MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e13a08add2ff3bf2d715f970409e2674abffaf9bec32d0ae9a843b07190d2e99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 9


Intelligence 9 IOCs YARA 19 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e13a08add2ff3bf2d715f970409e2674abffaf9bec32d0ae9a843b07190d2e99
SHA3-384 hash: 93b02fd01dd9ed4506ed522554771aac23d957e4c445495037ac6cea8356edc7c0299e85c4f375c7082d62a858563d3f
SHA1 hash: e4b93d89f63999c82d93d6169dd4901363b09b6c
MD5 hash: 8d6a483c8683cc45bc49a3e037d59d2e
humanhash: nevada-sink-saturn-maine
File name:Setup.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:16'392'392 bytes
First seen:2025-07-16 11:55:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a3e93e4db5390cecb566f4d008213a02 (1 x Rhadamanthys)
ssdeep 196608:k+CsmYmqTUXflRmWO7WlGFZ6kTyWnVFVM7VlRO:kD5XfvGFZ9Waiz
Threatray 185 similar samples on MalwareBazaar
TLSH T11DF68D0BA1E910D8D1BAD078CD5B9603EBB2B80903F156EB17D085E92E67BE07E7D711
TrID 48.7% (.EXE) Win64 Executable (generic) (10522/11/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
dhash icon 33f0c09696c0f033 (3 x LummaStealer, 3 x Rhadamanthys, 2 x Stealc)
Reporter aachum
Tags:185-76-243-167 62-133-60-102 exe Rhadamanthys


Avatar
iamaachum
https://ihecountry.pro/?data=M1YyCeT3wXR50nJ&pub_id=12&made=wXZH8QocC6E4im5R7WBvNMY0pTjP1Kdkg9aubO3rAzlSeh2tJn&site_id=22&yes=gWO5QveloyVkiFa0Bs6hpL9zcE3XYR => https://mega.nz/file/v8wjkZob#M6UazDGmKbMUwRGVdW4VvQKpZJ1tkEfwt0RdbJmWZJ8

Intelligence

File Origin
# of uploads :
1
# of downloads :
32
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Setup.exe
Verdict:
Malicious activity
Analysis date:
2025-07-16 11:58:52 UTC
Tags:
stealer rhadamanthys shellcode
Link:
https://app.any.run/tasks/a1619f07-2fff-447e-a416-3632ba6201b8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/14828/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6877937784b37dd61eef0549
Tags:
dropper virus spawn
Result
Verdict:
Malware
Maliciousness:

Behaviour
Adding an access-denied ACE
Creating a window
Сreating synchronization primitives
Launching a process
Launching the default Windows debugger (dwwin.exe)
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Connection attempt
DNS request
Sending a UDP request
Reading critical registry keys
Searching for the window
Unauthorized injection to a system process
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm cmd evasive explorer fingerprint greyware invalid-signature lolbin microsoft_visual_cc obfuscated packed packed packer_detected remote rundll32 signed
Link:
https://www.filescan.io/uploads/687793468a7d628a81b22ede/reports/1f79509c-a2a5-447d-b91c-ecf452fb80f1/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/e13a08add2ff3bf2d715f970409e2674abffaf9bec32d0ae9a843b07190d2e99
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/6dbedc58-a4bd-47e6-a474-44a3ba209713
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1738016
Signature
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Hides threads from debuggers
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses Windows timers to delay execution
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
0%
Verdict:
Benign
File Type:
PE
Link:
https://malprob.io/report/e13a08add2ff3bf2d715f970409e2674abffaf9bec32d0ae9a843b07190d2e99
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
Executable PDB Path PE (Portable Executable) Win 64 Exe x64
Link:
https://app.malva.re/file/8d6a483c8683cc45bc49a3e037d59d2e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e13a08add2ff3bf2d715f970409e2674abffaf9bec32d0ae9a843b07190d2e99/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4e5arlos7457fvyv7fyebhrgosv77l435qznblu2qq5qoginf2mq._file
Verdict:
malicious
Label(s):
shellterloader
Create hunting rule
rhadamanthys
Create hunting rule
Similar samples:
0a5bb6b29e70f99c51cc97726ceab44771dca068cc5d56780c9abf71662bb287
Rhadamanthys
1cfc3b32aeb66367c054ac339add02b24805f90a3d0b53bd61b4670d0edf8a55
Rhadamanthys
1e342385819a0605226b411fe5748f75b33af63ed7d42c30bf61ab361cfa310f
Rhadamanthys
3a52d91b4d116a614f2a76d7fd58b88c086f28375942368c8b913796000a43db
Rhadamanthys
48a53f98414985216dbe0c501bb8e07f83b97a46f0a855ca434620e46674ee99
Rhadamanthys
68423337cfd3e0f262e5b14fd462744952c9ae99909df3db11056b94b95eda2c
Rhadamanthys
90368efed1cb835dcb06176b71d5309dc4c46e414812013ecfc72178ba8498d3
Rhadamanthys
a2f1fa7763b8c5a8b4a79e63262f6b8bcdd7e019ac86bfc9b95f0422a874047d
Rhadamanthys
e13a08add2ff3bf2d715f970409e2674abffaf9bec32d0ae9a843b07190d2e99
Rhadamanthys
error
Rhadamanthys
f0da32d32434afbef48cc3b0fdc24c61b88ab4c8de2efb892a0797769f01b2d3
Rhadamanthys
+ 175 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/250716-n3s5ratk16/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/a28428c1-eb4a-488e-8574-45782fbc8056
Unpacked files
SH256 hash:
e13a08add2ff3bf2d715f970409e2674abffaf9bec32d0ae9a843b07190d2e99
MD5 hash:
8d6a483c8683cc45bc49a3e037d59d2e
SHA1 hash:
e4b93d89f63999c82d93d6169dd4901363b09b6c
Link:
https://www.unpac.me/results/30f8b5f5-5879-4187-bb66-ad61bafa4027/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:golang
Create hunting rule
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:identity_golang
Create hunting rule
Author:Eric Yocam
Description:find Golang malware
Rule name:Indicator_MiniDumpWriteDump
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects PE files and PowerShell scripts that use MiniDumpWriteDump either through direct imports or string references
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:skip20_sqllang_hook
Create hunting rule
Author:Mathieu Tartare <mathieu.tartare@eset.com>
Description:YARA rule to detect if a sqllang.dll version is targeted by skip-2.0. Each byte pattern corresponds to a function hooked by skip-2.0. If $1_0 or $1_1 match, it is probably targeted as it corresponds to the hook responsible for bypassing the authentication.
Reference:https://www.welivesecurity.com/
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe e13a08add2ff3bf2d715f970409e2674abffaf9bec32d0ae9a843b07190d2e99

(this sample)

  
Link
https://tria.ge/250716-nq98hadq7w/behavioral1
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/14828/

Comments