MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c2f69012838072f60e8a0b07a0ad3498c029e58243deaf2bd21f450e46c9f6bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Rhadamanthys


Vendor detections: 11



SHA256 hash: c2f69012838072f60e8a0b07a0ad3498c029e58243deaf2bd21f450e46c9f6bd
SHA3-384 hash: 48043b8aa3decb248c2c31cb61a9b831817b7df2614a1bc32ebd7c8ed0f1856d974f3d2317b3707885a68bb8c46f3f07
SHA1 hash: 4480aaf651f6179e6f6c727db443b5686b252d3b
MD5 hash: 0e43411f28fb4761668084f25ef57a98
humanhash: delaware-cold-nebraska-fanta
File name: InstaIIer.exe
Signature: Rhadamanthys
File size: 7'269'376 bytes
First seen: 2025-03-23 08:57:24 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 995b568af40925aa5a14ee16ffa54dec (2 x Rhadamanthys)
ssdeep: 49152:ZPaCk818BaFoV3egxUjnWdls85XXpDYALLRENU9Qd+buk0lHxjC/dJdcAuqeVI5O:0BaFbzUzXWU9w6ZkHEj0O7muuA+vU
TLSH: T105766BC367F90736E7AE0E79ACBC51100A76BD06FE2DE64E1945B0AB4977340B913362
TrID:
  40.3% (.EXE) Win64 Executable (generic) (10522/11/4)
  19.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
  17.2% (.EXE) Win32 Executable (generic) (4504/4/1)
  7.7% (.EXE) OS/2 Executable (generic) (2029/13)
  7.6% (.EXE) Generic Win/DOS Executable (2002/3)
Magika: pebin
dhash icon: 4cb26964b0cc45ba (2 x Rhadamanthys, 1 x RaccoonStealer, 1 x LummaStealer)
Reporter: abuse_ch
Tags: de-pumped exe Rhadamanthys

Intelligence


File Origin
# of uploads: 1
# of downloads: 450
Origin country: NL
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: InstaIIer.exe
Verdict: Malicious activity
Analysis date: 2025-03-23 08:58:33 UTC
Tags: rhadamanthys stealer websocket
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Verdict: Malicious
Score: 99.9%
Tags: phishing cobalt

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating synchronization primitives
Launching a process
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending a custom TCP request
Sending an HTTP GET request
Unauthorized injection to a system process

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-vm control dotnet evasive expired-cert fingerprint lolbin microsoft_visual_cc msiexec packed packer_detected reconnaissance regasm remote sc schtasks

Result
Threat name: RHADAMANTHYS
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
C2 URLs / IPs found in malware configuration
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Verdict: malicious
Label(s): rhadamanthys
Similar samples:

Result
Malware family: n/a
Score: 10/10
Tags: discovery
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SHA256 hash: c2f69012838072f60e8a0b07a0ad3498c029e58243deaf2bd21f450e46c9f6bd
MD5 hash: 0e43411f28fb4761668084f25ef57a98
SHA1 hash: 4480aaf651f6179e6f6c727db443b5686b252d3b

SHA256 hash: 5f8bd349dbe5d0debe87ea19bd30a7f8c508058cc747c333b19e318b3f107a87
MD5 hash: 3c11528a63ceb45f8f779b2dfa4a3302
SHA1 hash: f77e41a0d91e1479d2e20a69f8dabbe768b9b371

SHA256 hash: c0eb7d73e377e69d7aa0def6a2e3a4c6fd5c05b9f16c4d6bccbac7a9b666e9b1
MD5 hash: 26534463db37a590146d27e93bf1ef0d
SHA1 hash: 0cd5bec3704b2fab89b21a38de64a92783a81ea6

SHA256 hash: ec1f7c34c317d259f080a266edb40c490143ed5562da64dd544b94eea9e34a35
MD5 hash: f64511b6e421b0fec09839ac2e6dce9a
SHA1 hash: e6606fa0fd86eb5c89b867b45d9062edccdc4378

SHA256 hash: 5572799816266f11c7d64e631c3fc1a857d9c573b0a8f3ea3d89289276bc81c6
MD5 hash: 119496cf2c0aa9f2540fec1ef36bf40a
SHA1 hash: f6117773476d64280d57f7893401f729972eeab5

SHA256 hash: 670117ae00721353bfc0e12a817e3a48e28629d8dad74d06c7d26a8eec81d2cc
MD5 hash: cd1bb0470569404c64123599bc2b6e6d
SHA1 hash: 8f79ccc0fff107e9c082a4336014721481c29518

SHA256 hash: aac9a633eea7b0be6e1ccbf07f34c6dcd13de53b26e7b8c3ed9a8ec6964122f4
MD5 hash: 344758b5da7d5abf05c75531811d4bfe
SHA1 hash: b2a05d09fa9a153776b049227d9634b457ad8531

SHA256 hash: 9eef6dbbe50bf1762f2d9702c5995b6777e39ff07146186c32697d85f3b9cc05
MD5 hash: 0a11a456888acb5f5bae7c4c894ee813
SHA1 hash: bedfc834ac0ba514bb92f61100fae3a02c9c5e2f

SHA256 hash: 30b1e00d898ce47eed2a726692fe72713ec9541fead6b03c36ddfdb354183fc5
MD5 hash: b7ce4520c6ede9e9113f70d1eeb5240a
SHA1 hash: 7e5e0e4f28207c4aa8dab9877b94d304a0854965

SHA256 hash: e0f0690819e3edc72c63d2307dd5ae4dc5581f1e2e719ed6219edb7ff4f5c70e
MD5 hash: 50f6c7b1bf71c67c6013b6e87014d5f4
SHA1 hash: 157fe445e24889eb05ad78c0daa0cfcdeac83676

SHA256 hash: 324433bdcbe364dcd5db1601bb51e802e15f421764225c8b7541ef2c5b36115b
MD5 hash: b2a484f576060fce5321360ba8acdcea
SHA1 hash: 990f8ec627bf06d1300e2135454137b7bd0a5de6

SHA256 hash: 3107d65a413b04ec3387585077d4cfbadceb62fbe39e3711d2cc54be06008ced
MD5 hash: 761b3659deea83bfdbe4cd12639f4286
SHA1 hash: 296c7f645723b2c5f90fbd053f3c0916d298a6e8

SHA256 hash: 0e26b59bf278cdd6a9c337aff65dcdc4f4c66bb4ef4847420fcd61c8f440f460
MD5 hash: 7b4c125251c1ce0909071416587dd966
SHA1 hash: 09a0236208f23715e73de370a691d2930bf90354

SHA256 hash: 3805ef035d0ee7f7f7f0fa8dd71dd0d4502f45538d1138fe40b144ee092bf14b
MD5 hash: a586d8bcd40fba326384a33dcaa294ec
SHA1 hash: 645ce833ebd3971ee0f3874e2ab1e4c682531c58

SHA256 hash: 11a6eefc3af43054e14483174adf8b4ced5ffdf4e677e44dcf67da50d6d0901b
MD5 hash: 5665aac435c64a4357651acae244f5a9
SHA1 hash: 211d1fbba370c0aad06693a39f31de61038d3800

SHA256 hash: 9d805c5e9791e16bd6e5f2ceb6a12dd4eb23fe30372163e0d099f50aee3de34b
MD5 hash: 621a011243ad64d0984a84ad4e1c0f29
SHA1 hash: 3d61e2f96c767567f1c029455398521cc7cb6d4a

SHA256 hash: 76124261c9d522c5c46c83e6ed4f7c069f923e3f86e0a960602da018588befc9
MD5 hash: 0a899901137a31c5461101b02b4eb722
SHA1 hash: 0ae53a6a88ab119f2bf12c9ff7876fed49910df4
Detections: SUSP_NET_Large_Static_Array_In_Small_File_Jan24

SHA256 hash: 56fb0736fc402628c00ba852404fd7be2cdbd76edfb8fc1e3f7314b724cd398d
MD5 hash: 4ec064674de9527947446301e1b2c842
SHA1 hash: b2e25e4f1489023015dcb3b44d54fec778b97fa7

SHA256 hash: c2030e3b0850f9f19a20a08d0347c8a37230bd26f49ad54a2a74c4d02b8a2088
MD5 hash: 6416ff71ec1388d8595b28ee4fc9f413
SHA1 hash: cf495bfac2f8c932e87ca98d1e51249097c2d426

SHA256 hash: 9c478c247dbd76d045c2f4a3d623c3213d6e1fe7e7da4d275aace558ca5694cf
MD5 hash: cadd0593719c142b3f005663a8191512
SHA1 hash: 49677dff2204c8f77178917aa220582d9a003b45

SHA256 hash: f75a7579a01d31d4b4af0ee27d080547f4a629845dc1745fab0cfaf52a3826b0
MD5 hash: 4949748880493a147211d1bc071a04fa
SHA1 hash: 1d3402e84614c6475f30aa2098c903fc979a6ffd

SHA256 hash: 29724defbaca5b1f2b3423a90ed70b363a016b9c9118d7817b715a80cfaa3801
MD5 hash: 62dcead485859dcbc3c54a585dcc865f
SHA1 hash: b451d72da2752ca429dd2cf7c4ee4b9aabe3078a

SHA256 hash: b38b05d0e94b7f9083d77a5c19816ef46284aeaeb3f7c52286b010f8e19e42fa
MD5 hash: 0978971940d4d5a4b2f1aedb14f7976b
SHA1 hash: 490a36216d65f06388544a093c24536a3f176b1a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: detect_powershell
Author: daniyyell
Description: Detects suspicious PowerShell activity related to malware execution

Rule name: Detect_PowerShell_Obfuscation
Author: daniyyell
Description: Detects obfuscated PowerShell commands commonly used in malicious scripts.

Rule name: Disable_Defender
Author: iam-py-test
Description: Detect files disabling or modifying Windows Defender, Windows Firewall, or Microsoft Smartscreen

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: NET
Author: malware-lu

Rule name: NETDLLMicrosoft
Author: malware-lu

Rule name: NETexecutableMicrosoft
Author: malware-lu

Rule name: pe_detect_tls_callbacks

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Rhadamanthys
File type: Executable exe
SHA256: c2f69012838072f60e8a0b07a0ad3498c029e58243deaf2bd21f450e46c9f6bd (this sample)

BLint


The following table provides more information about this file using BLint. BLint is a binary linter that checks the security properties and capabilities of executables.

Findings (ID, title, severity):
  CHECK_AUTHENTICODE: Missing Authenticode (severity: high)
  CHECK_DLL_CHARACTERISTICS: Missing dll Security Characteristics (HIGH_ENTROPY_VA) (severity: high)

Reviews (ID, capabilities, evidence):
  AUTH_API (Manipulates User Authorization): ADVAPI32.dll::AllocateAndInitializeSid, ADVAPI32.dll::FreeSid, ADVAPI32.dll::SetEntriesInAclW, ADVAPI32.dll::InitializeSecurityDescriptor
  SECURITY_BASE_API (Uses Security Base API): ADVAPI32.dll::AdjustTokenPrivileges, ADVAPI32.dll::SetSecurityDescriptorDacl
  WIN32_PROCESS_API (Can Create Process and Threads): KERNEL32.dll::CreateProcessW, ADVAPI32.dll::OpenProcessToken, KERNEL32.dll::CloseHandle, KERNEL32.dll::CreateThread
  WIN_BASE_API (Uses Win Base API): KERNEL32.dll::TerminateProcess, KERNEL32.dll::LoadLibraryExA, KERNEL32.dll::LoadLibraryExW, KERNEL32.dll::GetSystemInfo, KERNEL32.dll::GetStartupInfoW, KERNEL32.dll::GetCommandLineA, KERNEL32.dll::GetCommandLineW
  WIN_BASE_EXEC_API (Can Execute other programs): KERNEL32.dll::WriteConsoleW, KERNEL32.dll::ReadConsoleW, KERNEL32.dll::SetStdHandle, KERNEL32.dll::GetConsoleOutputCP, KERNEL32.dll::GetConsoleMode
  WIN_BASE_IO_API (Can Create Files): KERNEL32.dll::CopyFileW, KERNEL32.dll::CreateDirectoryW, KERNEL32.dll::CreateHardLinkW, KERNEL32.dll::CreateFileW, KERNEL32.dll::CreateFileMappingW, KERNEL32.dll::MoveFileExW
  WIN_BASE_USER_API (Retrieves Account Information): ADVAPI32.dll::LookupPrivilegeValueW
  WIN_REG_API (Can Manipulate Windows Registry): ADVAPI32.dll::RegCreateKeyExW, ADVAPI32.dll::RegDeleteKeyW, ADVAPI32.dll::RegOpenKeyExW, ADVAPI32.dll::RegQueryValueExW, ADVAPI32.dll::RegSetValueExW
  WIN_SVC_API (Can Manipulate Windows Services): ADVAPI32.dll::RegisterServiceCtrlHandlerW, ADVAPI32.dll::StartServiceCtrlDispatcherW

Comments