MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a81cdf516076f4e3798dfff393ce9d554740a9239de1bd54f6b571233573f322. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a81cdf516076f4e3798dfff393ce9d554740a9239de1bd54f6b571233573f322
SHA3-384 hash: 18bf3f84c64402946e3c472f8a979c23adb2bca14be31a5a6f85fbe1b5bb78c4d224d2614a5c1e4072caf3904d4e0477
SHA1 hash: 1c411415d34da81636e1365bd1b7de0fe84607b4
MD5 hash: b12a45c4c7540439481ab30e8c777208
humanhash: eight-july-blue-massachusetts
File name:file
Download: download sample
File size:2'046'976 bytes
First seen:2025-11-05 13:14:49 UTC
Last seen:2025-11-05 13:19:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:7ha6kwri6ajopB2cGNC9QLtj0cW3I5/EwVEXusCZA3TS7y:NaPSiPwdGY6J0vkcw6us+A3TS7
Threatray 278 similar samples on MalwareBazaar
TLSH T1489533D72C20D168D7CF82BA9D4278735D41366E00FAE9CC941A81ED7FDB3A597E2881
TrID 27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
20.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
18.6% (.EXE) Win32 Executable (generic) (4504/4/1)
8.5% (.ICL) Windows Icons Library (generic) (2059/9)
8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter Bitsight
Tags:dropped-by-amadey exe fbf543


Avatar
Bitsight
url: http://178.16.54.200/files/mr/random.exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
76
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2025-11-05 13:20:19 UTC
Tags:
rhadamanthys stealer
Link:
https://app.any.run/tasks/14b57864-ff2e-4fe5-a58a-524862c4de1f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/35500/
Detection(s):
SecuriteInfo.com.Trojan.Lumma-1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=690b4dfeea0f3e915c2321d5
Tags:
vmdetect
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Searching for analyzing tools
Creating a window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending a custom TCP request
Unauthorized injection to a system process
Gathering data
Verdict:
Malicious
Labled as:
Symmi.Generic
Link:
https://www.hybrid-analysis.com/sample/a81cdf516076f4e3798dfff393ce9d554740a9239de1bd54f6b571233573f322
Verdict:
Unknown
File Type:
Link:
https://opentip.kaspersky.com/a81cdf516076f4e3798dfff393ce9d554740a9239de1bd54f6b571233573f322/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/3362c914-64cf-4407-a487-75c932024533
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/a81cdf516076f4e3798dfff393ce9d554740a9239de1bd54f6b571233573f322
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/b12a45c4c7540439481ab30e8c777208
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a81cdf516076f4e3798dfff393ce9d554740a9239de1bd54f6b571233573f322/
Verdict:
Malicious
Threat:
Family.RHADAMANTHYS
Link:
https://tip.neiki.dev/file/a81cdf516076f4e3798dfff393ce9d554740a9239de1bd54f6b571233573f322
Threat name:
Win32.Trojan.Symmi
Create hunting rule
Status:
Malicious
First seen:
2025-11-05 13:15:32 UTC
File Type:
PE (Exe)
Extracted files:
1
AV detection:
21 of 23 (91.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vaon6ulao32og6mn77zzhtu5kvdubkjdtxq32vhwwvysgnlt6mra._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
0a1fcd9388070dc371576628fe67e598a04483f80ee675bd36d3f6e271f0e716
64778aa8864822b78ca0d0aa70258ae236f8ad0f43957a78d36f28f41e217205
9a8057b07ef25912763b238cafed2941ac266e8b4edba123b77ab2785104d4fd
a918d242f758438ddd53d5ee556d3b7407f2e4203365a9e539483bd23d91b91e
b9c49d3339245f2df18613613625c6ec445c0fdfd7d565129ea25713389f5592
be81632c280cd6e3b08a50194b039fb51e05643bbad03c721e5c03e94d35adc8
e9e6f3ebb97641d15bca12732442c8fab4f6bb3be8b7bb9a9969d247747e2ae8
error
f4af98e2c55729364d527a69fd9befdb908210dc31a30405f8b864a9182e9f24
+ 268 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion discovery
Link:
https://tria.ge/reports/251105-qhb2vaek21/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/aef92339-ce7f-415c-a701-1b6101e61aa4
Unpacked files
SH256 hash:
a81cdf516076f4e3798dfff393ce9d554740a9239de1bd54f6b571233573f322
MD5 hash:
b12a45c4c7540439481ab30e8c777208
SHA1 hash:
1c411415d34da81636e1365bd1b7de0fe84607b4
Link:
https://www.unpac.me/results/a0545a2c-dd0d-4d5d-8950-0e36cebbe26d/
SH256 hash:
eb052092f1e97a451fad405d0693b5d4ad4af6852123662e89a974975b7fd9c3
MD5 hash:
fec88eac2c505443e87faa7cfb23542f
SHA1 hash:
e9c448d7baa3df31ecd258ca48d2f1faabc3143d
Link:
https://www.unpac.me/results/a0545a2c-dd0d-4d5d-8950-0e36cebbe26d/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a81cdf516076/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a81cdf516076f4e3798dfff393ce9d554740a9239de1bd54f6b571233573f322

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe a81cdf516076f4e3798dfff393ce9d554740a9239de1bd54f6b571233573f322

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/35500/
  
URLhaus
https://urlhaus.abuse.ch/url/3697140/

Comments