32.Trojan.LummaStealer
Status: Malicious
First seen: 2025-08-19 22:12:06 UTC
File Type: PE (Exe)
Extracted files: 19
AV detection: 14 of 24 (58.33%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: discovery
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Executes dropped EXE
Loads dropped DLL
Malware family: Rhadamanthys
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Rhadamanthys
Executable exe 9f9f4a84b0543ca1b2a5d8d67badb571133b99d7ca5c367208d98fdea26abebc (this sample)

Delivery method: Distributed via web download

Comments