MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be93b3ae61347fd63f5e3a3797569175ee243b9d43b676c6f12c84101dab1bf5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 14


Intelligence 14 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: be93b3ae61347fd63f5e3a3797569175ee243b9d43b676c6f12c84101dab1bf5
SHA3-384 hash: 9077839e1824c959c70cabd91662887d9dbc72e89d96a46cdea328177afbb5443245ce7fe018ff9dee7e53e8d0616122
SHA1 hash: e5b4f308cdb4982d6da8a52b0fa1dfb9024d3e3d
MD5 hash: f466536c5e1b7a07a2359cd40b7d8843
humanhash: social-floor-cold-bakerloo
File name:Aeternus.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:1'969'040 bytes
First seen:2025-08-19 08:34:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 91802a615b3a5c4bcc05bc5f66a5b219 (18 x Glupteba, 6 x Rhadamanthys, 3 x CobaltStrike)
ssdeep 24576:2eBN/2UYSJBPSXh7m4LZSfitqgxMIxPnm+mjXPB6F:2eBp2UXJcXBm4LYJgxMIhm3NU
TLSH T19F955B03BCD634BDE5FDE132AAA56730763378BA43336783168721AD4965BE47A2D304
gimphash 2b0d28bf13c4f62bdca1707d5fb13e8fa4d1f20f0e705862b1a2df5941a2b933
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
dhash icon e0f0f0f0b2b2b0f0 (5 x Rhadamanthys, 1 x LummaStealer)
Reporter burger
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
65
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Aeternus.exe
Verdict:
Malicious activity
Analysis date:
2025-08-19 08:34:09 UTC
Tags:
golang rhadamanthys shellcode
Link:
https://app.any.run/tasks/7f44bada-0244-4c3a-b402-4579deb78484

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/22134/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68a43721c2f5296a1a2845bc
Tags:
injection obfusc virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Сreating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm expired-cert golang invalid-signature self-signed-cert short-lived-cert signed threat
Link:
https://www.filescan.io/uploads/68a43727419c816a6e8bb0cd/reports/ec33244b-5701-4c13-bfb4-8c224090613e/overview
Verdict:
Malicious
Labled as:
WinGo/Injector.FU trojan
Link:
https://www.hybrid-analysis.com/sample/be93b3ae61347fd63f5e3a3797569175ee243b9d43b676c6f12c84101dab1bf5
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/36e23f37-ca5a-4892-bc71-7a43574c334f
Result
Threat name:
RHADAMANTHYS, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1759994
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Disable Windows Defender notifications (registry)
Early bird code injection technique detected
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies power options to not sleep / hibernate
Modifies windows update settings
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RHADAMANTHYS Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1759994 Sample: Aeternus.exe Startdate: 19/08/2025 Architecture: WINDOWS Score: 100 93 x.ns.gin.ntt.net 2->93 95 twc.trafficmanager.net 2->95 97 5 other IPs or domains 2->97 113 Found malware configuration 2->113 115 Antivirus detection for dropped file 2->115 117 Multi AV Scanner detection for submitted file 2->117 119 8 other signatures 2->119 11 Aeternus.exe 2->11         started        14 cmd.exe 2->14         started        16 svchost.exe 3 4 2->16         started        18 4 other processes 2->18 signatures3 process4 signatures5 151 Writes to foreign memory regions 11->151 153 Injects a PE file into a foreign processes 11->153 20 dllhost.exe 5 11->20         started        25 OpenWith.exe 11->25         started        27 CredentialUIBroker.exe 11->27         started        29 conhost.exe 14->29         started        31 schtasks.exe 14->31         started        33 WerFault.exe 2 16->33         started        process6 dnsIp7 99 ntp.time.nl 94.198.159.10, 123, 60687 SIDNNL Netherlands 20->99 101 x.ns.gin.ntt.net 129.250.35.250, 123, 60687 NTT-COMMUNICATIONS-2914US United States 20->101 105 6 other IPs or domains 20->105 89 C:\Users\user\AppData\Local\...\lL5t0)1.exe, PE32+ 20->89 dropped 91 C:\Users\user\AppData\Local\...\2Nrm6FH.exe, PE32 20->91 dropped 139 Early bird code injection technique detected 20->139 141 Found many strings related to Crypto-Wallets (likely being stolen) 20->141 143 Tries to harvest and steal browser information (history, passwords, etc) 20->143 149 2 other signatures 20->149 35 lL5t0)1.exe 9 2 20->35         started        39 2Nrm6FH.exe 20->39         started        41 setup_wm.exe 20->41         started        45 2 other processes 20->45 103 94.154.35.99, 1888, 49722, 49735 SELECTELRU Ukraine 25->103 145 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 25->145 147 Switches to a custom stack to bypass stack traces 25->147 43 WerFault.exe 2 27->43         started        file8 signatures9 process10 file11 85 C:\ProgramData\Microsoft\...\WmiPrvSE.exe, PE32+ 35->85 dropped 121 Antivirus detection for dropped file 35->121 123 Query firmware table information (likely to detect VMs) 35->123 125 Modifies windows update settings 35->125 137 3 other signatures 35->137 47 cmd.exe 1 35->47         started        50 cmd.exe 35->50         started        52 powershell.exe 23 35->52         started        63 15 other processes 35->63 87 C:\Users\user\AppData\...\UserOOBEBroker.exe, PE32 39->87 dropped 127 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 39->127 129 Queries memory information (via WMI often done to detect virtual machines) 39->129 54 cmd.exe 39->54         started        56 cmd.exe 39->56         started        131 Writes to foreign memory regions 41->131 133 Allocates memory in foreign processes 41->133 135 Found many strings related to Crypto-Wallets (likely being stolen) 45->135 58 chrome.exe 45->58         started        61 chrome.exe 45->61         started        signatures12 process13 dnsIp14 155 Uses schtasks.exe or at.exe to add and modify task schedules 47->155 157 Uses powercfg.exe to modify the power settings 47->157 159 Modifies power options to not sleep / hibernate 47->159 65 net.exe 1 47->65         started        67 conhost.exe 47->67         started        77 3 other processes 50->77 161 Loading BitLocker PowerShell Module 52->161 69 conhost.exe 52->69         started        71 WmiPrvSE.exe 52->71         started        73 conhost.exe 54->73         started        75 schtasks.exe 54->75         started        79 2 other processes 56->79 107 googlehosted.l.googleusercontent.com 142.250.65.193, 443, 49732, 49733 GOOGLEUS United States 58->107 109 127.0.0.1 unknown unknown 58->109 111 2 other IPs or domains 58->111 81 17 other processes 63->81 signatures15 process16 process17 83 net1.exe 1 65->83         started       
Score:
84%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/be93b3ae61347fd63f5e3a3797569175ee243b9d43b676c6f12c84101dab1bf5
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/f466536c5e1b7a07a2359cd40b7d8843
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/be93b3ae61347fd63f5e3a3797569175ee243b9d43b676c6f12c84101dab1bf5/
Verdict:
Malicious
Threat:
Family.RHADAMANTHYS
Link:
https://tip.neiki.dev/file/be93b3ae61347fd63f5e3a3797569175ee243b9d43b676c6f12c84101dab1bf5
Threat name:
Win64.Spyware.Rhadamanthys
Create hunting rule
Status:
Malicious
First seen:
2025-08-19 08:34:10 UTC
File Type:
PE+ (Exe)
Extracted files:
10
AV detection:
14 of 24 (58.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=x2j3hltbgr75mp26hi3zovuroxxcio45io3hnrxrfscbahnldp2q._file
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys discovery stealer
Link:
https://tria.ge/reports/250819-kgrg9a11es/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b8e51693-738a-419c-9fc5-974dd48c3700
Unpacked files
SH256 hash:
be93b3ae61347fd63f5e3a3797569175ee243b9d43b676c6f12c84101dab1bf5
MD5 hash:
f466536c5e1b7a07a2359cd40b7d8843
SHA1 hash:
e5b4f308cdb4982d6da8a52b0fa1dfb9024d3e3d
Link:
https://www.unpac.me/results/708fff59-08e8-4407-9966-50413df4d194/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/be93b3ae6134/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/be93b3ae61347fd63f5e3a3797569175ee243b9d43b676c6f12c84101dab1bf5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/22134/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryA
kernel32.dll::LoadLibraryW
kernel32.dll::GetSystemInfo
WIN_BASE_EXEC_APICan Execute other programskernel32.dll::WriteConsoleW
kernel32.dll::SetConsoleCtrlHandler
kernel32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create Fileskernel32.dll::GetSystemDirectoryA

Comments