MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bdaf265aea5fcf3a334c394b1a2683363a4a58b2f222015f16e076aed162fdda. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bdaf265aea5fcf3a334c394b1a2683363a4a58b2f222015f16e076aed162fdda
SHA3-384 hash: 47f4a09824e84d3d2bd14a083474017ec31d29e1537e0ec9757d853c67d0965a229e4e2446487ceb6fb951a1f9897cb8
SHA1 hash: 32b300bac5bad77c6bf40cfba5307eecb1d3377f
MD5 hash: 7c7c094d529fdc9da0da6425700fbc69
humanhash: cup-mars-berlin-robert
File name:Cydqpke.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:17'899'000 bytes
First seen:2025-08-16 21:07:35 UTC
Last seen:2025-08-17 01:17:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash accae6d9af57db77b197e808f80d0e1d (2 x Rhadamanthys)
ssdeep 393216:CyBCZuKfBe8YNchVMY6R6rKEWkYO5NrzJVys5pCs:CyBVKfBqWl/rKE55NrzLrCs
Threatray 1 similar samples on MalwareBazaar
TLSH T14A0723D36DDEA2D0D89B4F2451C763CE20E2B7D985AD965E3AC98C031970F6A884D373
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon c6c2ccc4f4e0e0f8 (37 x PythonStealer, 21 x CrealStealer, 19 x Empyrean)
Reporter abuse_ch
Tags:exe Rhadamanthys signed

Code Signing Certificate

Organisation:TrumpBest DigiCert Trusted RSA4096 SHA256
Issuer:TrumpBest DigiCert Trusted RSA4096 SHA256
Algorithm:sha256WithRSAEncryption
Valid from:2025-08-16T14:09:57Z
Valid to:2026-08-16T14:29:57Z
Serial number: 16aaa81aa66f95bf402434dbaa32ce86
Thumbprint Algorithm:SHA256
Thumbprint: 94708408eb2f249ce3f09bd718f980f7f48c2f07afa4dc777ee8ec7ff7d00d4f
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
61
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
79a740c808c01ca343874efbe3d42bf614bc32b3b8812859e46a1a418db77daa.bin.exe
Verdict:
Malicious activity
Analysis date:
2025-08-16 15:20:06 UTC
Tags:
lumma stealer themida loader auto redline amadey botnet rdp auto-reg telegram gcleaner
Link:
https://app.any.run/tasks/d35d74d7-6328-4f52-a4fc-78da003ea931

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/21714/
Verdict:
Clean
Score:
84.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68a0f35ac2f5296a1a27a1e8
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Using the Windows Management Instrumentation requests
Detecting VM
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
obfuscated packed packed pyinstaller pyinstaller signed vmprotect
Link:
https://www.filescan.io/uploads/68a0f39dba1f5bb1e60c8fb6/reports/8eac37f9-6f5b-4ec4-9eb5-050cc9863c02/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/bdaf265aea5fcf3a334c394b1a2683363a4a58b2f222015f16e076aed162fdda
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1758568
Signature
AI detected suspicious PE digital signature
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect debuggers (CloseHandle check)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction (VM detection)
Uses Windows timers to delay execution
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
96%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/bdaf265aea5fcf3a334c394b1a2683363a4a58b2f222015f16e076aed162fdda
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/7c7c094d529fdc9da0da6425700fbc69
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bdaf265aea5fcf3a334c394b1a2683363a4a58b2f222015f16e076aed162fdda/
Verdict:
Malicious
Threat:
Trojan-PSW.Win32.Rhadamanthys
Link:
https://tip.neiki.dev/file/bdaf265aea5fcf3a334c394b1a2683363a4a58b2f222015f16e076aed162fdda
Threat name:
Win64.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-08-16 15:36:37 UTC
File Type:
PE+ (Exe)
Extracted files:
14
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xwxsmwxkl7htum2mhffrujudgy5euwfs6iracxyw4b3k5ulc7xna._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
bdaf265aea5fcf3a334c394b1a2683363a4a58b2f222015f16e076aed162fdda
Rhadamanthys
error
Rhadamanthys
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/250816-zzsklagp3y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of NtSetInformationThreadHideFromDebugger
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b4147e86-0951-4ac9-be91-cbdbba2613ab
Unpacked files
SH256 hash:
bdaf265aea5fcf3a334c394b1a2683363a4a58b2f222015f16e076aed162fdda
MD5 hash:
7c7c094d529fdc9da0da6425700fbc69
SHA1 hash:
32b300bac5bad77c6bf40cfba5307eecb1d3377f
Link:
https://www.unpac.me/results/8b79de5b-680d-4e44-86c3-f6bdd9bfdea0/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/bdaf265aea5f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/bdaf265aea5fcf3a334c394b1a2683363a4a58b2f222015f16e076aed162fdda

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe bdaf265aea5fcf3a334c394b1a2683363a4a58b2f222015f16e076aed162fdda

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3604846/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/21714/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW

Comments