MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c87c032aa2471bb287a7665fa083e76b41a48989c6b4cb61b9e8a290ce92a8da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 15


Intelligence 15 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c87c032aa2471bb287a7665fa083e76b41a48989c6b4cb61b9e8a290ce92a8da
SHA3-384 hash: 05acc8acf0ee9b6078c08dac028e8b72a82e5e45c74302e3e9c9b722ec339735746d8abd251c15edc91d3947f88145fd
SHA1 hash: ce38d824aa77cd619c7de7d2bba04bedf7eb4648
MD5 hash: 45f67d65520fc67f25d4049bbe599f00
humanhash: speaker-queen-eleven-fourteen
File name:45f67d65520fc67f25d4049bbe599f00.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:3'107'680 bytes
First seen:2025-10-10 08:37:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f6baa5eaa8231d4fe8e922a2e6d240ea (37 x CoinMiner, 22 x DCRat, 15 x LummaStealer)
ssdeep 49152:Ep5Vy2D/CslrttpLxAnkOfxHangzTuBZ+xY2gifRN7sKBp/TdibkjEMoJGqof876:Ep5VyBs/jNAnkOfxHKgGT+q2DRlsUBTv
Threatray 1'067 similar samples on MalwareBazaar
TLSH T127E533067FDD89F5C2650D300BC25BA16BBEF20557AB97C3A9900E0AED346D1E2394DB
TrID 38.7% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
24.6% (.EXE) Win64 Executable (generic) (10522/11/4)
11.8% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.5% (.EXE) Win32 Executable (generic) (4504/4/1)
4.7% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags:ESET-NOD32 exe Rhadamanthys signed

Code Signing Certificate

Organisation:ESET NOD32
Issuer:ESET NOD32
Algorithm:sha256WithRSAEncryption
Valid from:2025-09-24T00:00:00Z
Valid to:2027-09-24T00:00:00Z
Serial number: 35e0ccdb60049822
Intelligence: 8 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 64a0a5d3efec5acb087e49d0b195f882e4d7835ad026d63292ee5721895f16d9
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a27acaf00ed9b55836f0970c4f6b359d358ee730c0b5a2d09ebb4c8be83143b1.bin.exe
Verdict:
Malicious activity
Analysis date:
2025-10-10 05:28:25 UTC
Tags:
auto generic gcleaner loader inno installer delphi anti-evasion autoit lumma stealer qrcode golang
Link:
https://app.any.run/tasks/4ad132ce-ee65-402d-8d0b-73d9936ba55b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/32242/
Detection(s):
Win.Malware.7zip-10013374-0
Create hunting rule

Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68e8c5d4f2ca2f143e40f4b1
Tags:
obfuscate xtreme sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Running batch commands
Creating a process with a hidden window
Launching a process
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
Replacing files
Creating a file
Sending a custom TCP request
Searching for synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Сreating synchronization primitives
Connection attempt to an infection source
Unauthorized injection to a recently created process
Query of malicious DNS domain
Sending a TCP request to an infection source
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context fingerprint installer keylogger microsoft_visual_cc overlay packed packer_detected signed stealer
Link:
https://www.filescan.io/uploads/68e8c65b71883144ef300ac3/reports/ce7f97db-6e22-4bc7-bd53-b9ce7ac71137/overview
Verdict:
Malicious
Labled as:
Malware/7zip
Link:
https://www.hybrid-analysis.com/sample/c87c032aa2471bb287a7665fa083e76b41a48989c6b4cb61b9e8a290ce92a8da
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-10-08T12:50:00Z UTC
Last seen:
2025-10-12T06:23:00Z UTC
Hits:
~100
Detections:
Trojan-Dropper.Win32.Agent.sb HEUR:Trojan.Win32.Generic HEUR:Trojan.MSIL.Agent.gen Trojan-Downloader.Win32.PsDownload.sb Trojan-Dropper.Win32.Agent.gen Trojan.Win32.SFX.sb Trojan-Dropper.Win32.Delfea.vl Trojan-Dropper.Win32.Delfea.sb Trojan-Dropper.Win32.Delf.eimp
Link:
https://opentip.kaspersky.com/c87c032aa2471bb287a7665fa083e76b41a48989c6b4cb61b9e8a290ce92a8da/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/b37a8709-ff7a-4d4f-b72e-29c198d4c525
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1792668
Signature
AI detected suspicious PE digital signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Contains functionality to register a low level keyboard hook
Drops password protected ZIP file
Encrypted powershell cmdline option found
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Powershell drops PE file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Powershell download and execute
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1792668 Sample: cDg7f3gZac.exe Startdate: 10/10/2025 Architecture: WINDOWS Score: 100 62 cloudflare-dns.com 2->62 64 adobehelp.net 2->64 80 Antivirus detection for URL or domain 2->80 82 Antivirus detection for dropped file 2->82 84 Multi AV Scanner detection for dropped file 2->84 86 6 other signatures 2->86 11 cDg7f3gZac.exe 8 2->11         started        15 svchost.exe 2->15         started        signatures3 process4 dnsIp5 58 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32+ 11->58 dropped 60 C:\Users\user\AppData\Local\Temp\...\7z.dll, PE32+ 11->60 dropped 94 Contains functionality to register a low level keyboard hook 11->94 18 cmd.exe 2 11->18         started        20 OpenWith.exe 11->20         started        72 127.0.0.1 unknown unknown 15->72 file6 signatures7 process8 dnsIp9 24 wrwn1cr0.exe 3 18->24         started        27 7z.exe 2 18->27         started        29 7z.exe 3 18->29         started        31 9 other processes 18->31 66 openai-pidor-with-ai.com 178.16.53.243, 49701, 6343 DUSNET-ASDE Germany 20->66 68 cloudflare-dns.com 104.16.249.249, 443, 49700 CLOUDFLARENETUS United States 20->68 88 Found evasive API chain (may stop execution after checking mutex) 20->88 90 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 20->90 signatures10 process11 file12 52 C:\Users\user\AppData\Local\Temp\ycorig.exe, PE32 24->52 dropped 54 C:\Users\user\AppData\Local\Temp\win.exe, PE32 24->54 dropped 33 win.exe 1 24->33         started        36 ycorig.exe 2 24->36         started        56 C:\Users\user\AppData\Local\...\wrwn1cr0.exe, PE32 27->56 dropped process13 signatures14 74 Multi AV Scanner detection for dropped file 33->74 76 Encrypted powershell cmdline option found 33->76 38 powershell.exe 15 19 33->38         started        78 Antivirus detection for dropped file 36->78 43 WerFault.exe 19 16 36->43         started        process15 dnsIp16 70 adobehelp.net 172.67.195.189, 443, 49691 CLOUDFLARENETUS United States 38->70 50 C:\Users\user\AppData\Local\Temp\win86.exe, PE32+ 38->50 dropped 92 Powershell drops PE file 38->92 45 win86.exe 38->45         started        48 conhost.exe 38->48         started        file17 signatures18 process19 signatures20 96 Found direct / indirect Syscall (likely to bypass EDR) 45->96
Score:
88%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/c87c032aa2471bb287a7665fa083e76b41a48989c6b4cb61b9e8a290ce92a8da
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout SFX 7z Win 32 Exe x86
Link:
https://app.malva.re/file/45f67d65520fc67f25d4049bbe599f00
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c87c032aa2471bb287a7665fa083e76b41a48989c6b4cb61b9e8a290ce92a8da/
Verdict:
Malicious
Threat:
Family.RHADAMANTHYS
Link:
https://tip.neiki.dev/file/c87c032aa2471bb287a7665fa083e76b41a48989c6b4cb61b9e8a290ce92a8da
Threat name:
Win32.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-10-08 14:59:04 UTC
File Type:
PE (Exe)
Extracted files:
10
AV detection:
15 of 38 (39.47%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zb6agkvci4n3fb5hmzp2ba7hnna2jcmjy22mwynz5crjbtusvdna._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
142a11b087745d831e0298f74f8f39a3fcf4a0dc3035c8bf1bb95517ca59fec3
Rhadamanthys
3006fbf4ad07f754a252a2d65bbd1df77abdd9361bcc53d8705ab18b6dcecc0f
Rhadamanthys
3665ea3dd2379f851bd539390cc427ae6fe713fe46001689241862083eee4716
Rhadamanthys
4eb6747cdf61ae87a0c64bd86f49ddf65c61397958a81b33d788dcdcbf61329f
Rhadamanthys
a3a87de1728f004dbbef953cd7437e31b880206ea38ec809d870110a2ce4f6f0
Rhadamanthys
e4995bb20cc990503030d8a67449d3481832f904854892f8b2c4eb0ea05342fd
Rhadamanthys
error
Rhadamanthys
+ 1'057 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion discovery
Link:
https://tria.ge/reports/251010-kj1tpssnv4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Obfuscated Files or Information: Command Obfuscation
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Badlisted process makes network request
Downloads MZ/PE file
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
Win.Malware.7zip-10013374-0
YARA:
n/a
Link:
https://app.threat.zone/submission/39b66bd1-245c-43f9-ae95-4be8b40e6030
Unpacked files
SH256 hash:
c87c032aa2471bb287a7665fa083e76b41a48989c6b4cb61b9e8a290ce92a8da
MD5 hash:
45f67d65520fc67f25d4049bbe599f00
SHA1 hash:
ce38d824aa77cd619c7de7d2bba04bedf7eb4648
Link:
https://www.unpac.me/results/d5d27510-1f3e-45ca-b015-c4870c93c43f/
SH256 hash:
d8cdb46900bfee9141e3d136fe88f788e1be748a50592f84019676514a8a9b71
MD5 hash:
19010f04c74d32ff9742cde7760195b3
SHA1 hash:
1787c34c26199cfd4f8385b3d539b7d39742643a
Link:
https://www.unpac.me/results/d5d27510-1f3e-45ca-b015-c4870c93c43f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c87c032aa2471bb287a7665fa083e76b41a48989c6b4cb61b9e8a290ce92a8da

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/32242/

Comments