MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a5809a42fba08fa4ce38ae0ab74b433fe91826de4296c147fc4214eee86dc919. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 16


Intelligence 16 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a5809a42fba08fa4ce38ae0ab74b433fe91826de4296c147fc4214eee86dc919
SHA3-384 hash: dd1b062771b54030367e7bc7b805164c7d6b4cc6d5df41e6c9d15c70130ed3c0da9b8d6d06176487e303467f7846e4c7
SHA1 hash: 3d63545985054ae50795a9e753253e29f6342dd6
MD5 hash: 2e22a638e190f3ebdfd63047cbf14d5c
humanhash: mississippi-spring-hawaii-bakerloo
File name:file
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:1'042'944 bytes
First seen:2025-09-09 04:01:03 UTC
Last seen:2025-09-09 04:04:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 1deeab33a3db0d2c20caa9f7afb33436 (6 x Rhadamanthys)
ssdeep 24576:cxS3p0KAFs3l/i8gtvuLhEG4sWY2qHFqg9SfLMbY:cxS5XAu3l/KuLhr/WfgFTSfLMU
Threatray 418 similar samples on MalwareBazaar
TLSH T1DA250142F1F380A3F74394F02A79A679582DFA63A7380DDB6184F634A5749D2173362B
TrID 49.9% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.6% (.EXE) OS/2 Executable (generic) (2029/13)
9.5% (.EXE) Generic Win/DOS Executable (2002/3)
9.4% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe Rhadamanthys


Avatar
Bitsight
url: http://178.16.54.200/files/174733404/PsCMIRi.exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
87
Origin country :
US US
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
1585a6ac342aef95d9c54f503be5f84c45efdc775a47a64aa049013566abff8c.exe
Verdict:
Malicious activity
Analysis date:
2025-09-08 16:34:58 UTC
Tags:
lumma stealer auto redline amadey botnet telegram themida loader arch-exec vidar ultravnc rmm-tool gcleaner coinminer miner ddr stealc rdp anti-evasion autoit payload purelogs
Link:
https://app.any.run/tasks/cd0f2f40-a206-4139-8b88-6e101505210d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/26397/
Detection(s):
no reply from clamd
Create hunting rule

Verdict:
Malicious
Score:
95.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68be71dc6e66ba602d7906cd
Tags:
cobalt xpaj
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
amadey crypt crypto microsoft_visual_cc packed rhadamanthys unsafe
Link:
https://www.filescan.io/uploads/68bfa69dcfa59bfdc7f4bd3c/reports/d35655eb-246a-4e8b-9520-18e4cea47f28/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/a5809a42fba08fa4ce38ae0ab74b433fe91826de4296c147fc4214eee86dc919
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-08T03:14:00Z UTC
Last seen:
2025-09-08T03:14:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Inject.sb Trojan.Win32.Crypt.sb Trojan.Win32.Agent.sb VHO:Trojan-PSW.Win32.Crypt.gen VHO:Trojan-PSW.Win32.Convagent.gen Trojan-PSW.Win32.Crypt.iz Trojan.Win64.SBEscape.sb Trojan.Win32.Strab.sb
Link:
https://opentip.kaspersky.com/a5809a42fba08fa4ce38ae0ab74b433fe91826de4296c147fc4214eee86dc919/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/33ba4995-fe09-4928-9507-636b716f1c33
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a5809a42fba08fa4ce38ae0ab74b433fe91826de4296c147fc4214eee86dc919
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a5809a42fba08fa4ce38ae0ab74b433fe91826de4296c147fc4214eee86dc919/
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/a5809a42fba08fa4ce38ae0ab74b433fe91826de4296c147fc4214eee86dc919
Threat name:
Win32.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-09-08 06:04:13 UTC
File Type:
PE (Exe)
AV detection:
14 of 24 (58.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uwajuqx3uch2jtryvyflos2dh7urqjw6iklmcr74iiko52dnzemq._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
018f9ba428f4e3360bb6ee7c42f5f475bda12ae71a430d603a4a5e8ea94fdcf9
Rhadamanthys
155f53209e7e4aacf1efb3c929a2aaa659f98f9dd3ff703d0eed9ff7379a7da3
Rhadamanthys
1f51d10b1f8a2013c8f4c9a6b16a10154f0ad59402931e091add41f632f57290
Rhadamanthys
29ecf946a40c89dfae84770c96f483b151a636202ceaab43b1c8008f2adedbea
Rhadamanthys
47767a97c828554f2092c5e2fc505e103ff42114cd75071fd69e16111037a83a
Rhadamanthys
7908c78041ece2129127d26500321b09f094e41c66f535454884bb4d79573b9b
Rhadamanthys
8b6cc989867108154391335d55fc5267007706203ca4eadab8ef5fe0cad10fbf
Rhadamanthys
daa1e8c37f131efe55995260e3772db5bfe8d3d5c5c96d2adc7a55492aab0bae
Rhadamanthys
error
Rhadamanthys
f5bc4cd08a3e95935a848c97c435a0fc41b3a118c45a5baf3e50e6e69a109aff
Rhadamanthys
+ 408 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys discovery stealer
Link:
https://tria.ge/reports/250909-elh4sayry3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Deletes itself
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e8a2c3de-c28a-40c3-9cf0-d9cd86427010
Unpacked files
SH256 hash:
a5809a42fba08fa4ce38ae0ab74b433fe91826de4296c147fc4214eee86dc919
MD5 hash:
2e22a638e190f3ebdfd63047cbf14d5c
SHA1 hash:
3d63545985054ae50795a9e753253e29f6342dd6
Link:
https://www.unpac.me/results/8a905815-1aed-4b10-b1fc-84833ad1dacc/
SH256 hash:
8855a86d2276a92e2dc38f1ce3ae709b93caba530ce75f31808c6cb0589c6395
MD5 hash:
329d6f6c5ac81e4b5d59f5ce0428e04e
SHA1 hash:
61494e8baf3cfcc7b81fc0f95e37653f4afa5b48
Link:
https://www.unpac.me/results/8a905815-1aed-4b10-b1fc-84833ad1dacc/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a5809a42fba0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a5809a42fba08fa4ce38ae0ab74b433fe91826de4296c147fc4214eee86dc919

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe a5809a42fba08fa4ce38ae0ab74b433fe91826de4296c147fc4214eee86dc919

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3617786/
Cape
Cape
https://www.capesandbox.com/analysis/26397/

Comments