MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e443809317ae0721d477d717c1a3a4e8d404540b0ef0bd39a17a5f2cc20dc434. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e443809317ae0721d477d717c1a3a4e8d404540b0ef0bd39a17a5f2cc20dc434
SHA3-384 hash: 51812dc8927cb167cbbb1390ac71f602c886f482faea328bbf89c551e6cff70c9e9ee84d1227bcb7c4bd265af0a71fd3
SHA1 hash: f673965ff814dbfcb9cfea411bec5cddb3c05915
MD5 hash: 93a4a8e4a1673f125203f9df4824383f
humanhash: comet-fourteen-william-nebraska
File name:underxgame.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:1'703'536 bytes
First seen:2025-10-19 21:23:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 71 x LummaStealer, 61 x Rhadamanthys)
ssdeep 24576:U5Nkc3Pzzj++HSLR/Moa/4NSeXG8FvrIOyJQ1Glwr2t/KOjyidcYfeAn3STveOjZ:4Nkmq+H+q44eW+rIjQ1Ga2tz1J7qv
Threatray 379 similar samples on MalwareBazaar
TLSH T13D75231823F0612AF2B103B4A9BB49F659317CA01FB999BF21D4B5F10B72391D636F16
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter burger
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
underxgame.exe
Verdict:
Malicious activity
Analysis date:
2025-10-19 21:21:37 UTC
Tags:
autoit lumma stealer anti-evasion
Link:
https://app.any.run/tasks/214e13ac-3432-4657-bf65-0f49de0598f8

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/33350/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f556c5c949ca4fcbe35e50
Tags:
autorun autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Running batch commands
Moving a file to the %temp% subdirectory
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a window
Creating a process from a recently created file
Creating a file
DNS request
Unauthorized injection to a recently created process
Сreating synchronization primitives
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Enabling autorun by creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context CAB installer invalid-signature lolbin microsoft_visual_cc packed rundll32 runonce signed
Link:
https://www.filescan.io/uploads/68f55714fd2d7e012f4b3d9c/reports/8d44fc66-d324-4d85-983b-6c8354e6b1b2/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/e443809317ae0721d477d717c1a3a4e8d404540b0ef0bd39a17a5f2cc20dc434
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-10-19T12:19:00Z UTC
Last seen:
2025-10-21T18:33:00Z UTC
Hits:
~100
Detections:
Backdoor.Win32.Agent.mywyjv Backdoor.Agent.UDP.C&C Trojan.Win32.Autoit.sb HEUR:Trojan.Script.Generic HEUR:Trojan.Script.AUO.gen PDM:Trojan.Win32.Generic
Link:
https://opentip.kaspersky.com/e443809317ae0721d477d717c1a3a4e8d404540b0ef0bd39a17a5f2cc20dc434/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/67cca2dd-30d9-4c1c-8b9a-9a0a0e9e262f
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1797970
Signature
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Detected CypherIt Packer
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Found malware configuration
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Rundll32 Execution Without Parameters
Sigma detected: Search for Antivirus process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1797970 Sample: underxgame.exe Startdate: 19/10/2025 Architecture: WINDOWS Score: 100 58 lvxRREsgYENIhNlEsJQ.lvxRREsgYENIhNlEsJQ 2->58 60 cloudflare-dns.com 2->60 70 Found malware configuration 2->70 72 Antivirus detection for URL or domain 2->72 74 Multi AV Scanner detection for submitted file 2->74 76 5 other signatures 2->76 10 underxgame.exe 1 11 2->10         started        13 CodePulse.bat 2->13         started        16 rundll32.exe 2->16         started        signatures3 process4 file5 52 C:\Users\user\AppData\Local\...behaviorgraphazette.mil, DOS 10->52 dropped 18 cmd.exe 4 10->18         started        22 OpenWith.exe 10->22         started        25 rundll32.exe 10->25         started        86 Hijacks the control flow in another process 13->86 88 Modifies the context of a thread in another process (thread injection) 13->88 90 Injects a PE file into a foreign processes 13->90 92 Found direct / indirect Syscall (likely to bypass EDR) 13->92 27 CodePulse.bat 13->27         started        signatures6 process7 dnsIp8 50 C:\Users\user\AppData\Local\...\Touring.scr, PE32+ 18->50 dropped 78 Detected CypherIt Packer 18->78 80 Drops PE files with a suspicious file extension 18->80 29 Touring.scr 6 18->29         started        33 extrac32.exe 14 18->33         started        35 conhost.exe 18->35         started        42 4 other processes 18->42 64 cloudflare-dns.com 104.16.248.249, 443, 49723, 49725 CLOUDFLARENETUS United States 22->64 66 172.67.162.252, 443, 49724 CLOUDFLARENETUS United States 22->66 68 the-encyclopedia-of-digital-entrepreneurship-and-innovation.com 22->68 82 Found evasive API chain (may stop execution after checking mutex) 22->82 84 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 22->84 37 OpenWith.exe 27->37         started        40 WerFault.exe 27->40         started        file9 signatures10 process11 dnsIp12 54 C:\Users\user\AppData\Local\...\CodePulse.bat, PE32+ 29->54 dropped 94 Hijacks the control flow in another process 29->94 96 Modifies the context of a thread in another process (thread injection) 29->96 98 Injects a PE file into a foreign processes 29->98 100 Found direct / indirect Syscall (likely to bypass EDR) 29->100 44 Touring.scr 29->44         started        56 C:\Users\user\AppData\Local\...xtraordinary, VAX-order2 33->56 dropped 46 conhost.exe 33->46         started        62 the-encyclopedia-of-digital-entrepreneurship-and-innovation.com 104.21.49.123, 443, 49726 CLOUDFLARENETUS United States 37->62 file13 signatures14 process15 process16 48 WerFault.exe 2 44->48         started       
Score:
43%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/e443809317ae0721d477d717c1a3a4e8d404540b0ef0bd39a17a5f2cc20dc434
Verdict:
inconclusive
YARA:
6 match(es)
Tags:
AutoIt CAB:COMPRESSION:LZX CAB:COMPRESSION:MSZIP Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/93a4a8e4a1673f125203f9df4824383f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e443809317ae0721d477d717c1a3a4e8d404540b0ef0bd39a17a5f2cc20dc434/
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/e443809317ae0721d477d717c1a3a4e8d404540b0ef0bd39a17a5f2cc20dc434
Threat name:
Win64.Spyware.Rhadamanthys
Create hunting rule
Status:
Suspicious
First seen:
2025-10-19 17:13:08 UTC
File Type:
PE+ (Exe)
Extracted files:
33
AV detection:
19 of 24 (79.17%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4rbybeyxvydsdvdx24l4di5e5dkaivalb3yl2onbpjpszqqnyq2a._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
02778067900afe0ad74783c87e7dc16247e7971d2941f536321e0192cc326170
Rhadamanthys
03723a05664cb74502e9a71ad1a6ce2d1dcdbf501b638efd0780ec246ce2b502
Rhadamanthys
2acb2ae00a60f9ac6c3fc03dd602f042c98f7033f0a2eeb79eaa879333d84b19
Rhadamanthys
3cbaa80f0bd0f9bbe90f2f75c960137f0361a790038cf4e30651c6cfccf50340
Rhadamanthys
bf99ffa607b67877a42af7dfc788553d09baabe541aec003fe9f73bcd3fa172d
Rhadamanthys
ccbcbf8d6399bce1f3df74c2e3f2919f2c343c646689ecffe3f773b68b1e04d2
Rhadamanthys
e443809317ae0721d477d717c1a3a4e8d404540b0ef0bd39a17a5f2cc20dc434
Rhadamanthys
e4963c3d7294036e8ca76a517e50c5d8962269dbb800f3699a9f15e17ad271f1
Rhadamanthys
error
Rhadamanthys
f19e395f6af72b7882f8f6c1603e6d762b9c7dfa088759410b0fbc18c458854b
Rhadamanthys
+ 369 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/251019-z9asjadm4w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Executes dropped EXE
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/660f630e-acb4-45ac-8fd4-4a2cfc9a9750
Unpacked files
SH256 hash:
e443809317ae0721d477d717c1a3a4e8d404540b0ef0bd39a17a5f2cc20dc434
MD5 hash:
93a4a8e4a1673f125203f9df4824383f
SHA1 hash:
f673965ff814dbfcb9cfea411bec5cddb3c05915
Link:
https://www.unpac.me/results/bd96a274-25cd-4533-a946-96a5d2d2c467/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e443809317ae/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e443809317ae0721d477d717c1a3a4e8d404540b0ef0bd39a17a5f2cc20dc434

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/33350/

Comments