MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7b56b506f592ebc069f645f59b2f91dfe748506e9d3101602cc913a4e9d74b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 17


Intelligence 17 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c7b56b506f592ebc069f645f59b2f91dfe748506e9d3101602cc913a4e9d74b0
SHA3-384 hash: 515ee95c727947937fe880ae49ba3aed1b505000c82053f04a74fccd217202cce13bb769b704ee0cb3102f0665337146
SHA1 hash: 85165657c4c69c881e64d89a00fcf2671466d0d6
MD5 hash: 36a24fe03ee733c7c38b1f974b9c9e26
humanhash: victor-pasta-double-king
File name:c7b56b506f592ebc069f645f59b2f91dfe748506e9d3101602cc913a4e9d74b0.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:1'943'592 bytes
First seen:2025-08-30 13:50:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 29bebcd96150ff9fcda8a64da0c33b3f (1 x LummaStealer, 1 x Rhadamanthys)
ssdeep 49152:KDWzEDdtjw5yICp2GUjz5ocqKJ0p5TvhhpmS:KDoPyIx1jztqMSF5nz
Threatray 3 similar samples on MalwareBazaar
TLSH T16495E183F6C34093FBE354B06B39C5A5D8295AA3BB141CDB80188684C5F9EDF967352B
TrID 49.9% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.6% (.EXE) OS/2 Executable (generic) (2029/13)
9.5% (.EXE) Generic Win/DOS Executable (2002/3)
9.4% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c7b56b506f592ebc069f645f59b2f91dfe748506e9d3101602cc913a4e9d74b0.exe
Verdict:
Malicious activity
Analysis date:
2025-08-28 10:48:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7a8661d4-f12e-4505-8b51-add324dc312f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/24235/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68b301de3e988eb6ab82fd8d
Tags:
injection cobalt obfusc virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fingerprint invalid-signature microsoft_visual_cc obfuscated packed packed packer_detected signed threat
Link:
https://www.filescan.io/uploads/68b3021939a6221faa765ffd/reports/595d8e70-e641-48fa-b5a3-b8866224556c/overview
Verdict:
Malicious
Labled as:
Fragtor.Generic
Link:
https://www.hybrid-analysis.com/sample/c7b56b506f592ebc069f645f59b2f91dfe748506e9d3101602cc913a4e9d74b0
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-08-27T22:01:00Z UTC
Last seen:
2025-08-27T22:01:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Crypt.sb Trojan.Win32.Agent.sb Trojan.Win64.SBEscape.uw Trojan-PSW.Win32.Rhadamanthys.sb Trojan.Win64.SBEscape.sb Trojan.Win32.Strab.sb Trojan.Win32.Inject.sb
Link:
https://opentip.kaspersky.com/c7b56b506f592ebc069f645f59b2f91dfe748506e9d3101602cc913a4e9d74b0/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/1cded3fd-598c-41f2-afaa-b77cdaf8841c
Result
Threat name:
Coinhive, RHADAMANTHYS, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1768124
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Detected Stratum mining protocol
Disable Windows Defender notifications (registry)
Downloads suspicious files via Chrome
Early bird code injection technique detected
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Coinhive miner
Yara detected RHADAMANTHYS Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1768124 Sample: hCCgrBy1St.exe Startdate: 30/08/2025 Architecture: WINDOWS Score: 100 104 twc.trafficmanager.net 2->104 106 time.windows.com 2->106 108 9 other IPs or domains 2->108 134 Found malware configuration 2->134 136 Antivirus detection for dropped file 2->136 138 Antivirus / Scanner detection for submitted sample 2->138 140 13 other signatures 2->140 12 hCCgrBy1St.exe 2->12         started        15 msedge.exe 440 2->15         started        19 svchost.exe 2->19         started        21 11 other processes 2->21 signatures3 process4 dnsIp5 170 Found many strings related to Crypto-Wallets (likely being stolen) 12->170 172 Found stalling execution ending in API Sleep call 12->172 174 Switches to a custom stack to bypass stack traces 12->174 23 OpenWith.exe 12->23         started        126 239.255.255.250 unknown Reserved 15->126 92 C:\Users\user\AppData\...\adblock_snippet.js, ASCII 15->92 dropped 94 C:\Users\user\AppData\Local\Temp\...\Part-FR, data 15->94 dropped 27 msedge.exe 15->27         started        29 msedge.exe 15->29         started        31 msedge.exe 15->31         started        33 msedge.exe 15->33         started        176 Changes security center settings (notifications, updates, antivirus, firewall) 19->176 35 conhost.exe 21->35         started        file6 signatures7 process8 dnsIp9 116 age-of-wonders-06-2019.com 2.58.56.54, 1888, 49688, 49737 SOFTNET-ASInternetServiceProviderinSloveniaandSouthE Netherlands 23->116 118 cloudflare-dns.com 104.16.249.249, 443, 49687 CLOUDFLARENETUS United States 23->118 154 Switches to a custom stack to bypass stack traces 23->154 37 dllhost.exe 8 23->37         started        120 192.168.2.9, 1888, 443, 49672 unknown unknown 27->120 122 s-part-0012.t-0009.t-msedge.net 13.107.246.40, 443, 49713, 49723 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 27->122 124 10 other IPs or domains 27->124 signatures10 process11 dnsIp12 110 age-of-wonders-06-2019.com 37->110 112 time-a-g.nist.gov 129.6.15.28 US-NATIONAL-INSTITUTE-OF-STANDARDS-AND-TECHNOLOGYUS United States 37->112 114 9 other IPs or domains 37->114 96 C:\Users\user\AppData\Local\...\wh}b8C.exe, PE32 37->96 dropped 98 C:\Users\user\AppData\Local\...\B5vjIR.exe, PE32+ 37->98 dropped 146 System process connects to network (likely due to code injection or exploit) 37->146 148 Early bird code injection technique detected 37->148 150 Found many strings related to Crypto-Wallets (likely being stolen) 37->150 152 3 other signatures 37->152 42 B5vjIR.exe 37->42         started        46 wh}b8C.exe 37->46         started        48 wmpnscfg.exe 37->48         started        50 3 other processes 37->50 file13 signatures14 process15 file16 100 C:\ProgramData\Microsoft\...\WmiPrvSE.exe, PE32+ 42->100 dropped 156 Antivirus detection for dropped file 42->156 158 Multi AV Scanner detection for dropped file 42->158 160 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 42->160 168 5 other signatures 42->168 52 cmd.exe 42->52         started        55 powershell.exe 42->55         started        57 sc.exe 42->57         started        70 5 other processes 42->70 102 C:\Users\user\AppData\...\UserOOBEBroker.exe, PE32 46->102 dropped 162 Queries memory information (via WMI often done to detect virtual machines) 46->162 59 cmd.exe 46->59         started        61 cmd.exe 46->61         started        164 Writes to foreign memory regions 48->164 166 Allocates memory in foreign processes 48->166 63 chrome.exe 50->63         started        66 chrome.exe 50->66         started        68 msedge.exe 50->68         started        signatures17 process18 dnsIp19 142 Uses schtasks.exe or at.exe to add and modify task schedules 52->142 72 net.exe 52->72         started        74 conhost.exe 52->74         started        144 Loading BitLocker PowerShell Module 55->144 76 conhost.exe 55->76         started        78 WmiPrvSE.exe 55->78         started        80 conhost.exe 57->80         started        82 conhost.exe 59->82         started        84 schtasks.exe 59->84         started        86 2 other processes 61->86 128 googlehosted.l.googleusercontent.com 142.250.80.65, 443, 49705, 49706 GOOGLEUS United States 63->128 130 127.0.0.1 unknown unknown 63->130 132 clients2.googleusercontent.com 63->132 88 5 other processes 70->88 signatures20 process21 process22 90 net1.exe 72->90         started       
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c7b56b506f592ebc069f645f59b2f91dfe748506e9d3101602cc913a4e9d74b0
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/36a24fe03ee733c7c38b1f974b9c9e26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c7b56b506f592ebc069f645f59b2f91dfe748506e9d3101602cc913a4e9d74b0/
Verdict:
Malicious
Threat:
Family.RHADAMANTHYS
Link:
https://tip.neiki.dev/file/c7b56b506f592ebc069f645f59b2f91dfe748506e9d3101602cc913a4e9d74b0
Threat name:
Win32.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2025-08-28 03:37:50 UTC
File Type:
PE (Exe)
AV detection:
22 of 24 (91.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=y62wwudplexlybu7mrpvtmxzdx7hjbig5hjrafqczsitutu5osya._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
e8b35a75b233e4de9d7240e8426a7204a95c7b7580375a63a1120e06e50e6eca
Rhadamanthys
error
Rhadamanthys
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys discovery stealer
Link:
https://tria.ge/reports/250830-q6hjjaztdx/
Behaviour
System Location Discovery: System Language Discovery
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/e05a89d2-bfc8-473c-9374-7b06efc51121
Unpacked files
SH256 hash:
c7b56b506f592ebc069f645f59b2f91dfe748506e9d3101602cc913a4e9d74b0
MD5 hash:
36a24fe03ee733c7c38b1f974b9c9e26
SHA1 hash:
85165657c4c69c881e64d89a00fcf2671466d0d6
Link:
https://www.unpac.me/results/06a48a2b-87de-4682-97ce-4b071c643921/
Malware family:
ConfusedOOBE
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c7b56b506f59/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
DriveBy Activity
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/c7b56b506f592ebc069f645f59b2f91dfe748506e9d3101602cc913a4e9d74b0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/24235/

Comments