MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0b1944382e2fdec5e5640f45b7841b95e9c93dfa3f4e4f02b603cf1f7e68222. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a0b1944382e2fdec5e5640f45b7841b95e9c93dfa3f4e4f02b603cf1f7e68222
SHA3-384 hash: 20e2b6e146b6b20b2021425026b2d2f3f52593b31e3fc61609c528c668ae0f910804c59905837b9c656bc8a319826d5b
SHA1 hash: ab40e42f89da3f3f60ae11804b0b54b62c55dcf2
MD5 hash: 4bc285601e9d547443a5d4b27cacfbaa
humanhash: quiet-island-sodium-earth
File name:third stage.ps1
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:1'482 bytes
First seen:2026-01-27 16:39:22 UTC
Last seen:Never
File type:PowerShell (PS) ps1
MIME type:text/plain
ssdeep 24:OI9cTROH4iOoyscMsd8Ts2BJaQfyRsMG8YKXBsfJRDRZ74W9OFtJCJtC:pYDopcjCQm/R0RsfvH74/D
Threatray 301 similar samples on MalwareBazaar
TLSH T1DC31E01432025B570473563A6D91E4ACFA9351B349FE2C00FD5C92A29FF6212D27AF5E
Magika powershell
Reporter ShadowOpCode
Tags:ClickFix kid-lidiia-com-ua ps1 Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
IT IT
Vendor Threat Intelligence
No detections
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6978ea4b6fa3eed1652f94d4
Tags:
trojan shell sage
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/6978ea42a57b6af70d0f03d4/reports/e6cd92cf-eb9b-4aab-970b-865d2ca8f2fc/overview
Verdict:
Malicious
Labled as:
BZC.PZQ.Boxter.829
Link:
https://www.hybrid-analysis.com/sample/a0b1944382e2fdec5e5640f45b7841b95e9c93dfa3f4e4f02b603cf1f7e68222
Verdict:
Malicious
File Type:
ps1
First seen:
2025-09-25T11:43:00Z UTC
Last seen:
2026-01-28T00:41:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/a0b1944382e2fdec5e5640f45b7841b95e9c93dfa3f4e4f02b603cf1f7e68222/results?tab=lookup
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1805736
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Dot net compiler compiles file from suspicious location
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
n/a
Score:
3%
Verdict:
Benign
File Type:
SCRIPT
Link:
https://malprob.io/report/a0b1944382e2fdec5e5640f45b7841b95e9c93dfa3f4e4f02b603cf1f7e68222
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a0b1944382e2fdec5e5640f45b7841b95e9c93dfa3f4e4f02b603cf1f7e68222/
Verdict:
Malicious
Threat:
NetTool.Win64.HTTP
Link:
https://tip.neiki.dev/file/a0b1944382e2fdec5e5640f45b7841b95e9c93dfa3f4e4f02b603cf1f7e68222
Threat name:
Win32.Dropper.Boxter
Create hunting rule
Status:
Malicious
First seen:
2025-09-26 00:20:13 UTC
File Type:
Text (PowerShell)
AV detection:
6 of 23 (26.09%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ucyziq4c4l66yxswid2fw6cbxfpjze67up2oj4blma6pd57gqira._file
Verdict:
malicious
Label(s):
donutloader
Create hunting rule
Similar samples:
1bb4c84914707127007e6922b35319f142b56fe00ece18fc0c2fcd6e5e74c76a
Rhadamanthys
29ffffb8bba66471daaab7684fbafe004fe92a7806785d117316b73d5695db00
Rhadamanthys
3e02008bba6f868cf0bbe58a5428362c5f963a1dcb8d8682b1777af925a07587
Rhadamanthys
41e9c4a2e8d9fdf2f8853ab181f8333e0d83dcd728449cef5d4001eac8e50354
Rhadamanthys
5228cdea84a04c9047fd321efcde0b729a7b2fb036328f8c68c4379ea50c9f9a
Rhadamanthys
713fe892def917dd16fa304cf3719a22418c2b9db9d8e36cee27973f788236eb
Rhadamanthys
8af432d7a2658aeb50f30d2e8a8ec325bb6005e2b198a483d5a3451ef30c9e97
Rhadamanthys
error
Rhadamanthys
f8f52d0c711638b4fa7071bc09255c9ea6d13afb10da5eeca36bde332f7c3b34
Rhadamanthys
fc791cea301af15a8c46dfd5ddf048fbc52cb694d5e9118c41363675823a328b
Rhadamanthys
fd55f42200ffdf235c86b4364309426823e28b1c2e0723ddf9b35eac8062c7d7
Rhadamanthys
+ 291 additional samples on MalwareBazaar
Result
Malware family:
donutloader
Create hunting rule
Score:
  10/10
Tags:
family:donutloader execution loader
Link:
https://tria.ge/reports/260127-t59s6sgt7g/
Behaviour
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Drops file in System32 directory
Badlisted process makes network request
Detects DonutLoader
DonutLoader
Donutloader family
Malware Config
Dropper Extraction:
http://94.154.35.115/user_profiles_photo/cptch.bin
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.95
Link:
https://yomi.yoroi.company/submissions/a0b1944382e2fdec5e5640f45b7841b95e9c93dfa3f4e4f02b603cf1f7e68222

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_powershell
Create hunting rule
Author:daniyyell
Description:Detects suspicious PowerShell activity related to malware execution
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:WIN_ClickFix_Detection
Create hunting rule
Author:dogsafetyforeverone
Description:Detects ClickFix social engineering technique using 'Verify you are human' messages and malicious PowerShell commands
Reference:ClickFix social engineering and malicious PowerShell commands

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

PowerShell (PS) ps1 a0b1944382e2fdec5e5640f45b7841b95e9c93dfa3f4e4f02b603cf1f7e68222

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3631737/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3757187/

Comments