MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cfb52996e8b29bd99004ed8f6989f4c95b0a6d4c113cb42850c64d5f7b30d1ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 16


Intelligence 16 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cfb52996e8b29bd99004ed8f6989f4c95b0a6d4c113cb42850c64d5f7b30d1ef
SHA3-384 hash: 2a2a4d008642cca88e8ac969810da2a59e4664c950445b4447ba27ba96c9ac945cc28f5cd8c75c19ffd81050af497618
SHA1 hash: fee28aa24ae8494a423fe1fbae143c191a482154
MD5 hash: 3418148af40083d5d6949cd663a28b86
humanhash: texas-comet-september-washington
File name:v1.7.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:6'921'096 bytes
First seen:2025-09-12 18:37:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5ae8da8d195503ea36a6c31c6043ecb8 (23 x Rhadamanthys)
ssdeep 196608:6Ko10vYDjvjPnqf5oHzwjpRIXgvEBgujD/Ef:6f0QDvCfqHUCXt/jo
Threatray 320 similar samples on MalwareBazaar
TLSH T11F6622DD189580A4D6CD073C761AFAAA22B20EF75762881C7D8874C5DD37BAF602D4CE
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter burger
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
120
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
v1.7.exe
Verdict:
Malicious activity
Analysis date:
2025-09-12 18:36:28 UTC
Tags:
rhadamanthys stealer anti-evasion loader
Link:
https://app.any.run/tasks/124e3a9d-9d37-429b-9ba9-89e1ab52faa2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/27244/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68c4684cd49ea3f1e4b4c46c
Tags:
obfusc crypt overt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Сreating synchronization primitives
Launching a process
Using the Windows Management Instrumentation requests
Detecting VM
Sending a custom TCP request
DNS request
Connection attempt
Connecting to a non-recommended domain
Sending a UDP request
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context invalid-signature overlay packed signed
Link:
https://www.filescan.io/uploads/68c46866b29d966a312b91b5/reports/b5c26d08-c797-43ed-9583-b2884ac6158c/overview
Verdict:
Malicious
Labled as:
Midie.Generic
Link:
https://www.hybrid-analysis.com/sample/cfb52996e8b29bd99004ed8f6989f4c95b0a6d4c113cb42850c64d5f7b30d1ef
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-12T15:46:00Z UTC
Last seen:
2025-09-12T15:46:00Z UTC
Hits:
~100
Detections:
Trojan-PSW.Win32.Rhadamanthys.sb Trojan-Dropper.Win32.Injector.sb Trojan.Win64.SBEscape.sb Trojan.Win32.Strab.sb Trojan.Win32.Inject.sb Trojan.Win32.Crypt.sb Trojan.Win32.Agent.sb
Link:
https://opentip.kaspersky.com/cfb52996e8b29bd99004ed8f6989f4c95b0a6d4c113cb42850c64d5f7b30d1ef/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/7a7249e4-7765-4758-a3f5-0ea629f20ee7
Result
Threat name:
RHADAMANTHYS, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1776700
Signature
Adds a directory exclusion to Windows Defender
AI detected suspicious PE digital signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Checks if the current machine is a virtual machine (disk enumeration)
Deletes itself after installation
Disable Windows Defender notifications (registry)
Early bird code injection technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Found PHP interpreter
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Stop EventLog
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses powercfg.exe to modify the power settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RHADAMANTHYS Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1776700 Sample: v1.7.exe Startdate: 12/09/2025 Architecture: WINDOWS Score: 100 92 x.ns.gin.ntt.net 2->92 94 time.google.com 2->94 96 7 other IPs or domains 2->96 118 Antivirus detection for dropped file 2->118 120 Multi AV Scanner detection for dropped file 2->120 122 Multi AV Scanner detection for submitted file 2->122 124 7 other signatures 2->124 12 v1.7.exe 2->12         started        15 svchost.exe 2->15         started        17 cmd.exe 2->17         started        19 8 other processes 2->19 signatures3 process4 signatures5 148 Found PHP interpreter 12->148 150 Found many strings related to Crypto-Wallets (likely being stolen) 12->150 152 Switches to a custom stack to bypass stack traces 12->152 21 OpenWith.exe 12->21         started        154 Changes security center settings (notifications, updates, antivirus, firewall) 15->154 25 conhost.exe 17->25         started        27 schtasks.exe 17->27         started        process6 dnsIp7 98 178.16.53.243, 49724, 6343 DUSNET-ASDE Germany 21->98 100 cloudflare-dns.com 104.16.249.249, 443, 49722 CLOUDFLARENETUS United States 21->100 102 openai-diversifies-with-ai.com 21->102 140 Query firmware table information (likely to detect VMs) 21->140 142 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 21->142 144 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 21->144 146 4 other signatures 21->146 29 dllhost.exe 5 21->29         started        signatures8 process9 dnsIp10 112 openai-diversifies-with-ai.com 29->112 114 time-a-g.nist.gov 129.6.15.28 US-NATIONAL-INSTITUTE-OF-STANDARDS-AND-TECHNOLOGYUS United States 29->114 116 10 other IPs or domains 29->116 88 C:\Users\user\AppData\Local\...\qu7]TG.exe, PE32+ 29->88 dropped 90 C:\Users\user\AppData\Local\...\JsU$y_f7.exe, PE32 29->90 dropped 162 System process connects to network (likely due to code injection or exploit) 29->162 164 Early bird code injection technique detected 29->164 166 Found many strings related to Crypto-Wallets (likely being stolen) 29->166 168 3 other signatures 29->168 34 qu7]TG.exe 9 2 29->34         started        38 JsU$y_f7.exe 29->38         started        40 wmlaunch.exe 29->40         started        42 2 other processes 29->42 file11 signatures12 process13 file14 84 C:\ProgramData\Microsoft\...\WmiPrvSE.exe, PE32+ 34->84 dropped 126 Antivirus detection for dropped file 34->126 128 Multi AV Scanner detection for dropped file 34->128 130 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 34->130 138 5 other signatures 34->138 44 cmd.exe 1 34->44         started        47 powershell.exe 34->47         started        49 cmd.exe 34->49         started        62 15 other processes 34->62 86 C:\Users\user\AppData\...\UserOOBEBroker.exe, PE32 38->86 dropped 132 Queries memory information (via WMI often done to detect virtual machines) 38->132 51 cmd.exe 38->51         started        53 cmd.exe 38->53         started        134 Writes to foreign memory regions 40->134 136 Allocates memory in foreign processes 40->136 55 dllhost.exe 40->55         started        58 chrome.exe 42->58         started        60 chrome.exe 42->60         started        signatures15 process16 dnsIp17 156 Uses schtasks.exe or at.exe to add and modify task schedules 44->156 158 Uses powercfg.exe to modify the power settings 44->158 64 net.exe 1 44->64         started        66 conhost.exe 44->66         started        160 Loading BitLocker PowerShell Module 47->160 68 conhost.exe 47->68         started        70 WmiPrvSE.exe 47->70         started        76 2 other processes 49->76 72 conhost.exe 51->72         started        74 schtasks.exe 51->74         started        78 2 other processes 53->78 104 178.16.54.246 DUSNET-ASDE Germany 55->104 106 googlehosted.l.googleusercontent.com 142.250.217.129, 443, 49736 GOOGLEUS United States 58->106 108 127.0.0.1 unknown unknown 58->108 110 clients2.googleusercontent.com 58->110 80 17 other processes 62->80 signatures18 process19 process20 82 net1.exe 1 64->82         started       
Score:
74%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/cfb52996e8b29bd99004ed8f6989f4c95b0a6d4c113cb42850c64d5f7b30d1ef
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cfb52996e8b29bd99004ed8f6989f4c95b0a6d4c113cb42850c64d5f7b30d1ef/
Verdict:
Malicious
Threat:
Family.RHADAMANTHYS
Link:
https://tip.neiki.dev/file/cfb52996e8b29bd99004ed8f6989f4c95b0a6d4c113cb42850c64d5f7b30d1ef
Threat name:
Win32.Spyware.Rhadamanthys
Create hunting rule
Status:
Malicious
First seen:
2025-09-12 18:37:02 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
20 of 24 (83.33%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=z62stfxiwkn5teae5whwtcpuzfnqu3kmce6likcqyzgv66zq2hxq._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
018f9ba428f4e3360bb6ee7c42f5f475bda12ae71a430d603a4a5e8ea94fdcf9
Rhadamanthys
23c1cc72414686be0d639cb7539a696c7816628286d7190dd4d1246ebb9bee6c
Rhadamanthys
29ecf946a40c89dfae84770c96f483b151a636202ceaab43b1c8008f2adedbea
Rhadamanthys
7318d8ba13163a478dbc19f16c0a742f84721121bd8016be27a228a5b1aac86b
Rhadamanthys
8b6cc989867108154391335d55fc5267007706203ca4eadab8ef5fe0cad10fbf
Rhadamanthys
925a447b319c05bc4ebe88b3a4404a84351e01026ef4de8d65bed475c9859be9
Rhadamanthys
99f9692c01489daaec146807f05e426b9dd73be2d880fb0a1648c0e990aaeb15
Rhadamanthys
c2eeeef83d6a7c470cccd364369d227ba7665b1c128f5e5128f47d508be9c4db
Rhadamanthys
c3d9dd9bab61c9f89d63481bb2bb18083dfe6f6a661310ed428b9efa893b65e7
Rhadamanthys
ce91c00c4647bb1043e1a1edf70a50db6bbc92d480ad54143d40b31a8c54e4e0
Rhadamanthys
error
Rhadamanthys
+ 310 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys discovery stealer
Link:
https://tria.ge/reports/250912-w9q8qsxpx7/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Deletes itself
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/8fbdbfc6-123d-4fb6-af7e-a05cdbdda906
Unpacked files
SH256 hash:
cfb52996e8b29bd99004ed8f6989f4c95b0a6d4c113cb42850c64d5f7b30d1ef
MD5 hash:
3418148af40083d5d6949cd663a28b86
SHA1 hash:
fee28aa24ae8494a423fe1fbae143c191a482154
Link:
https://www.unpac.me/results/c94ee119-e58b-4833-8234-ddbcbf20b66f/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/cfb52996e8b2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/cfb52996e8b29bd99004ed8f6989f4c95b0a6d4c113cb42850c64d5f7b30d1ef

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/27244/

Comments