MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9dc8c8d4f02a2ac33f810bd54c6b17879fc124ff3a5b89f27d7c147e6c5bf8c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 16


Intelligence 16 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e9dc8c8d4f02a2ac33f810bd54c6b17879fc124ff3a5b89f27d7c147e6c5bf8c
SHA3-384 hash: 65e9f095377cccaf6efc4f1f1af3fb009feaaa946fd69f4aa9c57b72bd00dbc6f4ad952b98d736311dff8567fdce9bbc
SHA1 hash: 211d1f6996f307997a66b6342c63cf615a968167
MD5 hash: e1e4c4fc6a335b5b21b02c0ca8e2b95f
humanhash: lemon-eleven-oven-iowa
File name:ValorantHack.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:1'597'279 bytes
First seen:2025-09-18 18:51:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 32f3282581436269b3a75b6675fe3e08 (197 x LummaStealer, 122 x Rhadamanthys, 8 x CoinMiner)
ssdeep 49152:Q3jJsB2oaSU+BFHX04WfnxbZND/CHaKUBl7Rafm:ajJszaSU+LE4udb/C6KUBtRafm
Threatray 654 similar samples on MalwareBazaar
TLSH T112753390BAC29978E1F01FB048B6431748EDF87C4960972F2365E48EB976781E85D7B3
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter burger
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ValorantHack.exe
Verdict:
Malicious activity
Analysis date:
2025-09-17 09:59:51 UTC
Tags:
autoit anti-evasion stealer rhadamanthys
Link:
https://app.any.run/tasks/809b55f7-6a17-4e56-9165-639f1529f002

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/28201/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68cc54ab246a2631bd30bcc9
Tags:
autoit emotet cobalt
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Searching for the window
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a process from a recently created file
DNS request
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug blackhole infostealer installer microsoft_visual_cc nsis overlay startpage
Link:
https://www.filescan.io/uploads/68cc54d4254431b688d38de0/reports/329658ce-a5d9-4eb5-9df0-cf4517f70f39/overview
Verdict:
Malicious
Labled as:
Trojan_Win32_Wacatac_B_ml
Link:
https://www.hybrid-analysis.com/sample/e9dc8c8d4f02a2ac33f810bd54c6b17879fc124ff3a5b89f27d7c147e6c5bf8c
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-09-16T08:29:00Z UTC
Last seen:
2025-09-16T08:29:00Z UTC
Hits:
~100
Detections:
VHO:Backdoor.Win32.Agent.gen Backdoor.Agent.UDP.C&C Trojan.Win32.Autoit.sb HEUR:Trojan.Win32.Autoit.gen HEUR:Trojan.Script.Generic HEUR:Trojan.Script.AUO.gen
Link:
https://opentip.kaspersky.com/e9dc8c8d4f02a2ac33f810bd54c6b17879fc124ff3a5b89f27d7c147e6c5bf8c/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/12da011f-f2a5-43d8-b323-f85457e42a30
Result
Threat name:
RHADAMANTHYS, Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1780317
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Detected CypherIt Packer
Disable Windows Defender notifications (registry)
Drops PE files with a suspicious file extension
Drops PE files with benign system names
Early bird code injection technique detected
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies windows update settings
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Search for Antivirus process
Sigma detected: Stop EventLog
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RHADAMANTHYS Stealer
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1780317 Sample: ValorantHack.exe Startdate: 18/09/2025 Architecture: WINDOWS Score: 100 124 x.ns.gin.ntt.net 2->124 126 twc.trafficmanager.net 2->126 128 9 other IPs or domains 2->128 172 Antivirus detection for dropped file 2->172 174 Multi AV Scanner detection for dropped file 2->174 176 Multi AV Scanner detection for submitted file 2->176 178 7 other signatures 2->178 15 ValorantHack.exe 25 2->15         started        18 msedge.exe 2->18         started        21 svchost.exe 3 4 2->21         started        23 4 other processes 2->23 signatures3 process4 dnsIp5 122 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 15->122 dropped 25 cmd.exe 1 15->25         started        130 192.168.2.24 unknown unknown 18->130 132 192.168.2.25 unknown unknown 18->132 134 239.255.255.250 unknown Reserved 18->134 28 msedge.exe 18->28         started        31 msedge.exe 18->31         started        33 msedge.exe 18->33         started        35 msedge.exe 18->35         started        37 WerFault.exe 2 21->37         started        file6 process7 dnsIp8 182 Detected CypherIt Packer 25->182 184 Drops PE files with a suspicious file extension 25->184 39 cmd.exe 4 25->39         started        42 conhost.exe 25->42         started        152 s-part-0012.t-0009.t-msedge.net 13.107.246.40, 443, 49713, 49714 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 28->152 154 ln-0007.ln-dc-msedge.net 150.171.23.17, 443, 49706 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 28->154 156 11 other IPs or domains 28->156 signatures9 process10 file11 116 C:\Users\user\AppData\Local\Temp\...\Jr.pif, PE32 39->116 dropped 44 Jr.pif 39->44         started        47 extrac32.exe 17 39->47         started        49 tasklist.exe 1 39->49         started        51 2 other processes 39->51 process12 signatures13 188 Switches to a custom stack to bypass stack traces 44->188 53 OpenWith.exe 44->53         started        57 WerFault.exe 2 44->57         started        process14 dnsIp15 142 openai-diversifies-with-ai.com 2.58.56.225, 49692, 6343 SOFTNET-ASInternetServiceProviderinSloveniaandSouthE Netherlands 53->142 144 cloudflare-dns.com 104.16.248.249, 443, 49691, 49727 CLOUDFLARENETUS United States 53->144 180 Switches to a custom stack to bypass stack traces 53->180 59 dllhost.exe 8 53->59         started        signatures16 process17 dnsIp18 146 openai-diversifies-with-ai.com 59->146 148 time-a-g.nist.gov 129.6.15.28 US-NATIONAL-INSTITUTE-OF-STANDARDS-AND-TECHNOLOGYUS United States 59->148 150 9 other IPs or domains 59->150 118 C:\Users\user\AppData\Local\...\x4o)A.exe, PE32+ 59->118 dropped 120 C:\Users\user\AppData\Local\...\L2GUa.exe, PE32+ 59->120 dropped 190 System process connects to network (likely due to code injection or exploit) 59->190 192 Early bird code injection technique detected 59->192 194 Tries to harvest and steal browser information (history, passwords, etc) 59->194 196 2 other signatures 59->196 64 L2GUa.exe 59->64         started        68 x4o)A.exe 59->68         started        70 chrome.exe 59->70         started        72 2 other processes 59->72 file19 signatures20 process21 file22 112 C:\ProgramData\Microsoft\...\WmiPrvSE.exe, PE32+ 64->112 dropped 158 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 64->158 160 Query firmware table information (likely to detect VMs) 64->160 162 Modifies windows update settings 64->162 170 3 other signatures 64->170 74 powershell.exe 64->74         started        77 cmd.exe 64->77         started        79 sc.exe 64->79         started        90 5 other processes 64->90 114 C:\Users\user\AppData\Roaming\...\svchost.exe, PE32+ 68->114 dropped 164 Multi AV Scanner detection for dropped file 68->164 166 Queries memory information (via WMI often done to detect virtual machines) 68->166 168 Drops PE files with benign system names 68->168 81 cmd.exe 68->81         started        83 chrome.exe 70->83         started        86 chrome.exe 70->86         started        88 msedge.exe 72->88         started        signatures23 process24 dnsIp25 186 Loading BitLocker PowerShell Module 74->186 92 conhost.exe 74->92         started        94 WmiPrvSE.exe 74->94         started        96 net.exe 77->96         started        98 conhost.exe 77->98         started        100 conhost.exe 79->100         started        102 conhost.exe 81->102         started        136 googlehosted.l.googleusercontent.com 142.250.31.132, 443, 49702 GOOGLEUS United States 83->136 138 127.0.0.1 unknown unknown 83->138 140 2 other IPs or domains 83->140 104 conhost.exe 90->104         started        106 conhost.exe 90->106         started        108 3 other processes 90->108 signatures26 process27 process28 110 net1.exe 96->110         started       
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/e9dc8c8d4f02a2ac33f810bd54c6b17879fc124ff3a5b89f27d7c147e6c5bf8c
Verdict:
inconclusive
YARA:
5 match(es)
Tags:
Executable NSIS Installer PE (Portable Executable) PE Memory-Mapped (Dump)
Link:
https://app.malva.re/file/e1e4c4fc6a335b5b21b02c0ca8e2b95f
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e9dc8c8d4f02a2ac33f810bd54c6b17879fc124ff3a5b89f27d7c147e6c5bf8c/
Verdict:
Malicious
Threat:
Family.RHADAMANTHYS
Link:
https://tip.neiki.dev/file/e9dc8c8d4f02a2ac33f810bd54c6b17879fc124ff3a5b89f27d7c147e6c5bf8c
Threat name:
Win32.Malware.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2025-09-16 14:26:32 UTC
File Type:
PE (Exe)
Extracted files:
17
AV detection:
24 of 38 (63.16%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5hoizdkpakrkym7ycc6vjrvrpb47yesp6os3rhzh27aupzwfx6ga._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
018f9ba428f4e3360bb6ee7c42f5f475bda12ae71a430d603a4a5e8ea94fdcf9
Rhadamanthys
29ecf946a40c89dfae84770c96f483b151a636202ceaab43b1c8008f2adedbea
Rhadamanthys
34adda0535a9e54bbc979c755bf7a4cd69aa5a1cf82f8a4ed60b8be068fb0977
Rhadamanthys
3c2d3dd2705831ed8bd4fc730ee21877b8a28b54455c0332e3eeba157707bcb7
Rhadamanthys
6b5266685f3fe4ca9e4d7cf5b16b26fcae1c215eb9933eb471240d4daaecdaf5
Rhadamanthys
8b6cc989867108154391335d55fc5267007706203ca4eadab8ef5fe0cad10fbf
Rhadamanthys
99f9692c01489daaec146807f05e426b9dd73be2d880fb0a1648c0e990aaeb15
Rhadamanthys
b87a083343939a8260bb395af58b09dd699f8a4525aa8f6786210c3b1c691653
Rhadamanthys
c0aa63620a1c4f2802976720db29f0afd8b2a08b0a48ac0710365bde6837eb9a
Rhadamanthys
e2a94c188a5479f2239b8cecfaaba3c0fabffff51538727cc5b0bd9c8e059818
Rhadamanthys
error
Rhadamanthys
+ 644 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys discovery stealer
Link:
https://tria.ge/reports/250918-xhwjtazwew/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Drops file in Windows directory
Enumerates processes with tasklist
Executes dropped EXE
Loads dropped DLL
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ce0d123e-522b-4738-a33c-d78b02c4094f
Unpacked files
SH256 hash:
e9dc8c8d4f02a2ac33f810bd54c6b17879fc124ff3a5b89f27d7c147e6c5bf8c
MD5 hash:
e1e4c4fc6a335b5b21b02c0ca8e2b95f
SHA1 hash:
211d1f6996f307997a66b6342c63cf615a968167
Link:
https://www.unpac.me/results/73ff5360-6396-4f0a-ad77-d833ec7917f9/
SH256 hash:
bb4fb924885b8d6719cb88e7f231abcbb7c2a1c69be92a12ce7bb56bed9129e3
MD5 hash:
094ae615109634f48bede4a612e36fc8
SHA1 hash:
a8b8cbf4d8a7f368b3ae53090bab40a2793657eb
Link:
https://www.unpac.me/results/73ff5360-6396-4f0a-ad77-d833ec7917f9/
SH256 hash:
8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af
MD5 hash:
08e9796ca20c5fc5076e3ac05fb5709a
SHA1 hash:
07971d52dcbaa1054060073571ced046347177f7
Link:
https://www.unpac.me/results/73ff5360-6396-4f0a-ad77-d833ec7917f9/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e9dc8c8d4f02/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e9dc8c8d4f02a2ac33f810bd54c6b17879fc124ff3a5b89f27d7c147e6c5bf8c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/28201/

Comments