MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9ba4dc32fdc8e34b2ff6fdcac361f1cb9b1ce258a343612dd6378a50027837a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 17


Intelligence 17 IOCs YARA 24 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a9ba4dc32fdc8e34b2ff6fdcac361f1cb9b1ce258a343612dd6378a50027837a
SHA3-384 hash: 68ae16de9f1577d9cb23eed3882cd3f8c299d8c676cc86f1844eb667c9448ea0771ab950e9c70faff30dea3dc0dd7771
SHA1 hash: c0cc2273ac7cdca8a5ed3956b838a0927c0b36ee
MD5 hash: c0f6847b5ddb86aa0093ba6f8bc6f221
humanhash: steak-island-lima-rugby
File name:c0f6847b5ddb86aa0093ba6f8bc6f221.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:12'350'249 bytes
First seen:2025-09-11 14:57:40 UTC
Last seen:2025-09-11 16:17:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4b1892ce4fbcfcf064c6f69d693fc6a5 (10 x Rhadamanthys, 4 x AgentTesla, 3 x QuasarRAT)
ssdeep 98304:6JCe0hK3jlrqm/hrT8ym16ijkeqlGpALD3ajzvCB7Nyp6TsHJLDYXOnlI3:e0E3pxFTTmYicGoc47NA6gJLDYXKlI3
Threatray 331 similar samples on MalwareBazaar
TLSH T14FC6AD12E2FD01E8E5BBC178C667551BE7B27855132097DF52A08A692F23FE06E3D321
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
3
# of downloads :
107
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c0f6847b5ddb86aa0093ba6f8bc6f221.exe
Verdict:
Malicious activity
Analysis date:
2025-09-11 15:00:18 UTC
Tags:
auto-reg loader anti-evasion stealer
Link:
https://app.any.run/tasks/b088dfee-b954-40a4-a69d-0086902a8c33

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/26948/
Detection(s):
SecuriteInfo.com.Trojan.Siggen31.55323.32254.26407.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c2e39fb20052598879d223
Tags:
downloader dropper spoof virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Connection attempt
Sending an HTTP GET request
Creating a file
Sending a custom TCP request
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Launching a process
Launching a file downloaded from the Internet
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug fingerprint microsoft_visual_cc overlay overlay packed
Link:
https://www.filescan.io/uploads/68c2e392dbc6f5a29c4038b7/reports/65df5d16-6bef-443f-9c1d-74f6503679f6/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/a9ba4dc32fdc8e34b2ff6fdcac361f1cb9b1ce258a343612dd6378a50027837a
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-09-11T07:34:00Z UTC
Last seen:
2025-09-11T07:34:00Z UTC
Hits:
~100
Detections:
Trojan.Win64.Agentb.sb Trojan.Win32.Strab.sb Trojan.Win32.Shellcode.sb Trojan.Win32.Crypt.sb Trojan.Win32.Agent.sb PDM:Trojan.Win32.Generic Trojan.Win32.Shellcode.fdx
Link:
https://opentip.kaspersky.com/a9ba4dc32fdc8e34b2ff6fdcac361f1cb9b1ce258a343612dd6378a50027837a/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/ba56b2d4-b269-4b32-a22d-e152a93ef00a
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1775734
Signature
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Found API chain indicative of debugger detection
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Found stalling execution ending in API Sleep call
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses known network protocols on non-standard ports
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1775734 Sample: Fy8nbV92Ku.exe Startdate: 11/09/2025 Architecture: WINDOWS Score: 100 64 Found malware configuration 2->64 66 Malicious sample detected (through community Yara rule) 2->66 68 Antivirus detection for dropped file 2->68 70 5 other signatures 2->70 8 Fy8nbV92Ku.exe 5 2->8         started        11 DataSyncHost.exe 1 2->11         started        13 DataSyncHost.exe 1 2->13         started        process3 file4 52 C:\Users\user\AppData\Local\...\ty4ahmqn.exe, PE32+ 8->52 dropped 54 C:\Users\user\AppData\Local\...\njkujys5.exe, PE32+ 8->54 dropped 15 ty4ahmqn.exe 15 8->15         started        20 njkujys5.exe 15 8->20         started        22 conhost.exe 8->22         started        24 conhost.exe 11->24         started        26 conhost.exe 13->26         started        process5 dnsIp6 58 176.46.152.62, 49692, 49693, 49694 ESTPAKEE Iran (ISLAMIC Republic Of) 15->58 42 C:\Users\user\AppData\Local\...\nbgtpasrg.exe, PE32 15->42 dropped 44 d894235f6aac4a15b4...rypted_build[1].exe, PE32 15->44 dropped 60 Multi AV Scanner detection for dropped file 15->60 62 Found API chain indicative of debugger detection 15->62 28 nbgtpasrg.exe 16 15->28         started        46 C:\Users\user\AppData\Local\...\nbgtpasrg.exe, PE32+ 20->46 dropped 48 90129a48641c4917b0...ee45ba_miner[1].exe, PE32+ 20->48 dropped 32 nbgtpasrg.exe 1 3 20->32         started        file7 signatures8 process9 dnsIp10 56 62.60.158.10 IROST-ASIR Iran (ISLAMIC Republic Of) 28->56 74 Antivirus detection for dropped file 28->74 76 Multi AV Scanner detection for dropped file 28->76 78 Found stalling execution ending in API Sleep call 28->78 80 4 other signatures 28->80 35 conhost.exe 28->35         started        50 C:\Users\user\AppData\...\DataSyncHost.exe, PE32+ 32->50 dropped 37 DataSyncHost.exe 1 32->37         started        40 conhost.exe 32->40         started        file11 signatures12 process13 signatures14 72 Multi AV Scanner detection for dropped file 37->72
Score:
58%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/a9ba4dc32fdc8e34b2ff6fdcac361f1cb9b1ce258a343612dd6378a50027837a
Verdict:
inconclusive
YARA:
9 match(es)
Tags:
.Net Executable Html Javascript in Html PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/c0f6847b5ddb86aa0093ba6f8bc6f221
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a9ba4dc32fdc8e34b2ff6fdcac361f1cb9b1ce258a343612dd6378a50027837a/
Verdict:
Malicious
Threat:
Family.DONUTLOADER
Link:
https://tip.neiki.dev/file/a9ba4dc32fdc8e34b2ff6fdcac361f1cb9b1ce258a343612dd6378a50027837a
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-09-11 09:25:52 UTC
File Type:
PE+ (Exe)
Extracted files:
15
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vg5e3qzp3shdjmx7n7okynq7ds43dtrfri2dmew5mn4kkabhqn5a._file
Verdict:
malicious
Label(s):
donut_injector
Create hunting rule
rhadamanthys
Create hunting rule
Similar samples:
17d651beb2f137db26ef7821e8e4648d3065146aa54340d2962c295cff4510b8
Rhadamanthys
252918aaa98f25a1cc128e8eebb27905ded606d4eb04285abbf5344ff51947ba
Rhadamanthys
30235049839cd3ddfb7e50e8a58f3d0c2a5dffaa632c671a97de12ed1dfa6a06
Rhadamanthys
556d8ed53e1015b4d40383198e5a787e022fa26dc132820fc053e55ec28317b7
Rhadamanthys
5e9608025e253bd0ab486f0428d71d998fb53eba50c4ca87f70c33518d96c6bc
Rhadamanthys
ab24248296df1b0044a98cf250b65ec40adeb9b1ff4db9c3ee7e675985b4c4c5
Rhadamanthys
c9b7aa7a67392dd4537f636d4791e75984d3862280c301c9ca0f91424f64972c
Rhadamanthys
error
Rhadamanthys
+ 321 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:donutloader family:rhadamanthys discovery loader stealer
Link:
https://tria.ge/reports/250911-scd1csfk5s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Executes dropped EXE
Downloads MZ/PE file
Detects DonutLoader
Detects Rhadamanthys Payload
DonutLoader
Donutloader family
Rhadamanthys
Rhadamanthys family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c9b0353d-31a1-46bf-bd69-fff6212f6fad
Unpacked files
SH256 hash:
33c75708915a4da1096034f04b5531a5985ce1188a73d3b98135ba1804c217a9
MD5 hash:
abedfa6a0db84fec68715015f7f6475b
SHA1 hash:
1671484c3714d37212760b4cd0ff43a8bd5fc344
Link:
https://www.unpac.me/results/2689ffae-e263-4b31-81b6-5022e646cba1/
SH256 hash:
c9e2f9f04aded97ac6902991397dd78f17b651d08dc5f29d8e889dbd5c02746c
MD5 hash:
85702891b04babe57938cd3b7b4633f2
SHA1 hash:
714cca53fc171a812fc45813057ad7753d2cc678
Link:
https://www.unpac.me/results/2689ffae-e263-4b31-81b6-5022e646cba1/
SH256 hash:
37bead9a87d704618ad1f507d833d311a914afd166fa7db526a5d3885f6f8ad4
MD5 hash:
c5b656dec98ffc25c33ebd44773ecdea
SHA1 hash:
bf1783dec6d0aae1c2c9a73e5aa3596fd0c4e942
Link:
https://www.unpac.me/results/2689ffae-e263-4b31-81b6-5022e646cba1/
SH256 hash:
4f56c74032b71f5e523667f0cad97de31aefb53fd1b7f4c886a7a99fe2407a30
MD5 hash:
712ce730f96f8d5b1e5d8b4b41eca6aa
SHA1 hash:
37cf3a2307d7d84b70528ca71005fc04fb56bdd2
Link:
https://www.unpac.me/results/2689ffae-e263-4b31-81b6-5022e646cba1/
SH256 hash:
b910006cea197f661c19638e3b2c8cc6033e13cb87c91e6fd7e4b59b9e3ab335
MD5 hash:
71867d25f47d64416c00b201aa34961a
SHA1 hash:
2b837fc662c757c9b91a9fb8893498b08414ce1c
Link:
https://www.unpac.me/results/2689ffae-e263-4b31-81b6-5022e646cba1/
SH256 hash:
c05d685863850917187b7282aa9739b23d5b967cac411c1fbe122b13a24ce5fa
MD5 hash:
ba95de25f100739f3b28e0b80165e643
SHA1 hash:
e8b992ad23e4fac1698a530d835fd086a80cf238
Link:
https://www.unpac.me/results/2689ffae-e263-4b31-81b6-5022e646cba1/
SH256 hash:
0a486961e28607878bff2c9b7dd12ec6a45cebbb9adc4a7e2eb6714d118be1ed
MD5 hash:
bf2d16b484171f5a240eebd79c2b6b46
SHA1 hash:
744f8cc86880e35cd5534dee4b928d54bc6f2957
Link:
https://www.unpac.me/results/2689ffae-e263-4b31-81b6-5022e646cba1/
SH256 hash:
b785b5c9614deb53d722be38cfa949d5b0bc360d105c4d53a1be4f648324892c
MD5 hash:
c683830ecc56a96cf9047f4ea19904e1
SHA1 hash:
8f57bb573a537bc29bf6387474c57252b965dbeb
Link:
https://www.unpac.me/results/2689ffae-e263-4b31-81b6-5022e646cba1/
SH256 hash:
a9ba4dc32fdc8e34b2ff6fdcac361f1cb9b1ce258a343612dd6378a50027837a
MD5 hash:
c0f6847b5ddb86aa0093ba6f8bc6f221
SHA1 hash:
c0cc2273ac7cdca8a5ed3956b838a0927c0b36ee
Link:
https://www.unpac.me/results/2689ffae-e263-4b31-81b6-5022e646cba1/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a9ba4dc32fdc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a9ba4dc32fdc8e34b2ff6fdcac361f1cb9b1ce258a343612dd6378a50027837a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:adonunix2
Create hunting rule
Author:Tim Brown @timb_machine
Description:AD on UNIX
Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__MemoryWorkingSet
Create hunting rule
Author:Fernando Mercês
Description:Anti-debug process memory working set size check
Reference:http://www.gironsec.com/blog/2015/06/anti-debugger-trick-quicky/
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:ducktail
Create hunting rule
Author:Michelle Khalil
Description:This rule detects unpacked ducktail malware samples.
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:Jupyter_infostealer
Create hunting rule
Author:CD_R0M_
Description:Rule for Jupyter Infostealer/Solarmarker malware from september 2021-December 2022
Rule name:Lumma_Stealer_Detection
Create hunting rule
Author:ashizZz
Description:Detects a specific Lumma Stealer malware sample using unique strings and behaviors
Reference:https://seanthegeek.net/posts/compromized-store-spread-lumma-stealer-using-fake-captcha/
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:reverse_http
Create hunting rule
Author:CD_R0M_
Description:Identify strings with http reversed (ptth)
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:test_Malaysia
Create hunting rule
Author:rectifyq
Description:Detects file containing malaysia string
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe a9ba4dc32fdc8e34b2ff6fdcac361f1cb9b1ce258a343612dd6378a50027837a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3621936/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/26948/

Comments