MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d39520d54541c0a880a213d06a6892c14a1b62c0ad482ad5427ee409b29ec218. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d39520d54541c0a880a213d06a6892c14a1b62c0ad482ad5427ee409b29ec218
SHA3-384 hash: af9852b73ca6ba8d13f369199bf58a5d08ee46184a51dab09fabe09ed6b610749278e2d0c0a3aea1dc05b21b6e3f616d
SHA1 hash: 71cfc6d359b1a69a7eb5678344c93b9a76236658
MD5 hash: 705ddef986065a8f8a2036439d1a60f6
humanhash: three-pizza-utah-coffee
File name:RobloxHacks.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:1'583'014 bytes
First seen:2025-08-14 20:28:18 UTC
Last seen:2025-08-15 18:10:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 32f3282581436269b3a75b6675fe3e08 (197 x LummaStealer, 122 x Rhadamanthys, 8 x CoinMiner)
ssdeep 24576:YaaJL7mmdpwppasl7ImOPLqB6lEcZBXHkNWT94s/+WX5Gx8wrOKd7/1Al3SmkfL8:CLb5sdMPW0lKYms/NXUXLilC9LNax
Threatray 1'583 similar samples on MalwareBazaar
TLSH T1547533431ACEC1E6E1F615B029F62983147DA9A51664FB0F97C4CDEE7332A09C96CB07
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 1ee6676765a5a59a (1 x Rhadamanthys)
Reporter burger
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
2
# of downloads :
65
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RobloxHacks.exe
Verdict:
Malicious activity
Analysis date:
2025-08-14 20:27:49 UTC
Tags:
autoit rhadamanthys shellcode
Link:
https://app.any.run/tasks/1e0dade1-ed61-417c-b38a-6a3ca2954243

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/21449/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689e46f748c64d68735c6e36
Tags:
autoit emotet cobalt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Searching for the window
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a process from a recently created file
DNS request
Sending a custom TCP request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
installer microsoft_visual_cc obfuscated overlay packed packed packer_detected
Link:
https://www.filescan.io/uploads/689e46fa397fd3ce6fa9c979/reports/b2c94354-d3b7-4426-bb90-3202c0406036/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/d39520d54541c0a880a213d06a6892c14a1b62c0ad482ad5427ee409b29ec218
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/f089eb67-8bac-487a-9bab-e6f62a8da14f
Result
Threat name:
RHADAMANTHYS, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1757418
Signature
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Antivirus detection for dropped file
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Detected CypherIt Packer
Detected Stratum mining protocol
Disable Windows Defender notifications (registry)
Drops PE files with a suspicious file extension
Early bird code injection technique detected
Found malware configuration
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Search for Antivirus process
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RHADAMANTHYS Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1757418 Sample: RobloxHacks.exe Startdate: 14/08/2025 Architecture: WINDOWS Score: 100 130 x.ns.gin.ntt.net 2->130 132 twc.trafficmanager.net 2->132 134 7 other IPs or domains 2->134 172 Found malware configuration 2->172 174 Antivirus detection for dropped file 2->174 176 Multi AV Scanner detection for submitted file 2->176 178 8 other signatures 2->178 15 RobloxHacks.exe 29 2->15         started        18 svchost.exe 2->18         started        21 cmd.exe 2->21         started        23 10 other processes 2->23 signatures3 process4 file5 128 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 15->128 dropped 25 cmd.exe 1 15->25         started        158 Changes security center settings (notifications, updates, antivirus, firewall) 18->158 28 MpCmdRun.exe 1 18->28         started        30 conhost.exe 21->30         started        32 schtasks.exe 21->32         started        34 WerFault.exe 2 23->34         started        signatures6 process7 signatures8 184 Detected CypherIt Packer 25->184 186 Drops PE files with a suspicious file extension 25->186 36 cmd.exe 4 25->36         started        39 conhost.exe 25->39         started        41 conhost.exe 28->41         started        43 conhost.exe 28->43         started        process9 file10 120 C:\Users\user\AppData\...\Bankruptcy.pif, PE32 36->120 dropped 122 C:\Users\user\AppData\Local\Temp\482119\B, data 36->122 dropped 45 Bankruptcy.pif 36->45         started        48 extrac32.exe 16 36->48         started        50 tasklist.exe 1 36->50         started        52 2 other processes 36->52 process11 signatures12 192 Switches to a custom stack to bypass stack traces 45->192 54 OpenWith.exe 45->54         started        58 WerFault.exe 2 45->58         started        process13 dnsIp14 136 cloudflare-dns.com 104.16.248.249, 443, 49722, 49736 CLOUDFLARENETUS United States 54->136 138 45.141.233.250, 1888, 49723 ASDETUKhttpwwwheficedcomGB Bulgaria 54->138 140 nexus-cloud-360.com 54->140 180 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 54->180 182 Switches to a custom stack to bypass stack traces 54->182 60 dllhost.exe 5 54->60         started        signatures15 process16 dnsIp17 152 nexus-cloud-360.com 60->152 154 time-a-g.nist.gov 129.6.15.28 US-NATIONAL-INSTITUTE-OF-STANDARDS-AND-TECHNOLOGYUS United States 60->154 156 8 other IPs or domains 60->156 124 C:\Users\user\AppData\Local\...\W`036`xY.exe, PE32 60->124 dropped 126 C:\Users\user\AppData\Local\...\@g}.exe, PE32+ 60->126 dropped 194 System process connects to network (likely due to code injection or exploit) 60->194 196 Early bird code injection technique detected 60->196 198 Tries to harvest and steal browser information (history, passwords, etc) 60->198 200 2 other signatures 60->200 65 @g}.exe 60->65         started        69 W`036`xY.exe 60->69         started        71 wmplayer.exe 60->71         started        73 2 other processes 60->73 file18 signatures19 process20 dnsIp21 116 C:\ProgramData\Microsoft\...\WmiPrvSE.exe, PE32+ 65->116 dropped 160 Antivirus detection for dropped file 65->160 162 Query firmware table information (likely to detect VMs) 65->162 164 Modifies windows update settings 65->164 170 3 other signatures 65->170 76 powershell.exe 65->76         started        79 cmd.exe 65->79         started        81 sc.exe 65->81         started        94 4 other processes 65->94 118 C:\Users\user\AppData\...\UserOOBEBroker.exe, PE32 69->118 dropped 83 cmd.exe 69->83         started        85 cmd.exe 69->85         started        166 Writes to foreign memory regions 71->166 168 Allocates memory in foreign processes 71->168 87 dllhost.exe 71->87         started        150 192.168.2.4, 1888, 44133, 443 unknown unknown 73->150 90 chrome.exe 73->90         started        92 chrome.exe 73->92         started        file22 signatures23 process24 dnsIp25 188 Loading BitLocker PowerShell Module 76->188 110 2 other processes 76->110 96 net.exe 79->96         started        98 conhost.exe 79->98         started        100 conhost.exe 81->100         started        190 Uses schtasks.exe or at.exe to add and modify task schedules 83->190 102 conhost.exe 83->102         started        104 schtasks.exe 83->104         started        106 conhost.exe 85->106         started        108 timeout.exe 85->108         started        142 45.141.233.252, 44133, 49741 ASDETUKhttpwwwheficedcomGB Bulgaria 87->142 144 googlehosted.l.googleusercontent.com 142.251.40.129, 443, 49733, 49734 GOOGLEUS United States 90->144 146 127.0.0.1 unknown unknown 90->146 148 clients2.googleusercontent.com 90->148 112 3 other processes 94->112 signatures26 process27 process28 114 net1.exe 96->114         started       
Score:
98%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/d39520d54541c0a880a213d06a6892c14a1b62c0ad482ad5427ee409b29ec218
Verdict:
inconclusive
YARA:
6 match(es)
Tags:
AutoIt Executable PE (Portable Executable)
Link:
https://app.malva.re/file/705ddef986065a8f8a2036439d1a60f6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d39520d54541c0a880a213d06a6892c14a1b62c0ad482ad5427ee409b29ec218/
Verdict:
Malicious
Threat:
Family.RHADAMANTHYS
Link:
https://tip.neiki.dev/file/d39520d54541c0a880a213d06a6892c14a1b62c0ad482ad5427ee409b29ec218
Threat name:
Win32.Spyware.Lummac
Create hunting rule
Status:
Suspicious
First seen:
2025-08-14 10:23:51 UTC
File Type:
PE (Exe)
Extracted files:
18
AV detection:
16 of 24 (66.67%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2oksbvkfihakrafccpigu2esyffbwywavvecvvkcp3satmu6yima._file
Verdict:
malicious
Label(s):
unc_loader_058
Create hunting rule
Similar samples:
21410f2d5da769fab3f5c9d3d2f6aeec19d1f7b4d2a04e1370491aece6517a0a
Rhadamanthys
2e13d573b457b30b459d7597c46dd2e69e0288fdb08b0e392e6ad3bbe38f9112
Rhadamanthys
6a232c8c2bbdc5d00a6d2aad9e9d748b9f2b02fe0bb158da3ba41f0563ecf54f
Rhadamanthys
d50564939caa156776eb0dc91e5f07c3a4ea2ad84d846d9081221a51d782da72
Rhadamanthys
d8c6419597f856644f24171b59f84a45beeb042d465343d5ca57b4832c17157f
Rhadamanthys
error
Rhadamanthys
+ 1'573 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys discovery stealer
Link:
https://tria.ge/reports/250814-y891kazl17/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Executes dropped EXE
Loads dropped DLL
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/831e8d8f-b9e2-4bfb-9155-3cde356601d4
Unpacked files
SH256 hash:
d39520d54541c0a880a213d06a6892c14a1b62c0ad482ad5427ee409b29ec218
MD5 hash:
705ddef986065a8f8a2036439d1a60f6
SHA1 hash:
71cfc6d359b1a69a7eb5678344c93b9a76236658
Link:
https://www.unpac.me/results/eeba9f09-7c5c-4930-b19b-3906dcb0963a/
SH256 hash:
bb4fb924885b8d6719cb88e7f231abcbb7c2a1c69be92a12ce7bb56bed9129e3
MD5 hash:
094ae615109634f48bede4a612e36fc8
SHA1 hash:
a8b8cbf4d8a7f368b3ae53090bab40a2793657eb
Link:
https://www.unpac.me/results/eeba9f09-7c5c-4930-b19b-3906dcb0963a/
SH256 hash:
8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af
MD5 hash:
08e9796ca20c5fc5076e3ac05fb5709a
SHA1 hash:
07971d52dcbaa1054060073571ced046347177f7
Link:
https://www.unpac.me/results/eeba9f09-7c5c-4930-b19b-3906dcb0963a/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/d39520d54541/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d39520d54541c0a880a213d06a6892c14a1b62c0ad482ad5427ee409b29ec218

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/21449/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::OpenProcess
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::GetWindowsDirectoryW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments