MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb3b307d85e0e4c237c2e2ddd4222f7a93cf769c9064c08cba0940d44d62436a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 13


Intelligence 13 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bb3b307d85e0e4c237c2e2ddd4222f7a93cf769c9064c08cba0940d44d62436a
SHA3-384 hash: 640b774d4e6186e06dc933c455f8f3f967c8bd01c00dd7212717e9a3f29384b9fd07e425c75796a90f53e7f53eb24e99
SHA1 hash: 52e5504b533c723399edfa888b687de181c20db6
MD5 hash: cf34ab8e64f88622e58cfab4d5d2a643
humanhash: missouri-jersey-autumn-carolina
File name:𝑺𝑬𝑻𝑼𝑷.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:2'847'248 bytes
First seen:2025-09-20 22:14:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9cbefe68f395e67356e2a5d8d1b285c0 (58 x LummaStealer, 49 x AuroraStealer, 35 x Vidar)
ssdeep 24576:eJ1iKcGeiNIH8dBJerOvSwJHdkYmVK8xlBe71TghpgZB+Yrytr:EiKcGrEiJWOqQHdj38te71sgZB+
Threatray 583 similar samples on MalwareBazaar
TLSH T10AD57DA6645038AAC9E4CE314971CDD077F06C28C7E993EF3670F6EB1A65DB60B27250
gimphash b5cf3d35535d9133eb6bf20c9e979b929203b9f9f501f80fa62c15fc3912a23b
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter aachum
Tags:77-105-161-114 exe Rhadamanthys


Avatar
iamaachum
https://mdera.rest/direct77-cp/?D2KZjIF?utm=1VSwjB => https://mega.nz/file/0B9ixICL#cIz2fqInoWjkpIE7ZOf1dOU1Tsh5x0l0C9gIIut99zw

Intelligence

File Origin
# of uploads :
1
# of downloads :
141
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c31b1f4a-bb9c-41b7-b9cd-7995c7824273
Verdict:
Malicious activity
Analysis date:
2025-09-20 23:05:23 UTC
Tags:
golang anti-evasion stealer rhadamanthys
Link:
https://app.any.run/tasks/c31b1f4a-bb9c-41b7-b9cd-7995c7824273

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/28476/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68cf27c1edb901a5f65480e5
Tags:
injection emotet obfusc virus
Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm golang invalid-signature redcap signed
Link:
https://www.filescan.io/uploads/68cf274373af424b47e8c555/reports/43953f41-ea4a-4f30-814b-ffe7c81bb8d3/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_90%
Link:
https://www.hybrid-analysis.com/sample/bb3b307d85e0e4c237c2e2ddd4222f7a93cf769c9064c08cba0940d44d62436a
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-09-20T06:28:00Z UTC
Last seen:
2025-09-20T06:28:00Z UTC
Hits:
~100
Link:
https://opentip.kaspersky.com/bb3b307d85e0e4c237c2e2ddd4222f7a93cf769c9064c08cba0940d44d62436a/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/54c18803-9e30-448d-80c9-f46c2d928633
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1781304
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Found potential dummy code loops (likely to delay analysis)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses Windows timers to delay execution
Writes to foreign memory regions
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
90%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/bb3b307d85e0e4c237c2e2ddd4222f7a93cf769c9064c08cba0940d44d62436a
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/cf34ab8e64f88622e58cfab4d5d2a643
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bb3b307d85e0e4c237c2e2ddd4222f7a93cf769c9064c08cba0940d44d62436a/
Threat name:
Win64.Spyware.Rhadamanthys
Create hunting rule
Status:
Malicious
First seen:
2025-09-20 17:09:00 UTC
File Type:
PE+ (Exe)
Extracted files:
10
AV detection:
21 of 38 (55.26%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xm5ta7mf4dsmen6c4lo5iirppkj465u4sbsmbdf2bfanitlcinva._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
018f9ba428f4e3360bb6ee7c42f5f475bda12ae71a430d603a4a5e8ea94fdcf9
Rhadamanthys
29ecf946a40c89dfae84770c96f483b151a636202ceaab43b1c8008f2adedbea
Rhadamanthys
419a94efe1f66bbc2244de83a034883751ae838f4ab7485c5475b6cf7e2e72a2
Rhadamanthys
6b5266685f3fe4ca9e4d7cf5b16b26fcae1c215eb9933eb471240d4daaecdaf5
Rhadamanthys
8b6cc989867108154391335d55fc5267007706203ca4eadab8ef5fe0cad10fbf
Rhadamanthys
99f9692c01489daaec146807f05e426b9dd73be2d880fb0a1648c0e990aaeb15
Rhadamanthys
a8b9acc89b79999ac9ff94155b6d040b56134d446f6ca934dc000ae8c09c9e9c
Rhadamanthys
c2d5e6e925c2450d4d5d8cba94c7570049a4da43647165fe9db23e009c977f91
Rhadamanthys
e2a94c188a5479f2239b8cecfaaba3c0fabffff51538727cc5b0bd9c8e059818
Rhadamanthys
error
Rhadamanthys
+ 573 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys discovery stealer
Link:
https://tria.ge/reports/250920-16kzrs1jw6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/04a7d763-4772-492e-a02c-2d69a541b921
Unpacked files
SH256 hash:
bb3b307d85e0e4c237c2e2ddd4222f7a93cf769c9064c08cba0940d44d62436a
MD5 hash:
cf34ab8e64f88622e58cfab4d5d2a643
SHA1 hash:
52e5504b533c723399edfa888b687de181c20db6
Link:
https://www.unpac.me/results/cbb7ebe9-db36-4189-88bb-87263417ccfb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/bb3b307d85e0e4c237c2e2ddd4222f7a93cf769c9064c08cba0940d44d62436a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe bb3b307d85e0e4c237c2e2ddd4222f7a93cf769c9064c08cba0940d44d62436a

(this sample)

  
Link
https://tria.ge/250920-1pz3csywcy/behavioral2
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/28476/

Comments