MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea99f0edcfd429bdbd696ca66cdf0ba8a006ce028900a0e010b6b5a492eeffcd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea99f0edcfd429bdbd696ca66cdf0ba8a006ce028900a0e010b6b5a492eeffcd
SHA3-384 hash: 97ce42e783bade5780e3e59996135f44b2cb5a0f4555bdb7f65aae6927f7d0fffa568f6fc6d7e779a1ed952b4a415a41
SHA1 hash: 09ffa9bab53286f9b0abd73137f75f57c0dd754c
MD5 hash: 0ad1ee024949149737edc49f83520d1c
humanhash: triple-autumn-oklahoma-wolfram
File name:0ad1ee024949149737edc49f83520d1c.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:1'677'424 bytes
First seen:2025-10-22 12:06:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4cea7ae85c87ddc7295d39ff9cda31d1 (85 x RedLineStealer, 71 x LummaStealer, 62 x Rhadamanthys)
ssdeep 24576:TfG6WCeS4xlGDAjkv6pEe84ldG+/ESeS1rkUniu0s/ktsX+qFcql8gND2yO:6xTTGDAqUV84DG+cSJliBmzOqlZNy
TLSH T19975230C56E9259AFC799F3058F607438532BD941FB889EF22C885ED0E827D5B770B26
TrID 41.1% (.EXE) Microsoft Visual C++ compiled executable (generic) (16529/12/5)
26.1% (.EXE) Win64 Executable (generic) (10522/11/4)
12.5% (.EXE) Win16 NE executable (generic) (5038/12/1)
5.1% (.ICL) Windows Icons Library (generic) (2059/9)
5.0% (.EXE) OS/2 Executable (generic) (2029/13)
Magika pebin
Reporter abuse_ch
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
66b2da929a599a2dd10a49df9fc21fd5b8fc128c0de44e8d2457c6537c608f3a.bin.exe
Verdict:
Malicious activity
Analysis date:
2025-10-21 17:57:32 UTC
Tags:
auto generic gcleaner loader autoit auto-startup auto-sch anti-evasion rhadamanthys stealer
Link:
https://app.any.run/tasks/7c383ede-5c5d-40c4-a459-e054c5e15661

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/33725/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f8c8dc3edd081eba40b264
Tags:
autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Launching a process
Creating a process with a hidden window
Running batch commands
Moving a file to the %temp% subdirectory
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a window
Creating a process from a recently created file
DNS request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
CAB dllhost installer invalid-signature lolbin microsoft_visual_cc packed rundll32 runonce signed
Link:
https://www.filescan.io/uploads/68f8c8d43a79800405f0ddb7/reports/5d9cc381-4a62-4821-95af-1d3d4bd6cabb/overview
Verdict:
Malicious
Labled as:
TrojanDropper/Agent.agx
Link:
https://www.hybrid-analysis.com/sample/ea99f0edcfd429bdbd696ca66cdf0ba8a006ce028900a0e010b6b5a492eeffcd
Verdict:
Malicious
File Type:
exe x64
First seen:
2025-10-21T14:02:00Z UTC
Last seen:
2025-10-22T11:24:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Script.AUO.gen Backdoor.Win32.Agent.mywynx Backdoor.Agent.UDP.C&C
Link:
https://opentip.kaspersky.com/ea99f0edcfd429bdbd696ca66cdf0ba8a006ce028900a0e010b6b5a492eeffcd/results?tab=lookup
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/fc800ff3-476b-4b5f-b0f5-3ebc83ab9f4e
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1799765
Signature
C2 URLs / IPs found in malware configuration
Detected CypherIt Packer
Drops PE files with a suspicious file extension
Found direct / indirect Syscall (likely to bypass EDR)
Found malware configuration
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: Dllhost.EXE Execution Anomaly
Sigma detected: Search for Antivirus process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1799765 Sample: N2r9bw5yVh.exe Startdate: 22/10/2025 Architecture: WINDOWS Score: 100 37 TWMLpOhHqHGy.TWMLpOhHqHGy 2->37 49 Found malware configuration 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected RHADAMANTHYS Stealer 2->53 55 3 other signatures 2->55 10 N2r9bw5yVh.exe 1 9 2->10         started        signatures3 process4 process5 12 cmd.exe 4 10->12         started        16 dllhost.exe 10->16         started        file6 35 C:\Users\user\AppData\Local\Temp\...mma.scr, PE32+ 12->35 dropped 61 Detected CypherIt Packer 12->61 63 Drops PE files with a suspicious file extension 12->63 18 Emma.scr 12->18         started        21 extrac32.exe 20 12->21         started        23 conhost.exe 12->23         started        25 4 other processes 12->25 signatures7 process8 signatures9 41 Hijacks the control flow in another process 18->41 43 Modifies the context of a thread in another process (thread injection) 18->43 45 Injects a PE file into a foreign processes 18->45 47 Found direct / indirect Syscall (likely to bypass EDR) 18->47 27 Emma.scr 18->27         started        31 conhost.exe 21->31         started        process10 dnsIp11 39 23.94.252.123, 443, 49708 AS-COLOCROSSINGUS United States 27->39 57 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 27->57 59 Found direct / indirect Syscall (likely to bypass EDR) 27->59 33 WerFault.exe 2 27->33         started        signatures12 process13
Score:
37%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/ea99f0edcfd429bdbd696ca66cdf0ba8a006ce028900a0e010b6b5a492eeffcd
Verdict:
inconclusive
YARA:
6 match(es)
Tags:
AutoIt CAB:COMPRESSION:LZX CAB:COMPRESSION:MSZIP Executable PDB Path PE (Portable Executable) PE File Layout Win 64 Exe x64
Link:
https://app.malva.re/file/0ad1ee024949149737edc49f83520d1c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ea99f0edcfd429bdbd696ca66cdf0ba8a006ce028900a0e010b6b5a492eeffcd/
Verdict:
Malicious
Threat:
Family.RHADAMANTHYS
Link:
https://tip.neiki.dev/file/ea99f0edcfd429bdbd696ca66cdf0ba8a006ce028900a0e010b6b5a492eeffcd
Threat name:
Win64.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2025-10-22 12:07:41 UTC
File Type:
PE+ (Exe)
Extracted files:
33
AV detection:
17 of 24 (70.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5km7b3op2qu33pljnstgzxylvcqantqcreakbyaqw222jexo77gq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence
Link:
https://tria.ge/reports/251022-n946laem3s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates processes with tasklist
Suspicious use of SetThreadContext
Adds Run key to start application
Executes dropped EXE
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3a9b6ed5-3783-48a9-9741-333f370c8c28
Unpacked files
SH256 hash:
ea99f0edcfd429bdbd696ca66cdf0ba8a006ce028900a0e010b6b5a492eeffcd
MD5 hash:
0ad1ee024949149737edc49f83520d1c
SHA1 hash:
09ffa9bab53286f9b0abd73137f75f57c0dd754c
Link:
https://www.unpac.me/results/ebdf0ed6-8dcc-4368-bfdb-018b031de74e/
Malware family:
GoInjector
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ea99f0edcfd4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.71
Link:
https://yomi.yoroi.company/submissions/ea99f0edcfd429bdbd696ca66cdf0ba8a006ce028900a0e010b6b5a492eeffcd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:detect_Redline_Stealer
Create hunting rule
Author:Varp0s
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/33725/

Comments