MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbe8f8a3a270c64426e94748917de1a23bba7658d43a6c1acaf6e1854af822f6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cbe8f8a3a270c64426e94748917de1a23bba7658d43a6c1acaf6e1854af822f6
SHA3-384 hash: 02e55855702dc8970a55cfc64beaf5588380e3193bd19064cc740bb560a7855f8fc880e476202ab5c43f25ac5f73989b
SHA1 hash: a12f7a40d9574e2d29372903918936a466b1d9ab
MD5 hash: 719e1a49cc9fc4ee8b058ce7b4de9d3c
humanhash: cola-kansas-earth-emma
File name:719e1a49cc9fc4ee8b058ce7b4de9d3c.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:1'693'696 bytes
First seen:2025-07-07 13:37:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash df533905651d4d38e2f1c6b89a7d3c6a (5 x LummaStealer, 2 x Rhadamanthys, 2 x Vidar)
ssdeep 49152:ViL6ebcZzEptz377d1sntPx377d1sntP:VqB2zET7Kth7Kt
Threatray 415 similar samples on MalwareBazaar
TLSH T19075F178919592DAFC7640B7446263A5B1A2B633C2392FFF8290E3725E137C51F2D329
TrID 63.5% (.EXE) Win64 Executable (generic) (10522/11/4)
12.2% (.EXE) OS/2 Executable (generic) (2029/13)
12.0% (.EXE) Generic Win/DOS Executable (2002/3)
12.0% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter abuse_ch
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
24
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
rl_cbe8f8a3a270c64426e94748917de1a23bba7658d43a6c1acaf6e1854af822f6.exe
Verdict:
Suspicious activity
Analysis date:
2025-07-07 13:55:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f6f30f41-f1be-4a21-9721-1324e02ed7cd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/12694/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=686bcdd7c9eb9747376764c4
Tags:
virus zusy
Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context fingerprint microsoft_visual_cc packed packed packer_detected
Link:
https://www.filescan.io/uploads/686bcdd40737c4165a924bf2/reports/bf3502c3-5525-4aa9-9818-4f3eaf0d902e/overview
Verdict:
Malicious
Labled as:
Zusy.Generic
Link:
https://www.hybrid-analysis.com/sample/cbe8f8a3a270c64426e94748917de1a23bba7658d43a6c1acaf6e1854af822f6
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/4dd5980f-caf8-413a-a741-5b25164da052
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1730123
Signature
.NET source code contains potential unpacker
Checks if the current machine is a virtual machine (disk enumeration)
Early bird code injection technique detected
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sets debug register (to hijack the execution of another thread)
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1730123 Sample: Z434q1a6Se.exe Startdate: 07/07/2025 Architecture: WINDOWS Score: 100 34 x.ns.gin.ntt.net 2->34 36 time.facebook.com 2->36 38 4 other IPs or domains 2->38 52 Multi AV Scanner detection for submitted file 2->52 54 Yara detected RHADAMANTHYS Stealer 2->54 56 .NET source code contains potential unpacker 2->56 58 Joe Sandbox ML detected suspicious sample 2->58 9 Z434q1a6Se.exe 2->9         started        12 elevation_service.exe 2->12         started        14 elevation_service.exe 2->14         started        16 2 other processes 2->16 signatures3 process4 signatures5 70 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 9->70 72 Sets debug register (to hijack the execution of another thread) 9->72 74 Modifies the context of a thread in another process (thread injection) 9->74 76 Injects a PE file into a foreign processes 9->76 18 Z434q1a6Se.exe 3 9->18         started        process6 dnsIp7 40 ntp1.net.berkeley.edu 169.229.128.134, 123, 49584 UCBUS United States 18->40 42 ntp.time.nl 94.198.159.10, 123, 49584 SIDNNL Netherlands 18->42 44 6 other IPs or domains 18->44 60 Early bird code injection technique detected 18->60 62 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->62 64 Query firmware table information (likely to detect VMs) 18->64 66 11 other signatures 18->66 22 chrome.exe 1 18->22         started        25 WerFault.exe 2 18->25         started        27 chrome.exe 18->27         started        signatures8 process9 signatures10 68 Found many strings related to Crypto-Wallets (likely being stolen) 22->68 29 chrome.exe 22->29         started        32 chrome.exe 22->32         started        process11 dnsIp12 46 192.178.218.132, 443, 49730 GOOGLEUS United States 29->46 48 127.0.0.1 unknown unknown 29->48 50 2 other IPs or domains 29->50
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cbe8f8a3a270c64426e94748917de1a23bba7658d43a6c1acaf6e1854af822f6
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) Win 64 Exe x64
Link:
https://app.malva.re/file/719e1a49cc9fc4ee8b058ce7b4de9d3c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cbe8f8a3a270c64426e94748917de1a23bba7658d43a6c1acaf6e1854af822f6/
Threat name:
Win64.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-07-07 12:59:19 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zpupri5coddeijxji5ejc7pbui53u5sy2q5gygwk63qyksxyel3a._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
57a03250b11c9714a95849f1b49a2f91349631333469ee35d92ad020173c07b1
Rhadamanthys
80052df31374b409c3ea4c8829fb05e9c7cfa00b62a9720051ce947f9dfb4b03
Rhadamanthys
876f89e39583dd386ee1b27dd83bc2351902ca39f2c4aae641cc456993515d32
Rhadamanthys
af10403aaf9c4a14ed734cc538f0a386bd78458f9697672abacbaf595468c2c3
Rhadamanthys
cbe8f8a3a270c64426e94748917de1a23bba7658d43a6c1acaf6e1854af822f6
Rhadamanthys
d22e4c4cbd1f551d5bfc83a34121748a7e22523e2cd62d4f354ff902452a65b5
Rhadamanthys
error
Rhadamanthys
f0780460233a9b73f1bf9bcc7b6707c9f714a7888d7feb052aa4dce190098c30
Rhadamanthys
+ 405 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/250707-qxjegasnx2/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fb0215b5-d971-4d5e-9345-718db2c4169b
Unpacked files
SH256 hash:
cbe8f8a3a270c64426e94748917de1a23bba7658d43a6c1acaf6e1854af822f6
MD5 hash:
719e1a49cc9fc4ee8b058ce7b4de9d3c
SHA1 hash:
a12f7a40d9574e2d29372903918936a466b1d9ab
Link:
https://www.unpac.me/results/08bcb61d-74ff-417c-8fa3-05a3f7da8d4f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cbe8f8a3a270c64426e94748917de1a23bba7658d43a6c1acaf6e1854af822f6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/12694/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
KERNEL32.dll::GetCommandLineW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::FreeConsole
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleOutputCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::CreateWindowExA

Comments