MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ce91c00c4647bb1043e1a1edf70a50db6bbc92d480ad54143d40b31a8c54e4e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 16


Intelligence 16 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ce91c00c4647bb1043e1a1edf70a50db6bbc92d480ad54143d40b31a8c54e4e0
SHA3-384 hash: a071d325e5ecb02e4c2c0200037664c748a2794fce3f452c2980596f579f1cacebd1fe325ea9e45283cf4ed4c66b795c
SHA1 hash: 549361aecb89334a83dc8cc4db3584d7d53303c0
MD5 hash: 4122a873f73877f75ef67530bcad84f0
humanhash: echo-neptune-yankee-arizona
File name:Loader.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:6'787'976 bytes
First seen:2025-08-22 11:07:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5fd7a64f782f2a19b3a934fcf8a06b19 (11 x Rhadamanthys)
ssdeep 98304:hHOnKw5jIxoFldPId+4BPG2jQj1f40dKDXMXdDCkI8379QBaWhf4K2y6KNywrZdC:tK95VdPnwGeQmmKDXMthIf4KBskT2Zwe
Threatray 228 similar samples on MalwareBazaar
TLSH T1D56623AB05CA80F5D9D51038557B8E8A3272CE974C81CC2F2EC879499DB1EBEA077D17
TrID 30.2% (.EXE) Win64 Executable (generic) (10522/11/4)
18.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
14.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
12.9% (.EXE) Win32 Executable (generic) (4504/4/1)
5.9% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
dhash icon e0c0d2b0bce2e470 (7 x Rhadamanthys, 2 x Stealc, 2 x CoinMiner)
Reporter burger
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Loader.exe
Verdict:
Malicious activity
Analysis date:
2025-08-22 11:05:43 UTC
Tags:
rhadamanthys stealer anti-evasion shellcode loader confuser pastebin
Link:
https://app.any.run/tasks/e9f56d72-029a-4bce-881e-50c5471afb33

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/22932/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68a84f848fd55a79c52a37d9
Tags:
vmprotect injection spawn virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Using the Windows Management Instrumentation requests
Connecting to a non-recommended domain
Connection attempt
Sending a custom TCP request
DNS request
Sending a UDP request
Reading critical registry keys
Searching for the window
Sending an HTTP GET request to an infection source
Running batch commands
Unauthorized injection to a system process
Stealing user critical data
Connection attempt to an infection source
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
invalid-signature overlay packed redcap signed threat
Link:
https://www.filescan.io/uploads/68a84fba7137d6845837b687/reports/cf70c236-f923-4d31-a18f-1d54c2a49aac/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/ce91c00c4647bb1043e1a1edf70a50db6bbc92d480ad54143d40b31a8c54e4e0
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-08-22T08:17:00Z UTC
Last seen:
2025-08-22T08:17:00Z UTC
Hits:
~100
Detections:
Trojan.Win32.Crypt.sb Trojan.Win32.Agent.sb Trojan-PSW.Win32.Rhadamanthys.sb Trojan-Dropper.Win32.Injector.sb Trojan.Win64.SBEscape.sb Trojan.Win32.Strab.sb Trojan.Win32.Inject.sb
Link:
https://opentip.kaspersky.com/ce91c00c4647bb1043e1a1edf70a50db6bbc92d480ad54143d40b31a8c54e4e0/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/503530fe-af89-4351-b866-51b5c3638a97
Result
Threat name:
RHADAMANTHYS, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1762857
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious PE digital signature
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Deletes itself after installation
Disable Windows Defender notifications (registry)
Early bird code injection technique detected
Found malware configuration
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Suspicious execution chain found
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RHADAMANTHYS Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1762857 Sample: Loader.exe Startdate: 22/08/2025 Architecture: WINDOWS Score: 100 93 x.ns.gin.ntt.net 2->93 95 ts1.aco.net 2->95 97 6 other IPs or domains 2->97 123 Found malware configuration 2->123 125 Malicious sample detected (through community Yara rule) 2->125 127 Antivirus detection for dropped file 2->127 129 12 other signatures 2->129 12 Loader.exe 2->12         started        15 svchost.exe 2->15         started        17 cmd.exe 2->17         started        19 10 other processes 2->19 signatures3 process4 dnsIp5 153 Switches to a custom stack to bypass stack traces 12->153 22 OpenWith.exe 12->22         started        155 Changes security center settings (notifications, updates, antivirus, firewall) 15->155 26 conhost.exe 17->26         started        28 schtasks.exe 17->28         started        99 127.0.0.1 unknown unknown 19->99 signatures6 process7 dnsIp8 101 94.154.35.99, 1888, 49721, 49736 SELECTELRU Ukraine 22->101 149 Deletes itself after installation 22->149 151 Switches to a custom stack to bypass stack traces 22->151 30 dllhost.exe 5 22->30         started        signatures9 process10 dnsIp11 109 time-a-g.nist.gov 129.6.15.28, 123, 53501 US-NATIONAL-INSTITUTE-OF-STANDARDS-AND-TECHNOLOGYUS United States 30->109 111 ntp.time.nl 94.198.159.10, 123, 53501 SIDNNL Netherlands 30->111 113 6 other IPs or domains 30->113 89 C:\Users\user\AppData\Local\...\Qo(5[oN1(.exe, PE32+ 30->89 dropped 91 C:\Users\user\AppData\Local\...\1_W_VY.exe, PE32 30->91 dropped 115 Early bird code injection technique detected 30->115 117 Tries to harvest and steal browser information (history, passwords, etc) 30->117 119 Maps a DLL or memory area into another process 30->119 121 Queues an APC in another process (thread injection) 30->121 35 Qo(5[oN1(.exe 9 2 30->35         started        39 1_W_VY.exe 30->39         started        41 wmpnscfg.exe 30->41         started        43 2 other processes 30->43 file12 signatures13 process14 file15 85 C:\ProgramData\Microsoft\...\WmiPrvSE.exe, PE32+ 35->85 dropped 131 Antivirus detection for dropped file 35->131 133 Multi AV Scanner detection for dropped file 35->133 135 Query firmware table information (likely to detect VMs) 35->135 147 4 other signatures 35->147 45 cmd.exe 1 35->45         started        48 powershell.exe 35->48         started        50 cmd.exe 35->50         started        63 14 other processes 35->63 87 C:\Users\user\AppData\...\UserOOBEBroker.exe, PE32 39->87 dropped 137 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 39->137 139 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 39->139 141 Queries memory information (via WMI often done to detect virtual machines) 39->141 52 cmd.exe 39->52         started        54 cmd.exe 39->54         started        143 Writes to foreign memory regions 41->143 145 Allocates memory in foreign processes 41->145 56 dllhost.exe 41->56         started        59 chrome.exe 43->59         started        61 chrome.exe 43->61         started        signatures16 process17 dnsIp18 157 Uses schtasks.exe or at.exe to add and modify task schedules 45->157 65 net.exe 1 45->65         started        67 conhost.exe 45->67         started        159 Loading BitLocker PowerShell Module 48->159 69 conhost.exe 48->69         started        71 WmiPrvSE.exe 48->71         started        77 2 other processes 50->77 73 conhost.exe 52->73         started        75 schtasks.exe 52->75         started        79 2 other processes 54->79 103 178.16.54.246, 44133, 49740, 49746 DUSNET-ASDE Germany 56->103 105 googlehosted.l.googleusercontent.com 142.250.176.193, 443, 49734 GOOGLEUS United States 59->105 107 clients2.googleusercontent.com 59->107 81 14 other processes 63->81 signatures19 process20 process21 83 net1.exe 1 65->83         started       
Score:
86%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ce91c00c4647bb1043e1a1edf70a50db6bbc92d480ad54143d40b31a8c54e4e0
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/4122a873f73877f75ef67530bcad84f0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ce91c00c4647bb1043e1a1edf70a50db6bbc92d480ad54143d40b31a8c54e4e0/
Verdict:
Malicious
Threat:
Family.RHADAMANTHYS
Link:
https://tip.neiki.dev/file/ce91c00c4647bb1043e1a1edf70a50db6bbc92d480ad54143d40b31a8c54e4e0
Threat name:
Win32.Spyware.Rhadamanthys
Create hunting rule
Status:
Malicious
First seen:
2025-08-22 11:14:36 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
20 of 24 (83.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z2i4adcgi65raq7buhw7ocsq3nv3zewuqcwvifb5iczrvdcu4tqa._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
018f9ba428f4e3360bb6ee7c42f5f475bda12ae71a430d603a4a5e8ea94fdcf9
Rhadamanthys
21410f2d5da769fab3f5c9d3d2f6aeec19d1f7b4d2a04e1370491aece6517a0a
Rhadamanthys
29ecf946a40c89dfae84770c96f483b151a636202ceaab43b1c8008f2adedbea
Rhadamanthys
6b5266685f3fe4ca9e4d7cf5b16b26fcae1c215eb9933eb471240d4daaecdaf5
Rhadamanthys
7908c78041ece2129127d26500321b09f094e41c66f535454884bb4d79573b9b
Rhadamanthys
8b6cc989867108154391335d55fc5267007706203ca4eadab8ef5fe0cad10fbf
Rhadamanthys
925a447b319c05bc4ebe88b3a4404a84351e01026ef4de8d65bed475c9859be9
Rhadamanthys
bad586a884eb7b1edcafc832a9ecf192e85b084d0e9b77423b9e5494ed7d44e2
Rhadamanthys
daa1e8c37f131efe55995260e3772db5bfe8d3d5c5c96d2adc7a55492aab0bae
Rhadamanthys
error
Rhadamanthys
+ 218 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys discovery stealer
Link:
https://tria.ge/reports/250822-m8vp4afr9w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Deletes itself
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4ed21031-b082-4365-aa50-9f65dd5a4a9e
Unpacked files
SH256 hash:
ce91c00c4647bb1043e1a1edf70a50db6bbc92d480ad54143d40b31a8c54e4e0
MD5 hash:
4122a873f73877f75ef67530bcad84f0
SHA1 hash:
549361aecb89334a83dc8cc4db3584d7d53303c0
Link:
https://www.unpac.me/results/87b44e39-6346-4743-86fe-b31ba9e59d1d/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ce91c00c4647/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/ce91c00c4647bb1043e1a1edf70a50db6bbc92d480ad54143d40b31a8c54e4e0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/22932/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryA
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileMappingW

Comments