MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9f4d8365c1f4caeff171e712ba32a7e132b12d9f1232a7ada4f1385d15e2007. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 14

Intelligence 14 IOCs YARA 1 File information Comments

SHA256 hash:	d9f4d8365c1f4caeff171e712ba32a7e132b12d9f1232a7ada4f1385d15e2007
SHA3-384 hash:	170b2b73426b5fe8a35cc8c3c9fad9fe4c2a76c324fcd35588041d735cba10a15e4df9fa8ce3a974183d972d0648e0ff
SHA1 hash:	9ff801dde14ef7dfbdf3d52718eb1fe3a583aa1b
MD5 hash:	ec959ce4eea0a762ae4b7e5dd6538aba
humanhash:	illinois-hawaii-kilo-papa
File name:	Setup_Pro.exe
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	1'638'400 bytes
First seen:	2025-11-02 13:58:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 70 x LummaStealer, 61 x Rhadamanthys)
ssdeep	49152:VjgZIRxCxvFI+jhe7Z/6fGrTQAjNV0uyD:+Zsx+NFjhetCaQAhVty
Threatray	292 similar samples on MalwareBazaar
TLSH	T1EE75236A57F8643AE359837442F5900B6A30F8607FE453EF2AC582B96D717C1AD32B07
TrID	41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5) 26.1% (.EXE) Win64 Executable (generic) (10522/11/4) 12.5% (.EXE) Win16 NE executable (generic) (5038/12/1) 5.1% (.ICL) Windows Icons Library (generic) (2059/9) 5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	aachum
Tags:	23-26-237-117 23-26-237-237 AutoIT CypherIT exe Rhadamanthys

iamaachum

https://finalpremium.cfd/vortex-1/ => https://mega.nz/file/6x5XjDra#vW2mft3M1snDSBMwFTySXsDpgTPpeTnUwJ02yAarnVg

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Setup_Pro.exe

Verdict:

Malicious activity

Analysis date:

2025-11-02 13:45:48 UTC

Tags:

autoit

Link:

https://app.any.run/tasks/bf2c84c9-e305-49ce-8f0d-490eaea0b862

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/34998/

Detection(s):

SecuriteInfo.com.Trojan.KillProc2.18834.UNOFFICIAL

Verdict:

Malicious

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=6907608c706befaf4ecb22d4

Tags:

autoit emotet

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file in the %temp% subdirectories

Launching a process

Creating a process with a hidden window

Running batch commands

Moving a file to the %temp% subdirectory

Using the Windows Management Instrumentation requests

Searching for synchronization primitives

Creating a window

Creating a process from a recently created file

DNS request

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Gathering data

Verdict:

Malicious

Labled as:

Win/malicious_confidence_90%

Link:

https://www.hybrid-analysis.com/sample/d9f4d8365c1f4caeff171e712ba32a7e132b12d9f1232a7ada4f1385d15e2007

Verdict:

Malicious

File Type:

exe x64

First seen:

2025-11-01T10:57:00Z UTC

Last seen:

2025-11-03T20:00:00Z UTC

Hits:

~100

Detections:

HEUR:Trojan-Dropper.Win32.Agent.gen HEUR:Trojan.Script.AUO.gen

Link:

https://opentip.kaspersky.com/d9f4d8365c1f4caeff171e712ba32a7e132b12d9f1232a7ada4f1385d15e2007/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/8c913f75-3398-4b89-8aa0-0144a5be2aad

Result

Threat name:

RHADAMANTHYS

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1806494

Signature

Checks if the current machine is a virtual machine (disk enumeration)

Detected CypherIt Packer

Drops PE files with a suspicious file extension

Found direct / indirect Syscall (likely to bypass EDR)

Hijacks the control flow in another process

Injects a PE file into a foreign processes

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sigma detected: Search for Antivirus process

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

98%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/d9f4d8365c1f4caeff171e712ba32a7e132b12d9f1232a7ada4f1385d15e2007

Verdict:

inconclusive

YARA:

6 match(es)

Tags:

AutoIt CAB:COMPRESSION:LZX Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64

Link:

https://app.malva.re/file/ec959ce4eea0a762ae4b7e5dd6538aba

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d9f4d8365c1f4caeff171e712ba32a7e132b12d9f1232a7ada4f1385d15e2007/

Verdict:

Malicious

Threat:

Trojan.Script.AUO

Link:

https://tip.neiki.dev/file/d9f4d8365c1f4caeff171e712ba32a7e132b12d9f1232a7ada4f1385d15e2007

Threat name:

Win64.Malware.Heuristic

Status:

Malicious

First seen:

2025-11-02 01:26:03 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

15 of 36 (41.67%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3h2nqns4d5gk57yxdzysxizkpyjswewz6ersu6w2j4jyluk6eadq._file

Verdict:

malicious

Label(s):

smokeloader

rhadamanthys

Rhadamanthys

285403b51c4897c5aa8ff01c2d5d13d018381454b69b07c6a5bd92312091e1d5

Rhadamanthys

4ede371503e24bc910542dd8164deb8e8395ee5f0e0d0cc0408f51a17f40ace1

Rhadamanthys

52dd5ff3704a1d0be979be5a99be19054f5717fe3bc7ff9e7609d211417fb917

Rhadamanthys

56d76ae1d2fe513e9de273d623b46aea8c944413a1e78015d72cdf910c1b091a

Rhadamanthys

5df8dc57b9b97522aadc906667f82a1185e6bbee062ae9fbaba297b1ccc57b58

Rhadamanthys

6c58064777ef165869c15b19dba9097e4fa66890344cf6346d4f10239d0c0415

Rhadamanthys

738210b7ab282c0a2357a333a6ce02d61fcc1f9c1ddb69d380c9fa9bee686cee

Rhadamanthys

946d29dd4c5436460dd2b4a1c0966d701248df529c8a51a64f1b63ab05baeba9

Rhadamanthys

9915d0cb9587f1b4dc6a30e923a4a40c225ffa9b88a360c0bb3acfec216fd206

Rhadamanthys

error

Rhadamanthys

+ 282 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

defense_evasion discovery persistence

Link:

https://tria.ge/reports/251102-ramdaabv4h/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Enumerates processes with tasklist

Suspicious use of SetThreadContext

Adds Run key to start application

Executes dropped EXE

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/5a7ce58d-4e3b-4f17-ae29-a34742173b9c

Unpacked files

SH256 hash:

d9f4d8365c1f4caeff171e712ba32a7e132b12d9f1232a7ada4f1385d15e2007

MD5 hash:

ec959ce4eea0a762ae4b7e5dd6538aba

SHA1 hash:

9ff801dde14ef7dfbdf3d52718eb1fe3a583aa1b

Link:

https://www.unpac.me/results/3d5c0787-afaf-45db-878e-9e37c0ec4388/

Malware family:

Rhadamanthys

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/d9f4d8365c1f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.