MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a8b9acc89b79999ac9ff94155b6d040b56134d446f6ca934dc000ae8c09c9e9c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Rhadamanthys


Vendor detections: 17



SHA256 hash: a8b9acc89b79999ac9ff94155b6d040b56134d446f6ca934dc000ae8c09c9e9c
SHA3-384 hash: c66b56ce02d65b39fbdd8302f154638792248d12aeb1674b0d68392a4e5ca3438b0d8740cc52650501039636a7e31d2e
SHA1 hash: 206dfb59df0a00816276045f47b1c22d488b6e2f
MD5 hash: 51d6abcde02ae7fff8aa074e8dc84956
humanhash: mountain-missouri-spring-hydrogen
File name: SakurаMenu.exe
Signature: Rhadamanthys
File size: 2'817'928 bytes
First seen: 2025-09-19 19:34:02 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 979d4d3c19bd1d7e944b1ba868d6cce7 (24 x Rhadamanthys)
ssdeep: 49152:V+UjuXB5qwrULhjKp0MkrLzTjV3okF8Qel/edO2XV+ze8o35eC9hz5Xk7q2ARd:04uXBlrchdMkfXjV3mQeR9RxobOfARd
TLSH: T123D501DB126865DFFD5602B42A18C10835E1AC523F4172EFAF5E3ADF8E311C89A6ED14
TrID: 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4504/4/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
Magika: pebin
Reporter: burger
Tags: exe Rhadamanthys

Intelligence


File Origin
# of uploads:
1
# of downloads:
104
Origin country:
DE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SakurаMenu.exe
Verdict:
Malicious activity
Analysis date:
2025-09-19 19:32:40 UTC
Tags:
rhadamanthys stealer anti-evasion loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
94.9%
Tags:
packed obfusc crypt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Creating a window
Creating synchronization primitives
Launching a process
Using the Windows Management Instrumentation requests
Detecting VM
DNS request
Connection attempt
Sending a custom TCP request
Sending a UDP request
Reading critical registry keys
Searching for the window
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Stealing user critical data
Connection attempt to an infection source
Sending a TCP request to an infection source
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
invalid-signature microsoft_visual_cc obfuscated obfuscated packed packed packer_detected signed themidawinlicense threat
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-19T16:42:00Z UTC
Last seen:
2025-09-19T16:42:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Agent.sb HEUR:Trojan.Win64.SBEscape.pef Trojan-PSW.Win32.Rhadamanthys.sb Trojan-Dropper.Win32.Injector.sb Trojan.Win64.SBEscape.sb Trojan.Win32.Strab.sb Trojan.Win32.Inject.sb Trojan.Win32.Crypt.sb
Result
Threat name:
Coinhive, RHADAMANTHYS, Xmrig
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious PE digital signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Checks if the current machine is a virtual machine (disk enumeration)
Deletes itself after installation
Disable Windows Defender notifications (registry)
Downloads suspicious files via Chrome
Early bird code injection technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Coinhive miner
Yara detected RHADAMANTHYS Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph: [behaviour graph rendering not reproduced; Behavior Graph ID: 1780973, Sample: Sakur#U0430Menu.exe, Startdate: 19/09/2025, Architecture: WINDOWS, Score: 100]
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name:
Win32.Spyware.Rhadamanthys
Status:
Malicious
First seen:
2025-09-19 19:33:57 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
29 of 38 (76.32%)
Threat level:
2/5
Verdict:
malicious
Label(s):
rhadamanthys
Similar samples:
Result
Malware family:
rhadamanthys
Score:
10/10
Tags:
family:rhadamanthys defense_evasion discovery stealer themida trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Unpacked files
SHA256 hash:
a8b9acc89b79999ac9ff94155b6d040b56134d446f6ca934dc000ae8c09c9e9c
MD5 hash:
51d6abcde02ae7fff8aa074e8dc84956
SHA1 hash:
206dfb59df0a00816276045f47b1c22d488b6e2f
SHA256 hash:
45da0d669cbb6055d34f089518f93363ad8d9428ccc05bda4d3b5bde212a3678
MD5 hash:
3ef8a1a22fcc2f959ee5bf6109841ca8
SHA1 hash:
a629bd60bcdc052162fb701199090d75fe9af238
Detections:
INDICATOR_EXE_Packed_Themida
Malware family:
Rhadamanthys
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:INDICATOR_EXE_Packed_Themida
Author:ditekSHen
Description:Detects executables packed with Themida
Rule name:PE_Digital_Certificate
Author:albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments