MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d378eafd2f24af93bfd44936867aa85d2b78434b7fd04960f7ed696f337b4389. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 16

Intelligence 16 IOCs YARA 16 File information Comments

SHA256 hash:	d378eafd2f24af93bfd44936867aa85d2b78434b7fd04960f7ed696f337b4389
SHA3-384 hash:	b1d9d081a4c4ef05b94367d9ee77996b6d067c8f515edcde57b74ac9d175fb3f808765a15e3b540ece3bd7ea229a1ae1
SHA1 hash:	2ddc94be0034cadf884cd82cb9555966fa47f90b
MD5 hash:	ff16d278706c6e0ef3ba1c1a3a61fbd8
humanhash:	minnesota-butter-texas-north
File name:	DropCheats.exe
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	2'954'712 bytes
First seen:	2025-10-26 18:07:08 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d42595b695fc008ef2c56aabd8efd68e (92 x Rhadamanthys, 70 x Vidar, 41 x LummaStealer)
ssdeep	49152:ypkax8zTEWr/JwbjqfTiHaQd16fIHvLlFluqKwFluqKzg:yuEk/Jwbjq2H3d16fI0dFdE
Threatray	415 similar samples on MalwareBazaar
TLSH	T174D57DD7ACF008A5D8599F35C9A25292F735BC052B3223D72A60B7B82F727C16D36B14
TrID	44.4% (.EXE) Win64 Executable (generic) (10522/11/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	burger
Tags:	exe Rhadamanthys

Intelligence

File Origin

# of uploads :

# of downloads :

106

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

DropCheats.exe

Verdict:

Malicious activity

Analysis date:

2025-10-26 18:07:02 UTC

Tags:

golang stealer websocket rhadamanthys

Link:

https://app.any.run/tasks/9bcae138-8c82-416c-a7a0-364e5797091f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/34187/

Verdict:

Malicious

Score:

99.1%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68fe63463bdc93eb05649dbd

Tags:

obfusc virus crypt

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Launching a process

Using the Windows Management Instrumentation requests

DNS request

Connection attempt

Sending a custom TCP request

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

anti-vm golang infostealer invalid-signature lumma overlay packed redcap signed

Link:

https://www.filescan.io/uploads/68fe636211ff3db29f68acc8/reports/40d5f228-4a58-44aa-a35b-bf35515aee21/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/d378eafd2f24af93bfd44936867aa85d2b78434b7fd04960f7ed696f337b4389

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-10-25T06:02:00Z UTC

Last seen:

2025-10-27T19:00:00Z UTC

Hits:

~100

Detections:

Trojan.Win64.SBEscape.sb HEUR:Trojan.Win64.Generic VHO:Trojan.Win64.Kryptik.gen

Link:

https://opentip.kaspersky.com/d378eafd2f24af93bfd44936867aa85d2b78434b7fd04960f7ed696f337b4389/results?tab=lookup

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/82b220da-7ec3-44a8-803d-8214e7d8bb95

Result

Threat name:

RHADAMANTHYS

Detection:

malicious

Classification:

troj.spyw.evad.mine

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1802079

Signature

Allocates memory in foreign processes

Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)

Early bird code injection technique detected

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Potentially malicious time measurement code found

Queues an APC in another process (thread injection)

Tries to detect sandboxes / dynamic malware analysis system (Installed program check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Bitcoin Wallet information

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

46%

Verdict:

Susipicious

File Type:

Link:

https://malprob.io/report/d378eafd2f24af93bfd44936867aa85d2b78434b7fd04960f7ed696f337b4389

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/ff16d278706c6e0ef3ba1c1a3a61fbd8

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d378eafd2f24af93bfd44936867aa85d2b78434b7fd04960f7ed696f337b4389/

Verdict:

Malicious

Threat:

Family.RHADAMANTHYS

Link:

https://tip.neiki.dev/file/d378eafd2f24af93bfd44936867aa85d2b78434b7fd04960f7ed696f337b4389

Threat name:

Win64.Adware.RedCap

Status:

Malicious

First seen:

2025-10-25 22:21:05 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

21 of 38 (55.26%)

Threat level:

1/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2n4ov7jpesxzhp6uje3im6viluvxqq2lp7iesyhx5vuw6m33ioeq._file

Verdict:

malicious

Label(s):

smokeloader

rhadamanthys

Rhadamanthys

82628076e3c04a65f04a70b0fb727c43e6ab2e428ce7922b008451dbf7e57b31

Rhadamanthys

8bf0ab02e9370d26ed8b4fb7cf39a8d7708b69a31b406836598f2515d25f2be2

Rhadamanthys

8e5cf26558db5868c159ab2542892508e961e9a029215744139d680c69a69310

Rhadamanthys

a175866ee7d1de8b338c5879dca1794f6ec32a18b1a0f3ff47a6fa87e33f761f

Rhadamanthys

b4fd170f2d56421678f4743cba758fb69779b4bfd0f77202dbfc760d8ed1c8e5

Rhadamanthys

c418cf7d01ec6ff4a6cd9c6881e01a806d911e60e68f228b925acf3afc74d505

Rhadamanthys

d378eafd2f24af93bfd44936867aa85d2b78434b7fd04960f7ed696f337b4389

Rhadamanthys

d44b1975dc89972c3be507225df6ba9acbed927dac1523d831df0271db3a810a

Rhadamanthys

d813b9c2a13e3e2d7423a2496a8d7397df8135cf0376d1fad06cb3af794a651e

Rhadamanthys

error

Rhadamanthys

+ 405 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

n/a

Link:

https://tria.ge/reports/251026-wqh31stjfq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of NtCreateUserProcessOtherParentProcess

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/c4ad2987-3bf2-4e5e-9096-14103ee2fa70

Unpacked files

SH256 hash:

d378eafd2f24af93bfd44936867aa85d2b78434b7fd04960f7ed696f337b4389

MD5 hash:

ff16d278706c6e0ef3ba1c1a3a61fbd8

SHA1 hash:

2ddc94be0034cadf884cd82cb9555966fa47f90b

Link:

https://www.unpac.me/results/e42b4bea-f2df-47bb-a06f-82b55edc214b/

Malware family:

Rhadamanthys

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d378eafd2f24/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

DriveBy Activity

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/d378eafd2f24af93bfd44936867aa85d2b78434b7fd04960f7ed696f337b4389

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	command_and_control Create hunting rule
Author:	CD_R0M_
Description:	This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group

Rule name:	CP_Script_Inject_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name:	DebuggerException__SetConsoleCtrl Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DetectGoMethodSignatures Create hunting rule
Author:	Wyatt Tauber
Description:	Detects Go method signatures in unpacked Go binaries

Rule name:	Detect_Go_GOMAXPROCS Create hunting rule
Author:	Obscurity Labs LLC
Description:	Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	Golangmalware Create hunting rule
Author:	Dhanunjaya
Description:	Malware in Golang

Rule name:	golang_binary_string Create hunting rule
Description:	Golang strings present

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	golang_duffcopy_amd64 Create hunting rule

Rule name:	HiveRansomware Create hunting rule
Author:	Dhanunjaya
Description:	Yara Rule To Detect Hive V4 Ransomware

Rule name:	PE_Digital_Certificate Create hunting rule
Author:	albertzsigovits

Rule name:	ProgramLanguage_Golang Create hunting rule
Author:	albertzsigovits
Description:	Application written in Golang programming language

Rule name:	SEH__vectored Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	ThreadControl__Context Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/34187/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample