MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b87a083343939a8260bb395af58b09dd699f8a4525aa8f6786210c3b1c691653. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 17


Intelligence 17 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b87a083343939a8260bb395af58b09dd699f8a4525aa8f6786210c3b1c691653
SHA3-384 hash: 00c387099938b8002896da1e9b74bf0e0f22e328f19f14e619a9e1c42bef8c69646811a9a3cea6eb08f03a7c0da8100d
SHA1 hash: 9e5bb000787c8ff082748de02dfe3ba59f9bbb12
MD5 hash: 8444a33d0ede27e48a20ce65d8ac6e2b
humanhash: delaware-batman-hot-nuts
File name:Bootstrapper.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:1'562'866 bytes
First seen:2025-09-11 14:56:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash b729b61eb1515fcf7b3e511e4e66258b (70 x LummaStealer, 16 x Rhadamanthys, 8 x Adware.Generic)
ssdeep 24576:QVDgYboCi4BMfehDDVnidHiPm12DbTb8oEJUFI1ycuyWA99zuwIvNOYRMF:QNoCiGMWyMPS8b8oxcd5zuwIvNOPF
Threatray 584 similar samples on MalwareBazaar
TLSH T175753313F445502BF6FA4FF38E821AB1CD5FC9119B726E767B2025952EF3642228C936
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter abuse_ch
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
106
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Bootstrapper.exe
Verdict:
Malicious activity
Analysis date:
2025-09-11 09:52:15 UTC
Tags:
autoit lumma stealer anti-evasion
Link:
https://app.any.run/tasks/46e6607f-b10b-4b0f-84a5-5fdd9abfa4d9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/26946/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c29bce6e66ba602d7a5657
Tags:
autoit emotet cobalt spoof
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Searching for the window
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Sending a custom TCP request
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a process from a recently created file
DNS request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug blackhole installer microsoft_visual_cc nsis overlay
Link:
https://www.filescan.io/uploads/68c2e338dbc6f5a29c403832/reports/2e91ce00-4c21-4283-a2b8-04958e0124e7/overview
Verdict:
Malicious
Labled as:
Malware.Rhadamanthys
Link:
https://www.hybrid-analysis.com/sample/b87a083343939a8260bb395af58b09dd699f8a4525aa8f6786210c3b1c691653
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-11T06:28:00Z UTC
Last seen:
2025-09-11T06:28:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Script.AUO.gen HEUR:Backdoor.Win32.Agent.gen Backdoor.Agent.UDP.C&C HEUR:Trojan.Script.Generic
Link:
https://opentip.kaspersky.com/b87a083343939a8260bb395af58b09dd699f8a4525aa8f6786210c3b1c691653/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/0e9368d1-d28c-44ef-a222-b73ebe54f2f5
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1775735
Signature
Detected CypherIt Packer
Drops PE files with a suspicious file extension
Early bird code injection technique detected
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Search for Antivirus process
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1775735 Sample: Bootstrapper.exe Startdate: 11/09/2025 Architecture: WINDOWS Score: 100 87 ts1.aco.net 2->87 89 time.google.com 2->89 91 9 other IPs or domains 2->91 115 Multi AV Scanner detection for submitted file 2->115 117 Yara detected RHADAMANTHYS Stealer 2->117 119 Sigma detected: Search for Antivirus process 2->119 121 Joe Sandbox ML detected suspicious sample 2->121 12 Bootstrapper.exe 25 2->12         started        15 msedge.exe 2->15         started        18 elevation_service.exe 2->18         started        20 3 other processes 2->20 signatures3 process4 dnsIp5 73 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 12->73 dropped 22 cmd.exe 1 12->22         started        101 192.168.2.10 unknown unknown 15->101 103 192.168.2.9, 123, 138, 443 unknown unknown 15->103 105 239.255.255.250 unknown Reserved 15->105 25 msedge.exe 15->25         started        28 msedge.exe 15->28         started        30 msedge.exe 15->30         started        32 msedge.exe 15->32         started        file6 process7 dnsIp8 123 Detected CypherIt Packer 22->123 125 Drops PE files with a suspicious file extension 22->125 34 cmd.exe 4 22->34         started        37 conhost.exe 22->37         started        95 s-part-0041.t-0009.t-msedge.net 13.107.246.69, 443, 49711 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 25->95 97 s-part-0041.t-0009.fb-t-msedge.net 13.107.253.69, 443, 49721, 49722 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 25->97 99 11 other IPs or domains 25->99 signatures9 process10 file11 71 C:\Users\user\AppData\Local\Temp\...\Demo.pif, PE32 34->71 dropped 39 Demo.pif 34->39         started        43 extrac32.exe 17 34->43         started        45 tasklist.exe 1 34->45         started        47 2 other processes 34->47 process12 dnsIp13 93 5.101.84.98, 49691, 49731, 49732 PINDC-ASRU Russian Federation 39->93 129 Found many strings related to Crypto-Wallets (likely being stolen) 39->129 131 Switches to a custom stack to bypass stack traces 39->131 133 Found direct / indirect Syscall (likely to bypass EDR) 39->133 49 dllhost.exe 6 39->49         started        53 WerFault.exe 2 39->53         started        signatures14 process15 dnsIp16 81 ntp1.net.berkeley.edu 169.229.128.134, 123, 55905 UCBUS United States 49->81 83 ntp.time.nl 94.198.159.10, 123, 55905 SIDNNL Netherlands 49->83 85 6 other IPs or domains 49->85 107 Early bird code injection technique detected 49->107 109 Found many strings related to Crypto-Wallets (likely being stolen) 49->109 111 Tries to harvest and steal browser information (history, passwords, etc) 49->111 113 2 other signatures 49->113 55 chrome.exe 1 49->55         started        58 msedge.exe 49->58         started        60 chrome.exe 49->60         started        62 wmprph.exe 49->62         started        signatures17 process18 signatures19 127 Found many strings related to Crypto-Wallets (likely being stolen) 55->127 64 chrome.exe 55->64         started        67 chrome.exe 55->67         started        69 msedge.exe 58->69         started        process20 dnsIp21 75 142.250.72.161, 443, 49704 GOOGLEUS United States 64->75 77 127.0.0.1 unknown unknown 64->77 79 2 other IPs or domains 64->79
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/b87a083343939a8260bb395af58b09dd699f8a4525aa8f6786210c3b1c691653
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/8444a33d0ede27e48a20ce65d8ac6e2b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b87a083343939a8260bb395af58b09dd699f8a4525aa8f6786210c3b1c691653/
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/b87a083343939a8260bb395af58b09dd699f8a4525aa8f6786210c3b1c691653
Threat name:
Win32.Spyware.Rhadamanthys
Create hunting rule
Status:
Suspicious
First seen:
2025-09-11 09:52:16 UTC
File Type:
PE (Exe)
Extracted files:
21
AV detection:
14 of 24 (58.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xb5aqm2dsonieyf3hfnplcyj3vuz7csfewvi6z4geegdwhdjczjq._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
018f9ba428f4e3360bb6ee7c42f5f475bda12ae71a430d603a4a5e8ea94fdcf9
Rhadamanthys
29ecf946a40c89dfae84770c96f483b151a636202ceaab43b1c8008f2adedbea
Rhadamanthys
34adda0535a9e54bbc979c755bf7a4cd69aa5a1cf82f8a4ed60b8be068fb0977
Rhadamanthys
3c2d3dd2705831ed8bd4fc730ee21877b8a28b54455c0332e3eeba157707bcb7
Rhadamanthys
6b5266685f3fe4ca9e4d7cf5b16b26fcae1c215eb9933eb471240d4daaecdaf5
Rhadamanthys
8b6cc989867108154391335d55fc5267007706203ca4eadab8ef5fe0cad10fbf
Rhadamanthys
8c0f64db543f26deab78ab96659cf4bf1bdae96df9baf5406f16ed85791b98bf
Rhadamanthys
99f9692c01489daaec146807f05e426b9dd73be2d880fb0a1648c0e990aaeb15
Rhadamanthys
e2a94c188a5479f2239b8cecfaaba3c0fabffff51538727cc5b0bd9c8e059818
Rhadamanthys
error
Rhadamanthys
+ 574 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys discovery stealer
Link:
https://tria.ge/reports/250911-sbe62a1kv6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Executes dropped EXE
Loads dropped DLL
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ed9f6b8f-518f-4310-b491-592eb869242e
Unpacked files
SH256 hash:
b87a083343939a8260bb395af58b09dd699f8a4525aa8f6786210c3b1c691653
MD5 hash:
8444a33d0ede27e48a20ce65d8ac6e2b
SHA1 hash:
9e5bb000787c8ff082748de02dfe3ba59f9bbb12
Link:
https://www.unpac.me/results/5c44d3c8-e2fb-4829-afa8-07df59930e6d/
SH256 hash:
bb4fb924885b8d6719cb88e7f231abcbb7c2a1c69be92a12ce7bb56bed9129e3
MD5 hash:
094ae615109634f48bede4a612e36fc8
SHA1 hash:
a8b8cbf4d8a7f368b3ae53090bab40a2793657eb
Link:
https://www.unpac.me/results/5c44d3c8-e2fb-4829-afa8-07df59930e6d/
SH256 hash:
8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af
MD5 hash:
08e9796ca20c5fc5076e3ac05fb5709a
SHA1 hash:
07971d52dcbaa1054060073571ced046347177f7
Link:
https://www.unpac.me/results/5c44d3c8-e2fb-4829-afa8-07df59930e6d/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/b87a08334393/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b87a083343939a8260bb395af58b09dd699f8a4525aa8f6786210c3b1c691653

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/26946/

Comments