MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0b48aa9568b6d148cd149808d410076dac5bfffe91ee07acb913377a86fe42c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Rhadamanthys


Vendor detections: 17



SHA256 hash: b0b48aa9568b6d148cd149808d410076dac5bfffe91ee07acb913377a86fe42c
SHA3-384 hash: 5b2dc6b0645ea4d86c25e4fa698dea9951f7a27f5ad2a3c99ae3e4ca45c7724d308280e95ea22c7ed1446a843b97c3f1
SHA1 hash: c408510fff6815ad8999af13579993131872d6b1
MD5 hash: f1e72a686f114183e7befd57c08722d3
humanhash: march-cup-delta-bakerloo
File name: Installer.exe
Signature: Rhadamanthys
File size: 3'050'376 bytes
First seen: 2025-09-22 18:45:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 979d4d3c19bd1d7e944b1ba868d6cce7 (24 x Rhadamanthys)
ssdeep 49152:J9LN5SQR4eiBeiJg92aaTCGhVOF6d26GmqZw7exg3c:JpbTR4Z5JoaJHA6E6+xgM
TLSH T137E5001FD94869D2C67193B32880915C8D2DBC2F7E10C65D669EBE33C73118B9A6C2BD
TrID 32.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
28.9% (.EXE) Win32 Executable (generic) (4504/4/1)
13.0% (.EXE) OS/2 Executable (generic) (2029/13)
12.8% (.EXE) Generic Win/DOS Executable (2002/3)
12.8% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter aachum
Tags: 178-16-53-236 exe openai-diversifies-with-ai-com Rhadamanthys


iamaachum
https://www.youtube.com/watch?v=t9-PN81_si0 => https://app.mediafire.com/folder/l35ds72x0o2t0

Intelligence


File Origin
# of uploads :
1
# of downloads :
91
Origin country :
ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Installer.exe
Verdict:
Malicious activity
Analysis date:
2025-09-22 18:49:59 UTC
Tags:
anti-evasion rhadamanthys stealer shellcode

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
96.5%
Tags:
obfusc crypt overt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for analyzing tools
Creating a window
Creating synchronization primitives
Launching a process
Using the Windows Management Instrumentation requests
Detecting VM
Sending a custom TCP request
DNS request
Connection attempt
Sending a UDP request
Unauthorized injection to a system process
Connection attempt to an infection source
Sending a TCP request to an infection source
Verdict:
Malicious
Threat level:
10/10
Confidence:
100%
Tags:
crypt invalid-signature microsoft_visual_cc obfuscated obfuscated packed packed packer_detected rhadamanthys signed themidawinlicense threat xpack
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-20T16:09:00Z UTC
Last seen:
2025-09-20T16:09:00Z UTC
Hits:
~100
Detections:
Trojan.Win32.Crypt.sb HEUR:Trojan.Win64.SBEscape.pef Trojan.Win64.SBEscape.sb Trojan.Win32.Strab.sb
Result
Threat name:
RHADAMANTHYS, Xmrig
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious PE digital signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Changes security center settings (notifications, updates, antivirus, firewall)
Checks if the current machine is a virtual machine (disk enumeration)
Deletes itself after installation
Disable Windows Defender notifications (registry)
Drops PE files with benign system names
Early bird code injection technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RHADAMANTHYS Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Behavior Graph ID: 1782239
Sample: Installer.exe
Startdate: 22/09/2025
Architecture: WINDOWS
Score: 100

Start node
  Network: x.ns.gin.ntt.net; twc.trafficmanager.net; 8 other IPs or domains
  Signatures: Antivirus detection for URL or domain; Antivirus detection for dropped file; Antivirus / Scanner detection for submitted sample; 9 other signatures
  Started: Installer.exe; msedge.exe; svchost.exe; 10 other processes

Installer.exe
  Signatures: Query firmware table information (likely to detect VMs); Tries to detect sandboxes and other dynamic analysis tools (window names); Found many strings related to Crypto-Wallets (likely being stolen); 3 other signatures
  Started: OpenWith.exe

msedge.exe
  Network: 192.168.2.25 unknown unknown; 192.168.2.8, 443, 49681, 49682 unknown unknown; 239.255.255.250 unknown Reserved
  Dropped: C:\Users\user\AppData\...\widevinecdm.dll, PE32+
  Started: msedge.exe (4 child processes)

msedge.exe (child)
  Network: s-part-0042.t-0009.t-msedge.net 13.107.246.70, 443, 49735, 49736 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; s-part-0042.t-0009.fb-t-msedge.net 13.107.253.70, 443, 49728, 49739 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; 11 other IPs or domains

svchost.exe
  Signatures: Changes security center settings (notifications, updates, antivirus, firewall)

OpenWith.exe
  Network: openai-diversifies-with-ai.com 178.16.53.243, 49701, 6343 DUSNET-ASDE Germany; cloudflare-dns.com 104.16.249.249, 443, 49700, 49743 CLOUDFLARENETUS United States
  Signatures: Query firmware table information (likely to detect VMs); Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines); Deletes itself after installation; 3 other signatures
  Started: dllhost.exe

dllhost.exe
  Network: openai-diversifies-with-ai.com; ntp1.net.berkeley.edu 169.229.128.134 UCBUS United States; 8 other IPs or domains
  Dropped: C:\Users\user\AppData\Local\...\rH{Lh{b-.exe, PE32+; C:\Users\user\AppData\...\Y07{3PP9uP.exe, PE32+
  Signatures: System process connects to network (likely due to code injection or exploit); Early bird code injection technique detected; Found many strings related to Crypto-Wallets (likely being stolen); 3 other signatures
  Started: rH{Lh{b-.exe; Y07{3PP9uP.exe; chrome.exe; 2 other processes (including msedge.exe)

rH{Lh{b-.exe
  Dropped: C:\ProgramData\Microsoft\...\WmiPrvSE.exe, PE32+
  Signatures: Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Query firmware table information (likely to detect VMs); 4 other signatures
  Started: powershell.exe; cmd.exe; sc.exe; 9 other processes (including conhost.exe x3 and 6 other processes)

Y07{3PP9uP.exe
  Dropped: C:\Users\user\AppData\Roaming\...\svchost.exe, PE32+
  Signatures: Queries memory information (via WMI often done to detect virtual machines); Drops PE files with benign system names

chrome.exe
  Started: chrome.exe (2 child processes)
  Child chrome.exe network: googlehosted.l.googleusercontent.com 142.250.73.97, 443, 49713, 49714 GOOGLEUS United States; 127.0.0.1 unknown unknown; clients2.googleusercontent.com

powershell.exe
  Signatures: Loading BitLocker PowerShell Module
  Started: conhost.exe; WmiPrvSE.exe

cmd.exe
  Started: net.exe; conhost.exe
  net.exe started: net1.exe

sc.exe
  Started: conhost.exe
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Threat name:
Win32.Spyware.Rhadamanthys
Status:
Malicious
First seen:
2025-09-21 11:27:00 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
28 of 38 (73.68%)
Threat level:
2/5
Verdict:
malicious
Label(s):
rhadamanthys
Similar samples:
Result
Malware family:
rhadamanthys
Score:
10/10
Tags:
family:rhadamanthys defense_evasion discovery stealer themida trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Checks BIOS information in registry
Deletes itself
Themida packer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SHA256 hash:
b0b48aa9568b6d148cd149808d410076dac5bfffe91ee07acb913377a86fe42c
MD5 hash:
f1e72a686f114183e7befd57c08722d3
SHA1 hash:
c408510fff6815ad8999af13579993131872d6b1
SHA256 hash:
a9fcfa5ee948bba07d2fedc0012fd24055934cc7555a178fb9a8ce600aebde5c
MD5 hash:
704977489c7f1d1d3b0f85a1125e41b2
SHA1 hash:
1c78e77e7eed68b8cd546ea66b95f7eaa8a0690c
Detections:
INDICATOR_EXE_Packed_Themida
Malware family:
Rhadamanthys
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name: INDICATOR_EXE_Packed_Themida
Author: ditekSHen
Description: Detects executables packed with Themida
Rule name: PE_Digital_Certificate
Author: albertzsigovits

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe b0b48aa9568b6d148cd149808d410076dac5bfffe91ee07acb913377a86fe42c

(this sample)

Delivery method
Distributed via web download
