MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ad6e391c61100fb92f8ad56d95d84b4cd6f08f0a258d0ff7977ae0a73e8e1eaf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ad6e391c61100fb92f8ad56d95d84b4cd6f08f0a258d0ff7977ae0a73e8e1eaf
SHA3-384 hash: 4f02d5cfe799e0fa1c234b0a274925caed2d013c8cbdb5cab88deea8512ad9316bcb9363d66211d155a51ac3183e726f
SHA1 hash: cb7a967403e4d364121ceca87e6c64f67b811f03
MD5 hash: 19d57e03e2f9d5da05a8f6edd5eb1e95
humanhash: carolina-grey-whiskey-papa
File name:19d57e03e2f9d5da05a8f6edd5eb1e95.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:1'842'176 bytes
First seen:2025-03-13 07:03:43 UTC
Last seen:2025-03-14 09:18:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:OqAEKzzJuGKGkpYrsPEvH1AXCL4ZS/l9y5AYQgVi:r7KJuGjJPlIuYQ
Threatray 223 similar samples on MalwareBazaar
TLSH T14B85383439EA502AB173EFA98BE475EADA6FB7733B03645D109103864723A81DDC153E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
3
# of downloads :
372
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
19d57e03e2f9d5da05a8f6edd5eb1e95.exe
Verdict:
Malicious activity
Analysis date:
2025-03-13 07:18:15 UTC
Tags:
rhadamanthys stealer shellcode
Link:
https://app.any.run/tasks/bb6918f9-1b3c-47ea-98b3-5c4ed750b1c9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67d28db13962f1a6f470b832
Tags:
virus micro msil
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Сreating synchronization primitives
Creating a process from a recently created file
Creating a file
Launching a process
Using the Windows Management Instrumentation requests
Connection attempt
Sending a custom TCP request
DNS request
Sending a UDP request
Reading critical registry keys
Unauthorized injection to a recently created process
Creating a window
Creating a file in the %AppData% subdirectories
Unauthorized injection to a system process
Stealing user critical data
Enabling autorun by creating a file
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
obfuscated
Link:
https://www.filescan.io/uploads/67d28369e95d0f9029e89d60/reports/20e548d2-a558-4bb4-af5c-74efe9168001/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/ad6e391c61100fb92f8ad56d95d84b4cd6f08f0a258d0ff7977ae0a73e8e1eaf
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/00fb553b-a7f4-49dd-9162-a28e3bac2081
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1636852
Signature
.NET source code contains very large strings
Antivirus / Scanner detection for submitted sample
C2 URLs / IPs found in malware configuration
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ad6e391c61100fb92f8ad56d95d84b4cd6f08f0a258d0ff7977ae0a73e8e1eaf
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ad6e391c61100fb92f8ad56d95d84b4cd6f08f0a258d0ff7977ae0a73e8e1eaf/
Threat name:
Win32.Trojan.BotX
Create hunting rule
Status:
Malicious
First seen:
2025-03-10 06:11:56 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
28 of 38 (73.68%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vvxdshdbcah3sl4k2vwzlwcljtlpbdykewgq754xplqkopuod2xq._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
donut_injector
Create hunting rule
Similar samples:
00b1dbb467fd9362fd4f5a3e76ef16f3b4abe4fb620e62aa00a7bdae67c0042a
Rhadamanthys
8651f126047222ca0273f9d0000681538a5847f7e4a45f62af497f934df014e1
Rhadamanthys
a6e44787ce9ccbcf4b60bb74db99a6f1954b0404f42de69b7b3294a3597e2848
Rhadamanthys
a88c153e1595f9d193b3f881ec77e0d7d338ae22c9f6e67ffdf39c3609fcdbf7
Rhadamanthys
b537b24d31cd6cf9809827248309a7710461831149b695cacea56fa7f9b49d79
Rhadamanthys
dabfe2b02c36b5f1a7f1c0d96798c944f69f84c4889e2e7e25655bb4d3894f31
Rhadamanthys
e2f944cbcda22e6fd727f93514d11a7885f4bae6c6c5f33630e737b7c861907e
Rhadamanthys
ec7bee464dfecee9727881acf530a1b649be2036b716f0859910f938f2e577dd
Rhadamanthys
error
Rhadamanthys
+ 213 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery
Link:
https://tria.ge/reports/250313-hvz1faznv8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e591904d-50f3-486d-9fd2-9932ea96aeed
Unpacked files
SH256 hash:
ad6e391c61100fb92f8ad56d95d84b4cd6f08f0a258d0ff7977ae0a73e8e1eaf
MD5 hash:
19d57e03e2f9d5da05a8f6edd5eb1e95
SHA1 hash:
cb7a967403e4d364121ceca87e6c64f67b811f03
Link:
https://www.unpac.me/results/f6f7f0cc-7311-48bf-9afb-534666bf0c1f/
SH256 hash:
08efeab4edd8948be3ffe4eeed489b00e871164a7a1ff43a887c9eb7cd7f52c7
MD5 hash:
5074258014dd60dce155acd36b80e1e3
SHA1 hash:
68912ff253458ebddd179b4a6b6d2d5e19f70819
Link:
https://www.unpac.me/results/f6f7f0cc-7311-48bf-9afb-534666bf0c1f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ad6e391c61100fb92f8ad56d95d84b4cd6f08f0a258d0ff7977ae0a73e8e1eaf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe ad6e391c61100fb92f8ad56d95d84b4cd6f08f0a258d0ff7977ae0a73e8e1eaf

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3475690/
  
Delivery method
Distributed via web download

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments