MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9f6e61cf394dd0cb81ec6dd60e16050cd202a3fbe5f7be39435b1b942e511f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Rhadamanthys


Vendor detections: 14



SHA256 hash: d9f6e61cf394dd0cb81ec6dd60e16050cd202a3fbe5f7be39435b1b942e511f2
SHA3-384 hash: 4bc7332f6f30d003b183ab344aaea214057cf502e5b4199e2042fd4bc2d514586781227a7be8e54560f91c382b329558
SHA1 hash: f4967a8287e4afec24f0684e529031f62dcfc9f2
MD5 hash: ad452771a6e039f2d06bd873f4705705
humanhash: india-aspen-maine-victor
File name: ad452771a6e039f2d06bd873f4705705.exe
Signature Rhadamanthys
File size: 1'682'432 bytes
First seen: 2025-03-12 17:00:20 UTC
Last seen: 2025-03-12 18:04:03 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 24576:MY9LAxYP2nKul3TC+MrwPkvF/jwznlLq:0JKMTLYDvFS
TLSH T1C575383439EA501AB173EFA98BE474DADA6FB7733B07645D10A1038A4723A41DEC153E
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10522/11/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter abuse_ch
Tags: exe Rhadamanthys


abuse_ch
Rhadamanthys C2:
http://45.93.20.224/pNdj30Vs11/index.php

Intelligence


File Origin
# of uploads: 2
# of downloads: 466
Origin country: NL
Vendor Threat Intelligence
Malware family:
ID:
1
File name:
ad452771a6e039f2d06bd873f4705705.exe
Verdict:
Malicious activity
Analysis date:
2025-03-12 17:01:09 UTC
Tags:
amadey botnet stealer ousaban arch-exec shellrunner loader

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
autorun emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating synchronization primitives
Creating a process from a recently created file
Creating a file
Creating a window
Searching for synchronization primitives
Searching for the window
Creating a process with a hidden window
Connecting to a non-recommended domain
Connection attempt
Sending an HTTP POST request
Enabling autorun by creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Amadey, RHADAMANTHYS
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Early bird code injection technique detected
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Amadey
Yara detected Amadeys Clipper DLL
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph: ID 1636380, sample 9ua5N7dcBZ.exe, start date 12/03/2025, architecture WINDOWS, score 100 (graph rendering not reproduced)
Threat name:
Win32.Trojan.Donut
Status:
Malicious
First seen:
2025-03-09 23:13:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
18 of 24 (75.00%)
Threat level:
5/5
Verdict:
malicious
Label(s):
rhadamanthys donut_injector amadey
Similar samples:
Result
Malware family:
Score:
10/10
Tags:
family:amadey discovery persistence trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Downloads MZ/PE file
Amadey
Amadey family
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
amadey
YARA:
n/a
Unpacked files
SHA256 hash:
d9f6e61cf394dd0cb81ec6dd60e16050cd202a3fbe5f7be39435b1b942e511f2
MD5 hash:
ad452771a6e039f2d06bd873f4705705
SHA1 hash:
f4967a8287e4afec24f0684e529031f62dcfc9f2
SHA256 hash:
08efeab4edd8948be3ffe4eeed489b00e871164a7a1ff43a887c9eb7cd7f52c7
MD5 hash:
5074258014dd60dce155acd36b80e1e3
SHA1 hash:
68912ff253458ebddd179b4a6b6d2d5e19f70819
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NETexecutableMicrosoft
Author:malware-lu
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID | Title | Severity
CHECK_AUTHENTICODE | Missing Authenticode | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Comments