MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec7bee464dfecee9727881acf530a1b649be2036b716f0859910f938f2e577dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ec7bee464dfecee9727881acf530a1b649be2036b716f0859910f938f2e577dd
SHA3-384 hash: 40f283f0e9a67b1b7a5c686567f9e3743341e02297cc3f0492c398be9963c93be0d9947025b108f51280c3f3ebe9ee8c
SHA1 hash: d4bd13b3b86d290234c87a841b25d227bf649512
MD5 hash: 5bc353e1bcca5b437d4feffa0fc794fc
humanhash: papa-william-double-william
File name:tlses(x86).exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:5'861'768 bytes
First seen:2025-03-11 16:10:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 610c18ddfd048a5111991c57a9f48c59 (1 x Rhadamanthys)
ssdeep 98304:NYZClWiF/2gdhsbg7yh+UhuKp7yBg/QQabWWv6:NqC8ihsms+KZp7yAQPW26
TLSH T1F246DF365650D422D532FD388F33F9070978ACB59D2681A46BAE28CE42E96F461FC7D3
TrID 52.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
16.8% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
7.5% (.EXE) OS/2 Executable (generic) (2029/13)
7.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon e0f8fafbc3f3f8d8 (41 x GCleaner, 3 x Amadey, 1 x Rhadamanthys)
Reporter aachum
Tags:CryptOne exe Rhadamanthys


Avatar
iamaachum
https://www.youtube.com/channel/UCQVwOh6Zz2v-Z_XPoBZwc8Q/community?lb=UgkxI5DzEvvgsSS61xIvwMQ7uKT0icVdpks6 => https://www.mediafire.com/folder/9bk6vr9ukoafp/gameees

Intelligence

File Origin
# of uploads :
1
# of downloads :
441
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
tlsesx86.exe
Verdict:
Malicious activity
Analysis date:
2025-03-11 16:20:38 UTC
Tags:
delphi rhadamanthys stealer shellcode
Link:
https://app.any.run/tasks/0f146aae-f8b9-4eae-8438-1e94925e880d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67d062d54fd7d3fd0e08437c
Tags:
delphi emotet cobalt
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Searching for the window
Сreating synchronization primitives
Creating a window
Launching a process
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a recently created process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
borland_delphi invalid-signature signed
Link:
https://www.filescan.io/uploads/67d060b9e95d0f9029e77d33/reports/96f17c51-44ca-453f-9a43-944f21ed2abf/overview
Verdict:
Suspicious
Labled as:
Malware_
Link:
https://www.hybrid-analysis.com/sample/ec7bee464dfecee9727881acf530a1b649be2036b716f0859910f938f2e577dd
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/939db1a9-153a-48e7-8ee2-13a5ef834515
Result
Threat name:
CryptOne, RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1635433
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
Score:
94%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/ec7bee464dfecee9727881acf530a1b649be2036b716f0859910f938f2e577dd
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ec7bee464dfecee9727881acf530a1b649be2036b716f0859910f938f2e577dd/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5r564rsn73hos4tyqgwpkmfbwze34ibww4lpbbmzcd4tr4xfo7oq._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
error
Rhadamanthys
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery
Link:
https://tria.ge/reports/250311-tm1gsaywes/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b947f3c7-e36d-4e4c-9e04-36851f653ad6
Unpacked files
SH256 hash:
ec7bee464dfecee9727881acf530a1b649be2036b716f0859910f938f2e577dd
MD5 hash:
5bc353e1bcca5b437d4feffa0fc794fc
SHA1 hash:
d4bd13b3b86d290234c87a841b25d227bf649512
Link:
https://www.unpac.me/results/fb044789-bf18-49c2-9b72-262502401ea9/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ec7bee464dfe/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe ec7bee464dfecee9727881acf530a1b649be2036b716f0859910f938f2e577dd

(this sample)

Executable exe 7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

  
Link
https://tria.ge/250311-tgqqdsyvcv/behavioral2
  
Delivery method
Distributed via web download
  
Dropping
SHA256 7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b
  
Dropping
MD5 b826dd92d78ea2526e465a34324ebeea

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_NXMissing Non-Executable Memory Protectioncritical
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and Threadskernel32.dll::CloseHandle
kernel32.dll::CreateThread
WIN_BASE_APIUses Win Base APIkernel32.dll::LoadLibraryExA
kernel32.dll::LoadLibraryA
kernel32.dll::GetSystemInfo
kernel32.dll::GetStartupInfoA
kernel32.dll::GetDiskFreeSpaceA
kernel32.dll::GetCommandLineA
WIN_BASE_IO_APICan Create Fileskernel32.dll::CreateFileA
kernel32.dll::FindFirstFileA
kernel32.dll::GetTempPathA
version.dll::GetFileVersionInfoSizeA
version.dll::GetFileVersionInfoA
WIN_REG_APICan Manipulate Windows Registryadvapi32.dll::RegOpenKeyExA
advapi32.dll::RegQueryValueExA
WIN_USER_APIPerforms GUI Actionsuser32.dll::ActivateKeyboardLayout
user32.dll::CreateMenu
user32.dll::FindWindowA
user32.dll::PeekMessageA
user32.dll::CreateWindowExA

Comments