MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb5558d414c6f96efeb30db704734c463eb08758a3feacf452d743ba5f8fe662. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb5558d414c6f96efeb30db704734c463eb08758a3feacf452d743ba5f8fe662
SHA3-384 hash: 0a63e67986553a56f7d72d85a56e1151b200a0aaaf184d861c4ca1c92161027959087547c51708ff98e5cb5adb847e5a
SHA1 hash: b27986eabc8a95cb619b5ab0cec661dcc9f11bee
MD5 hash: c80aded7ccf49bbd533b6fd83e974d4d
humanhash: lemon-mike-glucose-cola
File name:Bootstrapper.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:1'592'739 bytes
First seen:2025-07-31 10:10:54 UTC
Last seen:2025-08-01 11:24:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 32f3282581436269b3a75b6675fe3e08 (197 x LummaStealer, 122 x Rhadamanthys, 8 x CoinMiner)
ssdeep 24576:kD+EEMDaqAhZUTn7270YYhCUndfT0KP7S9cBzevBE4ISoEwpLpXi6Kgq+e:wNhAhyT8TYPnxTFacBze8SdILNiL+e
TLSH T11F753352FEE5907BD1D609F435704E1D943E7A400C3ECB0B6A4864ED7C921924F7AB7A
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 72ecdab2e4d8d8e4 (1 x Rhadamanthys)
Reporter burger
Tags:192-30-242-210 exe rh-0-9-X Rhadamanthys

Intelligence

File Origin
# of uploads :
2
# of downloads :
50
Origin country :
NL NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Bootstrapper.exe
Verdict:
Malicious activity
Analysis date:
2025-07-31 08:00:32 UTC
Tags:
lumma stealer autoit
Link:
https://app.any.run/tasks/71cc0aad-6e0c-4241-a236-6849d86bb2e3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/17978/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=688b229f0b4775fb2133d785
Tags:
autoit emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a window
Creating a file
Searching for the window
Searching for the Windows task manager window
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Launching a process
Using the Windows Management Instrumentation requests
Searching for synchronization primitives
Creating a process from a recently created file
DNS request
Sending a custom TCP request
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug blackhole installer microsoft_visual_cc overlay overlay packed
Link:
https://www.filescan.io/uploads/688b415213488cfd44e25816/reports/7ad7a847-909d-4973-9929-0f3e25a5aaae/overview
Verdict:
Malicious
Labled as:
Infostealer/Rhadamanthys
Link:
https://www.hybrid-analysis.com/sample/eb5558d414c6f96efeb30db704734c463eb08758a3feacf452d743ba5f8fe662
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/6e75d03c-2868-4983-9393-2c67ba7889ce
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1747692
Signature
Drops PE files with a suspicious file extension
Early bird code injection technique detected
Found direct / indirect Syscall (likely to bypass EDR)
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Sigma detected: Search for Antivirus process
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1747692 Sample: Bootstrapper.exe Startdate: 31/07/2025 Architecture: WINDOWS Score: 100 82 x.ns.gin.ntt.net 2->82 84 twc.trafficmanager.net 2->84 86 6 other IPs or domains 2->86 106 Multi AV Scanner detection for submitted file 2->106 108 Yara detected RHADAMANTHYS Stealer 2->108 110 Sigma detected: Search for Antivirus process 2->110 112 Joe Sandbox ML detected suspicious sample 2->112 12 Bootstrapper.exe 25 2->12         started        15 msedge.exe 2->15         started        19 elevation_service.exe 2->19         started        21 3 other processes 2->21 signatures3 process4 dnsIp5 74 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 12->74 dropped 23 cmd.exe 1 12->23         started        102 239.255.255.250 unknown Reserved 15->102 104 Maps a DLL or memory area into another process 15->104 26 msedge.exe 15->26         started        29 msedge.exe 15->29         started        31 msedge.exe 15->31         started        33 3 other processes 15->33 file6 signatures7 process8 dnsIp9 122 Drops PE files with a suspicious file extension 23->122 35 cmd.exe 4 23->35         started        38 conhost.exe 23->38         started        96 s-part-0012.t-0009.t-msedge.net 13.107.246.40, 443, 49714, 49718 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 26->96 98 ln-0007.ln-msedge.net 150.171.22.17, 443, 49706 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 26->98 100 9 other IPs or domains 26->100 signatures10 process11 file12 72 C:\Users\user\AppData\Local\...\Pocket.com, PE32 35->72 dropped 40 Pocket.com 35->40         started        44 extrac32.exe 15 35->44         started        46 tasklist.exe 1 35->46         started        48 2 other processes 35->48 process13 dnsIp14 94 192.30.242.210, 49690, 49733, 49734 INTELLIGENT-TECHNOLOGY-SOLUTIONSUS United States 40->94 126 Found many strings related to Crypto-Wallets (likely being stolen) 40->126 128 Switches to a custom stack to bypass stack traces 40->128 130 Found direct / indirect Syscall (likely to bypass EDR) 40->130 50 dllhost.exe 6 40->50         started        54 WerFault.exe 2 40->54         started        signatures15 process16 dnsIp17 88 time-a-g.nist.gov 129.6.15.28, 123, 59658 US-NATIONAL-INSTITUTE-OF-STANDARDS-AND-TECHNOLOGYUS United States 50->88 90 ntp1.net.berkeley.edu 169.229.128.134, 123, 59658 UCBUS United States 50->90 92 5 other IPs or domains 50->92 114 Early bird code injection technique detected 50->114 116 Found many strings related to Crypto-Wallets (likely being stolen) 50->116 118 Tries to harvest and steal browser information (history, passwords, etc) 50->118 120 2 other signatures 50->120 56 chrome.exe 1 50->56         started        59 msedge.exe 50->59         started        61 chrome.exe 50->61         started        63 wmlaunch.exe 50->63         started        signatures18 process19 signatures20 124 Found many strings related to Crypto-Wallets (likely being stolen) 56->124 65 chrome.exe 56->65         started        68 chrome.exe 56->68         started        70 msedge.exe 59->70         started        process21 dnsIp22 76 googlehosted.l.googleusercontent.com 142.251.41.1, 443, 49701, 49702 GOOGLEUS United States 65->76 78 127.0.0.1 unknown unknown 65->78 80 clients2.googleusercontent.com 65->80
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/eb5558d414c6f96efeb30db704734c463eb08758a3feacf452d743ba5f8fe662
Verdict:
inconclusive
YARA:
6 match(es)
Tags:
AutoIt Executable PE (Portable Executable)
Link:
https://app.malva.re/file/c80aded7ccf49bbd533b6fd83e974d4d
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eb5558d414c6f96efeb30db704734c463eb08758a3feacf452d743ba5f8fe662/
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/eb5558d414c6f96efeb30db704734c463eb08758a3feacf452d743ba5f8fe662
Threat name:
Win32.Spyware.Rhadamanthys
Create hunting rule
Status:
Suspicious
First seen:
2025-07-31 00:34:39 UTC
File Type:
PE (Exe)
Extracted files:
19
AV detection:
17 of 24 (70.83%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5nkvrvauy34w57vtbw3qi42miy7lbb2yup7kz5cs25b3ux4p4zra._file
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys discovery stealer
Link:
https://tria.ge/reports/250731-l75cgavjt8/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
System Location Discovery: System Language Discovery
Enumerates processes with tasklist
Executes dropped EXE
Loads dropped DLL
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/82da9848-d859-4898-83d6-36bf4331da1f
Unpacked files
SH256 hash:
eb5558d414c6f96efeb30db704734c463eb08758a3feacf452d743ba5f8fe662
MD5 hash:
c80aded7ccf49bbd533b6fd83e974d4d
SHA1 hash:
b27986eabc8a95cb619b5ab0cec661dcc9f11bee
Link:
https://www.unpac.me/results/ade2f13d-45df-4c63-b7a4-31d4d41fd8d9/
SH256 hash:
bb4fb924885b8d6719cb88e7f231abcbb7c2a1c69be92a12ce7bb56bed9129e3
MD5 hash:
094ae615109634f48bede4a612e36fc8
SHA1 hash:
a8b8cbf4d8a7f368b3ae53090bab40a2793657eb
Link:
https://www.unpac.me/results/ade2f13d-45df-4c63-b7a4-31d4d41fd8d9/
SH256 hash:
8165c7aef7de3d3e0549776535bedc380ad9be7bb85e60ad6436f71528d092af
MD5 hash:
08e9796ca20c5fc5076e3ac05fb5709a
SHA1 hash:
07971d52dcbaa1054060073571ced046347177f7
Link:
https://www.unpac.me/results/ade2f13d-45df-4c63-b7a4-31d4d41fd8d9/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/eb5558d414c6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eb5558d414c6f96efeb30db704734c463eb08758a3feacf452d743ba5f8fe662

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Detect_NSIS_Nullsoft_Installer
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects NSIS installers by .ndata section + NSIS header string
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/17978/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteW
SHELL32.dll::SHFileOperationW
SHELL32.dll::SHGetFileInfoW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::OpenProcess
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetDiskFreeSpaceW
KERNEL32.dll::GetCommandLineW
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::GetWindowsDirectoryW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegQueryValueExW
ADVAPI32.dll::RegSetValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::AppendMenuW
USER32.dll::EmptyClipboard
USER32.dll::FindWindowExW
USER32.dll::OpenClipboard
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments