MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da796e334852923b6153f097a2104ece9b4e9bd096dccfc314a7a8d7a7e4e200. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 12


Intelligence 12 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: da796e334852923b6153f097a2104ece9b4e9bd096dccfc314a7a8d7a7e4e200
SHA3-384 hash: 2b4d6367bf83e3d8cba7777efc58b2f910cbbc1de4ca1ef24be4bfe80717ff89e12fb8953438ed36e73ef2e821378663
SHA1 hash: 99dc484fac5a96b1c876cc3363536af5c7e70141
MD5 hash: 6421ed9ef1740a9d264f23267dbf5122
humanhash: fourteen-island-table-july
File name:Loader.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:5'557'024 bytes
First seen:2025-06-11 17:10:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ad8a4543abdc3e318903868096e4e243 (1 x Rhadamanthys)
ssdeep 98304:NPMguag2judUt8TtNzDfL/jJk+nhHHsPN+:NPpua3t8ZNnDFk+nc8
Threatray 141 similar samples on MalwareBazaar
TLSH T12F46E074F2D3BC37F163933FD899846196697F429E8F53A01EFC1A5C2ABA5868404363
TrID 52.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
16.8% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
7.5% (.EXE) OS/2 Executable (generic) (2029/13)
7.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon e89898d899a9a198 (1 x Rhadamanthys)
Reporter burger
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
556
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Loader.exe
Verdict:
Malicious activity
Analysis date:
2025-06-11 17:05:46 UTC
Tags:
delphi
Link:
https://app.any.run/tasks/728dbd81-57c1-465b-8479-51bb9aa6bbad

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/9022/
Detection(s):
SecuriteInfo.com.Win32.MalwareX-gen.28897.23246.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6849b7698bd5d68a12e7c0c4
Tags:
injection delphi obfusc crypt
Result
Verdict:
Clean
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context borland_delphi expired-cert fingerprint invalid-signature keylogger packed signed
Link:
https://www.filescan.io/uploads/6849b89bfd02ed5e05a49881/reports/c5496759-e1fe-43e8-8325-c70824773c24/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/da796e334852923b6153f097a2104ece9b4e9bd096dccfc314a7a8d7a7e4e200
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/011ec28c-51c4-4dca-ae7a-59e80d336b9e
Result
Threat name:
CryptOne, RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1712540
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Detected unpacking (changes PE section rights)
Disable Windows Defender notifications (registry)
Early bird code injection technique detected
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes / dynamic malware analysis system (Installed program check)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1712540 Sample: Loader.exe Startdate: 11/06/2025 Architecture: WINDOWS Score: 100 111 gbg1.ntp.se 2->111 113 ts1.aco.net 2->113 115 7 other IPs or domains 2->115 139 Malicious sample detected (through community Yara rule) 2->139 141 Multi AV Scanner detection for submitted file 2->141 143 Yara detected RHADAMANTHYS Stealer 2->143 145 8 other signatures 2->145 13 Loader.exe 2 2->13         started        17 msedge.exe 2->17         started        20 elevation_service.exe 2->20         started        22 3 other processes 2->22 signatures3 process4 dnsIp5 101 C:\Users\user\AppData\...\svchost015.exe, PE32 13->101 dropped 103 C:\Users\user\AppData\Local\...\svc7B23.tmp, PE32 13->103 dropped 165 Writes to foreign memory regions 13->165 167 Found hidden mapped module (file has been removed from disk) 13->167 169 Maps a DLL or memory area into another process 13->169 24 svchost015.exe 13->24         started        109 239.255.255.250 unknown Reserved 17->109 27 msedge.exe 17->27         started        30 msedge.exe 17->30         started        32 msedge.exe 17->32         started        34 msedge.exe 17->34         started        file6 signatures7 process8 dnsIp9 153 Switches to a custom stack to bypass stack traces 24->153 36 OpenWith.exe 24->36         started        133 pastebin.com 27->133 135 s-part-0012.t-0009.t-msedge.net 13.107.246.40, 443, 49713, 49714 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 27->135 137 10 other IPs or domains 27->137 signatures10 155 Connects to a pastebin service (likely for C&C) 133->155 process11 dnsIp12 125 180.178.189.34, 49692, 49723, 49724 GALAXY-AS-APGalaxyBroadbandPK Pakistan 36->125 147 Switches to a custom stack to bypass stack traces 36->147 40 OpenWith.exe 8 36->40         started        signatures13 process14 dnsIp15 127 time-a-g.nist.gov 129.6.15.28, 123, 61010 US-NATIONAL-INSTITUTE-OF-STANDARDS-AND-TECHNOLOGYUS United States 40->127 129 ntp1.net.berkeley.edu 169.229.128.134, 123, 61010 UCBUS United States 40->129 131 6 other IPs or domains 40->131 97 C:\Users\user\AppData\Local\...\nXdR.exe, PE32+ 40->97 dropped 99 C:\Users\user\AppData\Local\...\)sBDn.exe, PE32 40->99 dropped 157 Early bird code injection technique detected 40->157 159 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 40->159 161 Tries to steal Mail credentials (via file / registry access) 40->161 163 7 other signatures 40->163 45 nXdR.exe 40->45         started        49 )sBDn.exe 40->49         started        51 wmplayer.exe 40->51         started        53 3 other processes 40->53 file16 signatures17 process18 file19 105 C:\ProgramData\Microsoft\...\WmiPrvSE.exe, PE32+ 45->105 dropped 171 Query firmware table information (likely to detect VMs) 45->171 173 Modifies windows update settings 45->173 175 Adds a directory exclusion to Windows Defender 45->175 177 Disable Windows Defender notifications (registry) 45->177 55 powershell.exe 45->55         started        58 cmd.exe 45->58         started        60 sc.exe 45->60         started        71 10 other processes 45->71 107 C:\ProgramData\...\UserOOBEBroker.exe, PE32 49->107 dropped 179 Detected unpacking (changes PE section rights) 49->179 181 Creates an undocumented autostart registry key 49->181 183 Tries to detect sandboxes / dynamic malware analysis system (registry check) 49->183 62 cmd.exe 49->62         started        64 cmd.exe 49->64         started        185 Writes to foreign memory regions 51->185 187 Allocates memory in foreign processes 51->187 66 dllhost.exe 51->66         started        69 chrome.exe 53->69         started        73 2 other processes 53->73 signatures20 process21 dnsIp22 149 Loading BitLocker PowerShell Module 55->149 75 conhost.exe 55->75         started        77 net.exe 58->77         started        79 conhost.exe 58->79         started        81 conhost.exe 60->81         started        151 Uses schtasks.exe or at.exe to add and modify task schedules 62->151 87 2 other processes 62->87 89 2 other processes 64->89 117 213.209.150.143, 4233, 49725 KEMINETAL Germany 66->117 119 googlehosted.l.googleusercontent.com 142.251.40.225, 443, 49701 GOOGLEUS United States 69->119 121 127.0.0.1 unknown unknown 69->121 123 clients2.googleusercontent.com 69->123 83 conhost.exe 71->83         started        85 conhost.exe 71->85         started        91 8 other processes 71->91 signatures23 process24 process25 93 net1.exe 77->93         started        95 Conhost.exe 81->95         started       
Score:
97%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/da796e334852923b6153f097a2104ece9b4e9bd096dccfc314a7a8d7a7e4e200
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/da796e334852923b6153f097a2104ece9b4e9bd096dccfc314a7a8d7a7e4e200/
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-06-11 17:05:46 UTC
File Type:
PE (Exe)
Extracted files:
62
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3j4w4m2ikkjdwykt6cl2eecoz2nu5g6qs3om7qyuu6unpj7e4iaa._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
095b0a89ef2484e672af40ae72288ac65151d637351d9a1dcebbbf048138d46e
Rhadamanthys
0a5bb6b29e70f99c51cc97726ceab44771dca068cc5d56780c9abf71662bb287
Rhadamanthys
1e342385819a0605226b411fe5748f75b33af63ed7d42c30bf61ab361cfa310f
Rhadamanthys
50cd136e622549f640a06120c22c47fb566c4555be8d94fa6740af74b9db489e
Rhadamanthys
6136c6fc5919bc7e677e087f3616830d25d993f366bd9bfbf5a1a28f1285a438
Rhadamanthys
64b5ab61bf52abbad72621534950c673c3a58589088ac471ce50795cf406eab9
Rhadamanthys
8e3fdb3882dcbe771400e696f7f66480960c46b42f95cc49edd00edb252c9c26
Rhadamanthys
a2f1fa7763b8c5a8b4a79e63262f6b8bcdd7e019ac86bfc9b95f0422a874047d
Rhadamanthys
c2e99b8ec6f48cd608d399db524711f08275477f9959c9e962b8175aaf3627b2
Rhadamanthys
d9099dc0e0b217beca26b3d9074df946a34bd5cad3b6bba5e1473b5395de927b
Rhadamanthys
error
Rhadamanthys
+ 131 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery
Link:
https://tria.ge/reports/250611-vpylmseq4z/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5cf7685c-9662-4223-a7b2-71dcd74f6ef8
Unpacked files
SH256 hash:
da796e334852923b6153f097a2104ece9b4e9bd096dccfc314a7a8d7a7e4e200
MD5 hash:
6421ed9ef1740a9d264f23267dbf5122
SHA1 hash:
99dc484fac5a96b1c876cc3363536af5c7e70141
Link:
https://www.unpac.me/results/4c07ef31-c5b8-4267-a42a-6bf272477872/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/da796e334852/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:HUNTING_SUSP_TLS_SECTION
Create hunting rule
Author:chaosphere
Description:Detect PE files with .tls section that can be used for anti-debugging
Reference:Practical Malware Analysis - Chapter 16
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/9022/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetSystemInfo
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::FindFirstFileA
kernel32.dll::GetTempPathA
version.dll::GetFileVersionInfoSizeA
version.dll::GetFileVersionInfoA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::FindWindowA
user32.dll::PeekMessageA
user32.dll::CreateWindowExA

Comments