MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 afc1e21b00f5d45ce5a59ad5ee01dacf4ed1959e11c17ccbc8d344437722e057. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: afc1e21b00f5d45ce5a59ad5ee01dacf4ed1959e11c17ccbc8d344437722e057
SHA3-384 hash: a36dda60e399090e0fdf8fa1761b37f06c7e18c5833845efccd45714191f677ee3bf479bd5fe8f5afd44f4e2505c434f
SHA1 hash: 0eb0de2a61d21c73e0f946280f85978b8045709d
MD5 hash: a96da833d9a32d5fe1da8fb1b0f15d63
humanhash: vegan-william-whiskey-zebra
File name:li.mkv.hta
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:2'236 bytes
First seen:2025-09-16 19:24:40 UTC
Last seen:Never
File type:HTML Application (hta) hta
MIME type:text/html
ssdeep 48:hr7jE9WR2177SZLr7ScyDVFjx1703yJcQNY0hvETYwvQwNV2lAC7:J7mww7SZVyDVFjx170CJcZ0Z45B2ll
TLSH T160416B7590707E808B6C3B50137B39B90170A0A79725CB12EB4408F235BAFF6FE656E9
Magika html
Reporter aachum
Tags:185-141-216-98 ClickFix FakeCaptcha hta Rhadamanthys


Avatar
iamaachum
https://pub-1437548a322d4c35be5299d258f652b9.r2.dev/BE15SEQPHGDJ72Jksd623N-G00gle-C%40ptcha-15-2.html => http://202.71.14.75/li.mkv

Intelligence

File Origin
# of uploads :
1
# of downloads :
318
Origin country :
ES ES
Vendor Threat Intelligence
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c9ba29d49ea3f1e4b69655
Tags:
ransomware obfuscate xtreme
Result
Verdict:
Malicious
File Type:
HTA File - Malicious
Link:
https://app.docguard.net/afc1e21b00f5d45ce5a59ad5ee01dacf4ed1959e11c17ccbc8d344437722e057/results/dashboard
Behaviour
BlacklistAPI detected
Verdict:
Malicious
Labled as:
Exploit.HTML
Link:
https://www.hybrid-analysis.com/sample/afc1e21b00f5d45ce5a59ad5ee01dacf4ed1959e11c17ccbc8d344437722e057
Verdict:
Malicious
File Type:
html
First seen:
2025-09-16T06:44:00Z UTC
Last seen:
2025-09-16T06:44:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/afc1e21b00f5d45ce5a59ad5ee01dacf4ed1959e11c17ccbc8d344437722e057/results?tab=lookup
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1778805
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Encrypted powershell cmdline option found
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Powershell drops PE file
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1778805 Sample: li.mkv.hta Startdate: 16/09/2025 Architecture: WINDOWS Score: 100 29 diravo.com 2->29 41 Found malware configuration 2->41 43 Antivirus detection for URL or domain 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 6 other signatures 2->47 9 mshta.exe 2->9         started        signatures3 process4 signatures5 49 Encrypted powershell cmdline option found 9->49 12 powershell.exe 15 19 9->12         started        process6 dnsIp7 33 diravo.com 104.21.73.245, 443, 49689 CLOUDFLARENETUS United States 12->33 27 C:\Users\user\AppData\Local\...\eutropic.exe, PE32+ 12->27 dropped 51 Powershell drops PE file 12->51 17 eutropic.exe 12->17         started        20 OpenWith.exe 12->20         started        23 conhost.exe 12->23         started        file8 signatures9 process10 dnsIp11 35 Multi AV Scanner detection for dropped file 17->35 37 Potentially malicious time measurement code found 17->37 31 185.141.216.98, 443, 49690 GSWIFTTR Turkey 20->31 39 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 20->39 25 WerFault.exe 2 20->25         started        signatures12 process13
Score:
94%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/afc1e21b00f5d45ce5a59ad5ee01dacf4ed1959e11c17ccbc8d344437722e057
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Base64 Block Contains Base64 Block Html PowerShell
Link:
https://app.malva.re/file/a96da833d9a32d5fe1da8fb1b0f15d63
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/afc1e21b00f5d45ce5a59ad5ee01dacf4ed1959e11c17ccbc8d344437722e057/
Threat name:
Document-HTML.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-09-16 17:18:57 UTC
File Type:
Text (HTML)
Extracted files:
1
AV detection:
6 of 24 (25.00%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=v7a6egya6xkfzznftlk64ao2z5hndfm6chaxzs6i2nceg5zc4blq._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery
Link:
https://tria.ge/reports/250916-x5mv7axqt3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Executes dropped EXE
Badlisted process makes network request
Downloads MZ/PE file
Suspicious use of NtCreateUserProcessOtherParentProcess
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/afc1e21b00f5d45ce5a59ad5ee01dacf4ed1959e11c17ccbc8d344437722e057

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

HTML Application (hta) hta afc1e21b00f5d45ce5a59ad5ee01dacf4ed1959e11c17ccbc8d344437722e057

(this sample)

Rhadamanthys

Executable exe d99f5dd0397a316ee7d28af1e8f5e5c558cacf00d3d21b10ef8135c94c9e3034

  
Link
https://tria.ge/250916-xy2e1ahk8s/behavioral2
  
Delivery method
Distributed via web download
  
Dropping
SHA256 d99f5dd0397a316ee7d28af1e8f5e5c558cacf00d3d21b10ef8135c94c9e3034
  
Dropping
MD5 609db88b10dfd7d51a6a4f3f335557f0

Comments