MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4177c16d7e04b9a621d32df10550536f7a3a9151d1cb22b62358b6c36d9cb1b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 13

Intelligence 13 IOCs YARA 22 File information Comments

SHA256 hash:	a4177c16d7e04b9a621d32df10550536f7a3a9151d1cb22b62358b6c36d9cb1b
SHA3-384 hash:	fcba3d17c5d15166cb6615afdf3f2e75f755b52ed68a19d85541b09a839561f1a07b0be476a9a2759ec994371547e7a6
SHA1 hash:	4f2fe79c52cfc8ab34aeb31fc2ce2faefdabce01
MD5 hash:	7227be98bd15d1cb8bdf4122d05c7b5e
humanhash:	enemy-two-kentucky-mobile
File name:	SecuriteInfo.com.Win64.Evo-gen.5177.10449
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	3'207'785 bytes
First seen:	2025-07-29 08:21:45 UTC
Last seen:	2025-07-29 09:25:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	4a438adb9d59c004dab9ec35016a1405 (12 x LummaStealer, 2 x Vidar, 2 x Rhadamanthys)
ssdeep	24576:NGxXghRCMs2V4mpaq07i3cB9HMJwXVMkxPsIdBGEQHPcVEXC:NgXmRCAX85BBKJwakxPZAOE
Threatray	52 similar samples on MalwareBazaar
TLSH	T162E5171E6ED0ACF2D75A52FF85615B607677B8301B2313C72AB0A26E1E717E02A357C4
TrID	48.6% (.EXE) Win64 Executable (generic) (10522/11/4) 23.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 9.3% (.EXE) OS/2 Executable (generic) (2029/13) 9.2% (.EXE) Generic Win/DOS Executable (2002/3) 9.2% (.EXE) DOS Executable Generic (2000/1)
Magika	pebin
dhash icon	8c4d6a8ae63414d8 (2 x LummaStealer, 2 x Rhadamanthys, 1 x Vidar)
Reporter	SecuriteInfoCom
Tags:	exe Rhadamanthys

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

amadey

ID:

File name:

596c56af-652f-436d-a1d1-e5c7700ff741

Verdict:

Malicious activity

Analysis date:

2025-07-28 18:07:34 UTC

Tags:

amadey botnet stealer loader stealc evasion golang rdp auto-startup xmrig telegram python auto-reg lumma miner pastebin silentcryptominer websocket vidar quasar rat

Link:

https://app.any.run/tasks/596c56af-652f-436d-a1d1-e5c7700ff741

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/17517/

Detection(s):

SecuriteInfo.com.Win64.Evo-gen.5177.10449.UNOFFICIAL

Verdict:

Clean

Score:

N/A%

Link:

https://cyber-fortress.com/docs/result/index.php?id=688884c7af3050dc8d31fcec

Tags:

n/a

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a window

Сreating synchronization primitives

Using the Windows Management Instrumentation requests

Connection attempt

Sending a custom TCP request

DNS request

Sending a UDP request

Reading critical registry keys

Searching for the window

Launching a process

Stealing user critical data

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-debug anti-vm expand golang invalid-signature lolbin overlay overlay packed signed

Link:

https://www.filescan.io/uploads/688884ce01e814b1f00a3638/reports/b29c4c97-cc92-42a0-9c8e-492160b64ec4/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/a4177c16d7e04b9a621d32df10550536f7a3a9151d1cb22b62358b6c36d9cb1b

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/ed6f76a1-1f54-4a38-98ee-d0ce31ee1995

Score:

97%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/a4177c16d7e04b9a621d32df10550536f7a3a9151d1cb22b62358b6c36d9cb1b

Gathering data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a4177c16d7e04b9a621d32df10550536f7a3a9151d1cb22b62358b6c36d9cb1b/

Verdict:

Malicious

Threat:

VHO:Trojan.Win32.Inject

Link:

https://tip.neiki.dev/file/a4177c16d7e04b9a621d32df10550536f7a3a9151d1cb22b62358b6c36d9cb1b

Threat name:

Win64.Trojan.Amadey

Status:

Malicious

First seen:

2025-07-28 13:16:17 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

21 of 38 (55.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uqlxyfwx4bfzuyq5glpravifg332hkivduolek3cgwfwynwzzmnq._file

Verdict:

malicious

Label(s):

rhadamanthys

Rhadamanthys

2220c14ec416ff9ec8868b13f0db69545280a1b9fef9ff1c56e744516c74f8aa

Rhadamanthys

3bcd650cfa8589518bd0ad2ab93a04589190275de3843f8f90bcead289b0924d

Rhadamanthys

4c118ef6e1e04222117a3e514392088117467f873f0805ed0a721a090c5beea5

Rhadamanthys

689f30f1d8dacfa027965ac617d475f769ab162b628bad37ff2833c61dc6917a

Rhadamanthys

72c6324d2e150db05c0749a90dd9581ef096f55f38f7ee6bfdaf2275cae07db8

Rhadamanthys

a4177c16d7e04b9a621d32df10550536f7a3a9151d1cb22b62358b6c36d9cb1b

Rhadamanthys

error

Rhadamanthys

+ 42 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/250729-j9seksfj21/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/48b7c26f-6bc6-4fd1-a0e4-2f3aab053aaa

Unpacked files

SH256 hash:

a4177c16d7e04b9a621d32df10550536f7a3a9151d1cb22b62358b6c36d9cb1b

MD5 hash:

7227be98bd15d1cb8bdf4122d05c7b5e

SHA1 hash:

4f2fe79c52cfc8ab34aeb31fc2ce2faefdabce01

Link:

https://www.unpac.me/results/320c0934-93de-4cc4-a413-0fc3c54efcf8/

Malware family:

Rhadamanthys

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/a4177c16d7e0/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/a4177c16d7e04b9a621d32df10550536f7a3a9151d1cb22b62358b6c36d9cb1b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Check_OutputDebugStringA_iat Create hunting rule

Rule name:	cobalt_strike_tmp01925d3f Create hunting rule
Author:	The DFIR Report
Description:	files - file ~tmp01925d3f.exe
Reference:	https://thedfirreport.com

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectGoMethodSignatures Create hunting rule
Author:	Wyatt Tauber
Description:	Detects Go method signatures in unpacked Go binaries

Rule name:	Detect_Go_GOMAXPROCS Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	golang_binary_string Create hunting rule
Description:	Golang strings present

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	golang_duffcopy_amd64 Create hunting rule

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	pe_detect_tls_callbacks Create hunting rule

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	ProgramLanguage_Golang Create hunting rule
Author:	albertzsigovits
Description:	Application written in Golang programming language

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	TeslaCryptPackedMalware Create hunting rule

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

exe a4177c16d7e04b9a621d32df10550536f7a3a9151d1cb22b62358b6c36d9cb1b

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3592603/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/17517/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (GUARD_CF)	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::OpenProcess KERNEL32.dll::CloseHandle KERNEL32.dll::CreateThread
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::LoadLibraryExW KERNEL32.dll::LoadLibraryW KERNEL32.dll::GetSystemInfo KERNEL32.dll::GetStartupInfoA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::SetConsoleCtrlHandler KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::GetSystemDirectoryA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample