MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee644c7f76e889ec485a542b3063eac856c9ebbce1c1246c910637621722f727. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 16

Intelligence 16 IOCs YARA File information Comments

SHA256 hash:	ee644c7f76e889ec485a542b3063eac856c9ebbce1c1246c910637621722f727
SHA3-384 hash:	cc20c605002a470064256fcc27c41b211746c7b737fe973aa6dd4ff106a227a66083e10c47f2f1719a156c033e52b9e8
SHA1 hash:	ece48a447ef6be44b15b2e4898ad666d6b711f08
MD5 hash:	f52af822796c183cf9e2dccc91c48d59
humanhash:	fanta-burger-nuts-coffee
File name:	random.exe
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	2'021'376 bytes
First seen:	2025-11-03 11:59:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2eabe9054cad5152567f0699947a2c5b (2'852 x LummaStealer, 1'312 x Stealc, 1'026 x Healer)
ssdeep	49152:1ha6kOwonoRbRy2uIhITgqQkXTkX9+htAK5I+:7aPOwoo9wnIqTtVTkt+hqKK+
Threatray	2'125 similar samples on MalwareBazaar
TLSH	T1B59533DF8C29A5ECDA9BC3722877814746387E29947AFDC4E05C61A4AF5624C1EF301B
TrID	27.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 20.8% (.EXE) Win16 NE executable (generic) (5038/12/1) 18.6% (.EXE) Win32 Executable (generic) (4504/4/1) 8.5% (.ICL) Windows Icons Library (generic) (2059/9) 8.3% (.EXE) OS/2 Executable (generic) (2029/13)
Magika	pebin
Reporter	abuse_ch
Tags:	exe Rhadamanthys

Intelligence

File Origin

# of uploads :

# of downloads :

106

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

random.exe

Verdict:

Malicious activity

Analysis date:

2025-11-03 12:10:06 UTC

Tags:

rhadamanthys stealer websocket

Link:

https://app.any.run/tasks/88ca574a-f3bc-4f54-be35-5f88b55d9d2e

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/35146/

Detection(s):

SecuriteInfo.com.Trojan.Lumma-1.UNOFFICIAL

Verdict:

Malicious

Score:

92.5%

Link:

https://cyber-fortress.com/docs/result/index.php?id=690899e99942f1282ecba8b7

Tags:

overt spawn crypt

Result

Verdict:

Malware

Maliciousness:

Behaviour

Сreating synchronization primitives

Searching for analyzing tools

Creating a window

Launching a process

Sending a custom TCP request

Launching the default Windows debugger (dwwin.exe)

Using the Windows Management Instrumentation requests

DNS request

Connection attempt

Unauthorized injection to a system process

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm crypt microsoft_visual_cc obfuscated overlay overlay packed packed themidawinlicense zero

Link:

https://www.filescan.io/uploads/69089b2bde25fddba062c317/reports/ee52cb6e-a595-492f-b7d6-100eb616868c/overview

Verdict:

Malicious

Labled as:

Symmi.Generic

Link:

https://www.hybrid-analysis.com/sample/ee644c7f76e889ec485a542b3063eac856c9ebbce1c1246c910637621722f727

Verdict:

Malicious

File Type:

exe x32

First seen:

2025-11-02T06:10:00Z UTC

Last seen:

2025-11-04T03:37:00Z UTC

Hits:

~10

Detections:

Trojan.Win32.Strab.sb HEUR:Trojan-PSW.Win32.Lumma.pef HEUR:Trojan-PSW.Win32.Generic Trojan.Win64.SBEscape.sb

Link:

https://opentip.kaspersky.com/ee644c7f76e889ec485a542b3063eac856c9ebbce1c1246c910637621722f727/results?tab=lookup

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/efb51d69-ee55-43f6-a3cb-3cb964ee6e5e

Result

Threat name:

RHADAMANTHYS

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1806881

Signature

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Hides threads from debuggers

Multi AV Scanner detection for submitted file

PE file contains section with special chars

Potentially malicious time measurement code found

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Yara detected RHADAMANTHYS Stealer

Behaviour

Behavior Graph:

Download SVG

Score:

100%

Verdict:

Malware

File Type:

Link:

https://malprob.io/report/ee644c7f76e889ec485a542b3063eac856c9ebbce1c1246c910637621722f727

Verdict:

inconclusive

YARA:

4 match(es)

Tags:

Executable PE (Portable Executable) PE File Layout Win 32 Exe x86

Link:

https://app.malva.re/file/f52af822796c183cf9e2dccc91c48d59

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ee644c7f76e889ec485a542b3063eac856c9ebbce1c1246c910637621722f727/

Verdict:

Malicious

Threat:

Family.RHADAMANTHYS

Link:

https://tip.neiki.dev/file/ee644c7f76e889ec485a542b3063eac856c9ebbce1c1246c910637621722f727

Threat name:

Win32.Trojan.Symmi

Status:

Malicious

First seen:

2025-11-02 18:04:41 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 36 (72.22%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5zsey73w5ce6ysc2kqvtay7kzblmt2544hasi3eray3wefzc64tq._file

Verdict:

malicious

Label(s):

rhadamanthys

Rhadamanthys

551863be2e92aa2d319a92cda72bc2123233ee3a7e965ee691fd70d88c21d772

Rhadamanthys

55d8dc6d475a919fe7ec17bd2575cf0f0a1eec913dba89f9556b69621eec0eb6

Rhadamanthys

5dfcdc1c491fbf2f7f2fbac6bbf27b84be652583b66b252c46e8ed86577c3c60

Rhadamanthys

67fd31f9b85ca5e31e0851c8a5f8f2f36343d884aa3dd7f26d4aa6c5d02b28fe

Rhadamanthys

9a577c544360db41918b2d1890ae1abf2407e734f77d307ef8828a151d8252d4

Rhadamanthys

a509d90eaa00df8640c180439726fc0ed487dc30d236e19d1fc1514782e23671

Rhadamanthys

b5d44eb79bb60df60b30f4157e958cb1a84c6ed93f2fb3767e96c573c27092e4

Rhadamanthys

dd6d8363c2761f77948a54be192dbbe563d2da9dd8f922102547631ccbd05ebb

Rhadamanthys

ecc38b2d94c70426a8c8ffb8d0414c048023731d37153f2ac50e62d966505143

Rhadamanthys

error

Rhadamanthys

+ 2'115 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

defense_evasion discovery

Link:

https://tria.ge/reports/251103-padd9sxles/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Program crash

System Location Discovery: System Language Discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Checks BIOS information in registry

Identifies Wine through registry keys

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Suspicious use of NtCreateUserProcessOtherParentProcess

Verdict:

Malicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/6ef4be10-e042-4e7f-bf25-8c177a43d028

Unpacked files

SH256 hash:

ee644c7f76e889ec485a542b3063eac856c9ebbce1c1246c910637621722f727

MD5 hash:

f52af822796c183cf9e2dccc91c48d59

SHA1 hash:

ece48a447ef6be44b15b2e4898ad666d6b711f08

Link:

https://www.unpac.me/results/24b53f8d-2e42-4817-a2f0-52b52002e88b/

SH256 hash:

84e9ab0d5e12300f745c939e45bbfe194cbaa9d0edc7fcd47060a1dbe0c2abab

MD5 hash:

51774246545ddae06ac0b30c31ce20dd

SHA1 hash:

36d45995f5c978849b868931293ca3f8504da19e

Link:

https://www.unpac.me/results/24b53f8d-2e42-4817-a2f0-52b52002e88b/

Malware family:

Rhadamanthys

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/ee644c7f76e8/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ee644c7f76e889ec485a542b3063eac856c9ebbce1c1246c910637621722f727

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

exe ee644c7f76e889ec485a542b3063eac856c9ebbce1c1246c910637621722f727

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/3687751/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/35146/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample