MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea12cb7ea734f9f0bc3e2dd14b4e0bc713cbb15200cc44da2204c179807a9058. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	ea12cb7ea734f9f0bc3e2dd14b4e0bc713cbb15200cc44da2204c179807a9058
SHA3-384 hash:	4a2626c7f7f583a9d8fea955c94157f864ce5a911f1146ee81550cbab2e220537f42fca8ca3368adcb18de15f7e3d0a2
SHA1 hash:	3b4f25559f59a9870a24ba301becc230151237c6
MD5 hash:	b76ad2ef81e39f716dcb20432a92040d
humanhash:	sweet-quiet-jersey-paris
File name:	QuantumLoaderV4.25.exe
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	2'814'464 bytes
First seen:	2025-05-28 14:55:00 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	5f19202fbd07b5784d311e4ad6521ff2 (2 x Rhadamanthys)
ssdeep	49152:otUChjoXcSKg0d3Kbb0zN83V80g3VYLl07ZvQ0Lr2SR1pizGy:otnoXcSt0d7p83VX2eLl0Nrcyy
Threatray	7 similar samples on MalwareBazaar
TLSH	T175D5120E48F20C79C6897EF20D669D5C71B62DA440C18D2EDAECDE47DD3BA6216B134B
TrID	29.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 22.7% (.EXE) Win16 NE executable (generic) (5038/12/1) 20.3% (.EXE) Win32 Executable (generic) (4504/4/1) 9.1% (.EXE) OS/2 Executable (generic) (2029/13) 9.0% (.EXE) Generic Win/DOS Executable (2002/3)
Magika	pebin
Reporter	Anonymous
Tags:	exe Rhadamanthys

Intelligence

File Origin

# of uploads :

# of downloads :

551

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

QuantumLoaderV4.25.exe

Verdict:

Malicious activity

Analysis date:

2025-05-28 14:58:18 UTC

Tags:

stealer rhadamanthys shellcode loader pastebin winring0x64-sys vuln-driver

Link:

https://app.any.run/tasks/dba4653c-ec16-4bef-8963-3d0d3398373c

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/6060/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen3.40477.27951.30959.UNOFFICIAL

Verdict:

Malicious

Score:

95.7%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68372410668438e362e7b7e0

Tags:

virus spawn remo

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Launching a process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

microsoft_visual_cc packed packed packer_detected

Link:

https://www.filescan.io/uploads/683723e7171e01f9592f9bcf/reports/cd977217-4256-4850-b99a-85a005649faf/overview

Verdict:

Malicious

Labled as:

Mikey.Generic

Link:

https://www.hybrid-analysis.com/sample/ea12cb7ea734f9f0bc3e2dd14b4e0bc713cbb15200cc44da2204c179807a9058

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/594933e4-e31b-4be0-87dd-d2b7abf5c9c8

Result

Threat name:

RHADAMANTHYS

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/1700839

Signature

Deletes itself after installation

Joe Sandbox ML detected suspicious sample

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Switches to a custom stack to bypass stack traces

Uses Windows timers to delay execution

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ea12cb7ea734f9f0bc3e2dd14b4e0bc713cbb15200cc44da2204c179807a9058

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ea12cb7ea734f9f0bc3e2dd14b4e0bc713cbb15200cc44da2204c179807a9058/

Threat name:

Win32.Trojan.Rhadamanthys

Status:

Malicious

First seen:

2025-05-28 06:51:32 UTC

File Type:

PE (Exe)

AV detection:

19 of 24 (79.17%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5ijmw7vhgt47bpb6fxiuwtqly4j4xmksadgejwrcataxtad2sbma._file

Verdict:

malicious

Label(s):

rhadamanthys

Rhadamanthys

1e342385819a0605226b411fe5748f75b33af63ed7d42c30bf61ab361cfa310f

Rhadamanthys

57fb3950a9eaeeb3cb4d922f81eea4979aea1cafb15e75efa59dafe91f7ce9b5

Rhadamanthys

64b5ab61bf52abbad72621534950c673c3a58589088ac471ce50795cf406eab9

Rhadamanthys

a63060468bd709eff8ab35c0cf0abab5b1e4818e189f00dd1338b52307715ec8

Rhadamanthys

d9099dc0e0b217beca26b3d9074df946a34bd5cad3b6bba5e1473b5395de927b

Rhadamanthys

ea12cb7ea734f9f0bc3e2dd14b4e0bc713cbb15200cc44da2204c179807a9058

Rhadamanthys

error

Rhadamanthys

Result

Malware family:

n/a

Score:

10/10

Tags:

discovery

Link:

https://tria.ge/reports/250528-sapdbaxwav/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

System Location Discovery: System Language Discovery

Deletes itself

Suspicious use of NtCreateUserProcessOtherParentProcess

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/f8519c59-d288-4aa5-b2e3-929bec7f2e49

Malware family:

Rhadamanthys

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ea12cb7ea734/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.98

Link:

https://yomi.yoroi.company/submissions/ea12cb7ea734f9f0bc3e2dd14b4e0bc713cbb15200cc44da2204c179807a9058

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	golang_bin_JCorn_CSC846 Create hunting rule
Author:	Justin Cornwell
Description:	CSC-846 Golang detection ruleset

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/6060/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::LoadLibraryA

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample