MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b336096493f848c365c0d6d903d6c0ed6d10e9ac059fa50a4df72cea36cbecfb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b336096493f848c365c0d6d903d6c0ed6d10e9ac059fa50a4df72cea36cbecfb
SHA3-384 hash: 3770383b91c9e4e060ed5247793ae0b61374e3958a872d24e67282e8f9674491eed9ff8cd7d9058bd7c043db81bce984
SHA1 hash: af76f08183d58ec40d1d121bcab37567809a2063
MD5 hash: 7cce4f9dc5ae76b66874193fa8472ebc
humanhash: arizona-gee-august-music
File name:random.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:2'093'056 bytes
First seen:2025-04-25 08:48:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep 49152:zwjlc5nWECb6la6hYPBtaey9XpxvQvGh+DHt6sNhei/YynM:z75nZlNYbaeKXUGh+Tt7NUiFM
TLSH T127A533715DC468F0C85905B34983CB8B7F3DDE68508E526B085361AD246BBE07FFAE68
TrID 29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
22.7% (.EXE) Win16 NE executable (generic) (5038/12/1)
20.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.1% (.EXE) OS/2 Executable (generic) (2029/13)
9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon 926b23534d61338c (51 x Rhadamanthys)
Reporter abuse_ch
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
423
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
a239f041983d2fe23a17b3df98cac2b6.exe
Verdict:
Malicious activity
Analysis date:
2025-04-25 06:03:40 UTC
Tags:
lumma stealer themida loader amadey botnet rdp github rhadamanthys telegram miner winring0x64-sys vuln-driver
Link:
https://app.any.run/tasks/44838b0d-1610-48e2-b98c-7c5a98890443

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/4038/
Detection(s):
SecuriteInfo.com.Trojan.Lumma-1.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=680b504da37ff28e12999b4d
Tags:
vmdetect virus zusy
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Searching for analyzing tools
Launching a process
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Connection attempt
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm entropy microsoft_visual_cc packed packed packer_detected rat virtual
Link:
https://www.filescan.io/uploads/680b4c8546fe05453ca6f224/reports/2ebab671-0e89-4da0-abe1-4cd2379a5f1f/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/b336096493f848c365c0d6d903d6c0ed6d10e9ac059fa50a4df72cea36cbecfb
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/2a663b2d-8944-460f-a14d-15b792cd25ff
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1673973
Signature
C2 URLs / IPs found in malware configuration
Detected unpacking (changes PE section rights)
Found malware configuration
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b336096493f848c365c0d6d903d6c0ed6d10e9ac059fa50a4df72cea36cbecfb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b336096493f848c365c0d6d903d6c0ed6d10e9ac059fa50a4df72cea36cbecfb/
Threat name:
Win32.Infostealer.Tinba
Create hunting rule
Status:
Malicious
First seen:
2025-04-25 08:49:19 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wm3aszet7bemgzoa23mqhvwa5vwrb2nmawp2kcsn64wounwl5t5q._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
error
Rhadamanthys
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion discovery
Link:
https://tria.ge/reports/250425-kq45ps11hx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks BIOS information in registry
Identifies Wine through registry keys
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3464a8d5-3f7b-47ff-ab12-1962b58f5367
Unpacked files
SH256 hash:
b336096493f848c365c0d6d903d6c0ed6d10e9ac059fa50a4df72cea36cbecfb
MD5 hash:
7cce4f9dc5ae76b66874193fa8472ebc
SHA1 hash:
af76f08183d58ec40d1d121bcab37567809a2063
Link:
https://www.unpac.me/results/f46ed194-2454-4d62-b4ee-2848434505f5/
SH256 hash:
9c4607a96551a53d7091801dccb426ee01cb10b32c0606bd29fbc491a77f1b39
MD5 hash:
fe10eff1703046c41faad0aa3749db0c
SHA1 hash:
2621d056349c13fba5831cd3646863033a616600
Link:
https://www.unpac.me/results/f46ed194-2454-4d62-b4ee-2848434505f5/
SH256 hash:
15de6a5ffd7c4de16e922f2c7c1ae667a3df4ad78f887736894508859111ce5c
MD5 hash:
b0fda768f570b4e9baae6c86073ce077
SHA1 hash:
5d8d3d706856f261ca6524ae368476d83ae69bff
Link:
https://www.unpac.me/results/f46ed194-2454-4d62-b4ee-2848434505f5/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b336096493f8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b336096493f848c365c0d6d903d6c0ed6d10e9ac059fa50a4df72cea36cbecfb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe b336096493f848c365c0d6d903d6c0ed6d10e9ac059fa50a4df72cea36cbecfb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3522987/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/4038/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_NXMissing Non-Executable Memory Protectioncritical

Comments