MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b42256e6754cb643a01f720cbf4946fca672f9fadcf09c975497ca2d8c9d2325. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b42256e6754cb643a01f720cbf4946fca672f9fadcf09c975497ca2d8c9d2325
SHA3-384 hash: 17d4d2ce688cf23bb7bde252bbe2d8bda6e369690a9a97ba152d50cb1e0323b6ae5a7d99962682e460dc4d42a6deb307
SHA1 hash: 2ab5c40198e37fdf6ac36a15151de8ac89ffdd53
MD5 hash: fb10901af737f27bd609657a20a974ba
humanhash: vegan-mississippi-virginia-diet
File name:LuxuryLoader.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:10'146'184 bytes
First seen:2025-08-01 19:52:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e07647ab48d4be367afc7221135c1e04 (12 x Rhadamanthys)
ssdeep 196608:vhFDVBUFYnAFwAku/yMQw+s78taxAgRNn6bCKPZtL6s9nz2v5XQIn4xezp5Ml/XZ:ZFVjZ6/yMlCER4pLVCXQkJg
TLSH T1C3A6338709FB51F4DEC12570C52B6FCB37F245A64D808D34BBC5388ADA91FA7A06A907
TrID 28.5% (.EXE) Win64 Executable (generic) (10522/11/4)
17.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
13.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.2% (.EXE) Win32 Executable (generic) (4504/4/1)
5.6% (.EXE) Win16/32 Executable Delphi generic (2072/23)
Magika pebin
Reporter burger
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
48
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
LuxuryLoader.exe
Verdict:
Malicious activity
Analysis date:
2025-08-01 19:52:12 UTC
Tags:
rhadamanthys stealer shellcode
Link:
https://app.any.run/tasks/42c97428-53d4-41c3-87e6-45d854cdb393

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/18371/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=688d1aed0b4775fb2134c396
Tags:
injection escape virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Using the Windows Management Instrumentation requests
Detecting VM
DNS request
Connection attempt
Sending a custom TCP request
Sending a UDP request
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
invalid-signature overlay packed signed
Link:
https://www.filescan.io/uploads/688d1b0473b8ef6f4afa5aa0/reports/ed278393-f9d7-4ff9-b799-a709718be65a/overview
Verdict:
Malicious
Labled as:
Kelios.Generic
Link:
https://www.hybrid-analysis.com/sample/b42256e6754cb643a01f720cbf4946fca672f9fadcf09c975497ca2d8c9d2325
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/9219dc5f-befe-4fe2-89b8-4ece136bf97f
Result
Threat name:
RHADAMANTHYS, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1748748
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious PE digital signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Checks if the current machine is a virtual machine (disk enumeration)
Deletes itself after installation
Detected Stratum mining protocol
Disable Windows Defender notifications (registry)
Early bird code injection technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RHADAMANTHYS Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1748748 Sample: LuxuryLoader.exe Startdate: 01/08/2025 Architecture: WINDOWS Score: 100 104 x.ns.gin.ntt.net 2->104 106 ts1.aco.net 2->106 108 8 other IPs or domains 2->108 148 Multi AV Scanner detection for submitted file 2->148 150 Yara detected RHADAMANTHYS Stealer 2->150 152 Yara detected Xmrig cryptocurrency miner 2->152 154 6 other signatures 2->154 12 LuxuryLoader.exe 2->12         started        15 svchost.exe 2->15         started        17 msedge.exe 2->17         started        20 11 other processes 2->20 signatures3 process4 dnsIp5 176 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 12->176 178 Found many strings related to Crypto-Wallets (likely being stolen) 12->178 180 Switches to a custom stack to bypass stack traces 12->180 22 OpenWith.exe 12->22         started        182 Changes security center settings (notifications, updates, antivirus, firewall) 15->182 100 239.255.255.250 unknown Reserved 17->100 26 msedge.exe 17->26         started        28 msedge.exe 17->28         started        30 msedge.exe 17->30         started        32 msedge.exe 17->32         started        102 127.0.0.1 unknown unknown 20->102 34 conhost.exe 20->34         started        36 schtasks.exe 20->36         started        signatures6 process7 dnsIp8 110 nexus-cloud-360.com 22->110 112 185.141.216.120, 1888, 49701 GSWIFTTR Turkey 22->112 114 cloudflare-dns.com 104.16.248.249, 443, 49700, 49746 CLOUDFLARENETUS United States 22->114 156 Query firmware table information (likely to detect VMs) 22->156 158 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 22->158 160 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 22->160 162 4 other signatures 22->162 38 dllhost.exe 8 22->38         started        43 chrome.exe 22->43         started        45 chrome.exe 22->45         started        116 192.168.2.8, 1888, 443, 49673 unknown unknown 26->116 118 s-part-0012.t-0009.t-msedge.net 13.107.246.40, 443, 49725, 49728 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 26->118 120 9 other IPs or domains 26->120 signatures9 process10 dnsIp11 122 nexus-cloud-360.com 38->122 124 ntp1.net.berkeley.edu 169.229.128.134 UCBUS United States 38->124 132 9 other IPs or domains 38->132 92 C:\Users\user\AppData\Local\...\}Cl.exe, PE32+ 38->92 dropped 94 C:\Users\user\AppData\Local\...\5oA4.exe, PE32 38->94 dropped 164 System process connects to network (likely due to code injection or exploit) 38->164 166 Early bird code injection technique detected 38->166 168 Found many strings related to Crypto-Wallets (likely being stolen) 38->168 170 3 other signatures 38->170 47 }Cl.exe 38->47         started        51 5oA4.exe 38->51         started        53 setup_wm.exe 38->53         started        55 3 other processes 38->55 126 142.251.41.1, 443, 49716 GOOGLEUS United States 43->126 128 googlehosted.l.googleusercontent.com 43->128 130 clients2.googleusercontent.com 43->130 file12 signatures13 process14 file15 96 C:\ProgramData\Microsoft\...\WmiPrvSE.exe, PE32+ 47->96 dropped 134 Query firmware table information (likely to detect VMs) 47->134 136 Modifies windows update settings 47->136 138 Adds a directory exclusion to Windows Defender 47->138 146 2 other signatures 47->146 57 cmd.exe 47->57         started        60 powershell.exe 47->60         started        62 sc.exe 47->62         started        70 3 other processes 47->70 98 C:\Users\user\AppData\...\UserOOBEBroker.exe, PE32 51->98 dropped 140 Antivirus detection for dropped file 51->140 64 cmd.exe 51->64         started        66 cmd.exe 51->66         started        142 Writes to foreign memory regions 53->142 144 Allocates memory in foreign processes 53->144 68 msedge.exe 55->68         started        signatures16 process17 signatures18 172 Uses schtasks.exe or at.exe to add and modify task schedules 57->172 72 net.exe 57->72         started        74 conhost.exe 57->74         started        174 Loading BitLocker PowerShell Module 60->174 76 conhost.exe 60->76         started        78 WmiPrvSE.exe 60->78         started        80 conhost.exe 62->80         started        82 conhost.exe 64->82         started        84 schtasks.exe 64->84         started        86 2 other processes 66->86 88 3 other processes 70->88 process19 process20 90 net1.exe 72->90         started       
Score:
92%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b42256e6754cb643a01f720cbf4946fca672f9fadcf09c975497ca2d8c9d2325
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 32 Exe x86
Link:
https://app.malva.re/file/fb10901af737f27bd609657a20a974ba
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b42256e6754cb643a01f720cbf4946fca672f9fadcf09c975497ca2d8c9d2325/
Verdict:
Malicious
Threat:
Family.RHADAMANTHYS
Link:
https://tip.neiki.dev/file/b42256e6754cb643a01f720cbf4946fca672f9fadcf09c975497ca2d8c9d2325
Threat name:
Win32.Trojan.Kelios
Create hunting rule
Status:
Malicious
First seen:
2025-08-01 19:52:48 UTC
File Type:
PE (Exe)
AV detection:
25 of 37 (67.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wqrfnztvjs3ehia7oigl6skg7sthf6p23tyjzf2us7fc3de5emsq._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
error
Rhadamanthys
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys discovery stealer
Link:
https://tria.ge/reports/250801-ylkgdsfn2z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Deletes itself
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c86c5d8c-f9c1-4b81-981b-df04593370c8
Unpacked files
SH256 hash:
b42256e6754cb643a01f720cbf4946fca672f9fadcf09c975497ca2d8c9d2325
MD5 hash:
fb10901af737f27bd609657a20a974ba
SHA1 hash:
2ab5c40198e37fdf6ac36a15151de8ac89ffdd53
Link:
https://www.unpac.me/results/87534bf2-2ac4-4357-9419-b6c3dfab9d40/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b42256e6754c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/b42256e6754cb643a01f720cbf4946fca672f9fadcf09c975497ca2d8c9d2325

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/18371/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileMappingW

Comments