MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e2a94c188a5479f2239b8cecfaaba3c0fabffff51538727cc5b0bd9c8e059818. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 16


Intelligence 16 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e2a94c188a5479f2239b8cecfaaba3c0fabffff51538727cc5b0bd9c8e059818
SHA3-384 hash: 0facb4d58f3bd6b77c5e0ad97407b3e416e7b510719d19be9b6944bba5fc144cc17aa761e9c5c1bff417e6f984f56013
SHA1 hash: f57ab229258da3024cf729851f7ec09017bacc6f
MD5 hash: 7639c60353b9bb93c64192101ca60f46
humanhash: florida-vegan-juliet-hotel
File name:file
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:956'928 bytes
First seen:2025-09-03 04:00:35 UTC
Last seen:2025-09-03 12:10:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7ccdf26f81c5c13d798e8a7ffab09084 (3 x Rhadamanthys, 1 x ValleyRAT)
ssdeep 24576:Z2HdJsviS8xGGBf5BSpjqxqS+qP/zMmLHu6P1fkXS:cHdKF8sG1jSBqxqS//zbHpfMS
Threatray 400 similar samples on MalwareBazaar
TLSH T1B2151242B5C3D0A3F7A304302E34EAA49D3DB6A27F215DE77198056C4AF99D7827352B
TrID 49.9% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win32 Executable (generic) (4504/4/1)
9.6% (.EXE) OS/2 Executable (generic) (2029/13)
9.5% (.EXE) Generic Win/DOS Executable (2002/3)
9.4% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter Bitsight
Tags:exe Rhadamanthys


Avatar
Bitsight
url: http://178.16.55.189/files/174733404/ZamICay.exe

Intelligence

File Origin
# of uploads :
5
# of downloads :
73
Origin country :
US US
Vendor Threat Intelligence
Malware family:
amadey
Create hunting rule
ID:
1
File name:
045192971378a00ba54dcce7a15ce63f511315b220ef394b7eed9cb4d2b4229e.bin.exe
Verdict:
Malicious activity
Analysis date:
2025-09-02 16:25:09 UTC
Tags:
lumma stealer themida amadey auto redline loader botnet auto-startup rdp telegram inno installer auto-reg delphi stealc purelogsstealer vidar
Link:
https://app.any.run/tasks/d39829d5-c694-4293-abaa-546a639f7c81

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/24825/
Verdict:
Clean
Score:
50%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68b7bd93eb163e0ec1843650
Tags:
n/a
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
microsoft_visual_cc obfuscated packed packed packer_detected
Link:
https://www.filescan.io/uploads/68b7bda61c81c34281dc7b73/reports/4edeb85b-8cfe-4dd9-8e38-7b39d1fc6757/overview
Verdict:
Malicious
Labled as:
Lazy.Generic
Link:
https://www.hybrid-analysis.com/sample/e2a94c188a5479f2239b8cecfaaba3c0fabffff51538727cc5b0bd9c8e059818
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-02T13:53:00Z UTC
Last seen:
2025-09-02T13:53:00Z UTC
Hits:
~10
Detections:
Trojan-PSW.Win32.Crypt.hr Trojan.Win64.SBEscape.sb Trojan.Win32.Strab.sb Trojan.Win32.Inject.sb Trojan.Win32.Crypt.sb Trojan.Win32.Agent.sb
Link:
https://opentip.kaspersky.com/e2a94c188a5479f2239b8cecfaaba3c0fabffff51538727cc5b0bd9c8e059818/results?tab=lookup
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e5939fd3-7c2f-4da1-a142-297a4c9a99ba
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e2a94c188a5479f2239b8cecfaaba3c0fabffff51538727cc5b0bd9c8e059818
Verdict:
inconclusive
YARA:
3 match(es)
Tags:
Executable PE (Portable Executable) PE File Layout Win 32 Exe x86
Link:
https://app.malva.re/file/7639c60353b9bb93c64192101ca60f46
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e2a94c188a5479f2239b8cecfaaba3c0fabffff51538727cc5b0bd9c8e059818/
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/e2a94c188a5479f2239b8cecfaaba3c0fabffff51538727cc5b0bd9c8e059818
Threat name:
Win32.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-09-02 20:27:00 UTC
File Type:
PE (Exe)
AV detection:
21 of 24 (87.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4kuuygekkr47ei43rtwpvk5dyd5l777vcu4he7gfwc6zzdqftama._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
018f9ba428f4e3360bb6ee7c42f5f475bda12ae71a430d603a4a5e8ea94fdcf9
Rhadamanthys
31e8c42f589d71d004c9e0fe8cce3b2b05b5a15296aaecf9133f24d2bec7ee30
Rhadamanthys
3c2d3dd2705831ed8bd4fc730ee21877b8a28b54455c0332e3eeba157707bcb7
Rhadamanthys
8c0f64db543f26deab78ab96659cf4bf1bdae96df9baf5406f16ed85791b98bf
Rhadamanthys
98bc02b6d14300cbf6f3a3101a0491cbae627ff1b3d9a34ccaa80ca856dd2a80
Rhadamanthys
a6f1ce55528e0c52917cd8417fd51b083be0d285b09e983f43a015ba6d980af1
Rhadamanthys
c2eeeef83d6a7c470cccd364369d227ba7665b1c128f5e5128f47d508be9c4db
Rhadamanthys
c3d9dd9bab61c9f89d63481bb2bb18083dfe6f6a661310ed428b9efa893b65e7
Rhadamanthys
ce91c00c4647bb1043e1a1edf70a50db6bbc92d480ad54143d40b31a8c54e4e0
Rhadamanthys
error
Rhadamanthys
f553605fb8722472509ee1612fe24c835aec8d7a71d3554d59983f3524467725
Rhadamanthys
+ 390 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys discovery stealer
Link:
https://tria.ge/reports/250903-elk85svxdv/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Deletes itself
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4c81ca33-27ef-4d07-b15a-9f45067b243f
Unpacked files
SH256 hash:
e2a94c188a5479f2239b8cecfaaba3c0fabffff51538727cc5b0bd9c8e059818
MD5 hash:
7639c60353b9bb93c64192101ca60f46
SHA1 hash:
f57ab229258da3024cf729851f7ec09017bacc6f
Link:
https://www.unpac.me/results/ff1e048f-9f02-4e42-ae28-eaed05855f45/
SH256 hash:
8855a86d2276a92e2dc38f1ce3ae709b93caba530ce75f31808c6cb0589c6395
MD5 hash:
329d6f6c5ac81e4b5d59f5ce0428e04e
SHA1 hash:
61494e8baf3cfcc7b81fc0f95e37653f4afa5b48
Link:
https://www.unpac.me/results/ff1e048f-9f02-4e42-ae28-eaed05855f45/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e2a94c188a54/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e2a94c188a5479f2239b8cecfaaba3c0fabffff51538727cc5b0bd9c8e059818

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:HUNTING_SUSP_TLS_SECTION
Create hunting rule
Author:chaosphere
Description:Detect PE files with .tls section that can be used for anti-debugging
Reference:Practical Malware Analysis - Chapter 16
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe e2a94c188a5479f2239b8cecfaaba3c0fabffff51538727cc5b0bd9c8e059818

(this sample)

  
Dropped by
Amadey
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/24825/
  
URLhaus
https://urlhaus.abuse.ch/url/3611620/

Comments