MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3e028476e8eba6b4d210dd1757a1f94c320e2e1c7194d5f449cf9fdb01a4ce9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 15


Intelligence 15 IOCs YARA 17 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f3e028476e8eba6b4d210dd1757a1f94c320e2e1c7194d5f449cf9fdb01a4ce9
SHA3-384 hash: ac7e6750ebc3d279a2c2ed138251b64f31e4564cbbfeac7f11081385418957edb597ac091338e9b3001d3e7828c1964a
SHA1 hash: 56292778f90591c0fee29d524ca8eccb7b2de5c4
MD5 hash: 83ef11121057f015ea866d2240e223fc
humanhash: fourteen-don-connecticut-stairway
File name:kosdko0.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:2'291'496 bytes
First seen:2025-08-09 03:00:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d42595b695fc008ef2c56aabd8efd68e (112 x Vidar, 92 x Rhadamanthys, 46 x Stealc)
ssdeep 49152:2GxBXlIIemzC1aSIGm139CSK309A+5oZAJr:2N81cX309/9
TLSH T1CEB56A5ABCD28476D45E933749A291D1BA31FC191F3223E73E90BA3C2FBA6D06835750
TrID 44.4% (.EXE) Win64 Executable (generic) (10522/11/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
dhash icon d8e0d4f0f0b0d4c0 (4 x LummaStealer, 3 x Rhadamanthys, 1 x RiseProStealer)
Reporter aachum
Tags:192-30-242-210 exe Rhadamanthys


Avatar
iamaachum
https://github.com/fk29s/.dsx/raw/refs/heads/main/kosdko0.exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
ES ES
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
kosdko0.exe
Verdict:
Malicious activity
Analysis date:
2025-08-09 03:03:23 UTC
Tags:
lumma
Link:
https://app.any.run/tasks/e4d595f5-f89b-41c9-b473-83db1c22dba7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Rhadamanthys
Create hunting rule
Link:
https://www.capesandbox.com/analysis/19825/
Verdict:
Malicious
Score:
99.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6896ba0e11d7f9b979e6cf45
Tags:
emotet spoof
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Unauthorized injection to a system process
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm expired-cert golang invalid-signature mingw obfuscated redcap signed threat
Link:
https://www.filescan.io/uploads/6896ba35397fd3ce6fa2ea7b/reports/5aeab066-0865-4133-9243-88915fd69341/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_60%
Link:
https://www.hybrid-analysis.com/sample/f3e028476e8eba6b4d210dd1757a1f94c320e2e1c7194d5f449cf9fdb01a4ce9
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/7f4008ae-5663-4a67-b6a7-3ba24105a2fe
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1753528
Signature
Allocates memory in foreign processes
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)
Detected potential unwanted application
Early bird code injection technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Potentially malicious time measurement code found
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1753528 Sample: kosdko0.exe Startdate: 09/08/2025 Architecture: WINDOWS Score: 100 57 twc.trafficmanager.net 2->57 59 time.windows.com 2->59 61 6 other IPs or domains 2->61 89 Multi AV Scanner detection for submitted file 2->89 91 Yara detected RHADAMANTHYS Stealer 2->91 93 Detected potential unwanted application 2->93 10 kosdko0.exe 2->10         started        13 msedge.exe 97 356 2->13         started        16 elevation_service.exe 2->16         started        18 3 other processes 2->18 signatures3 process4 dnsIp5 103 Injects code into the Windows Explorer (explorer.exe) 10->103 105 Writes to foreign memory regions 10->105 107 Allocates memory in foreign processes 10->107 109 3 other signatures 10->109 20 explorer.exe 10->20         started        77 192.168.2.5, 123, 138, 443 unknown unknown 13->77 79 239.255.255.250 unknown Reserved 13->79 24 msedge.exe 13->24         started        26 msedge.exe 13->26         started        28 msedge.exe 13->28         started        30 msedge.exe 13->30         started        signatures6 process7 dnsIp8 63 192.30.242.210, 49695, 49726, 8888 INTELLIGENT-TECHNOLOGY-SOLUTIONSUS United States 20->63 95 System process connects to network (likely due to code injection or exploit) 20->95 97 Query firmware table information (likely to detect VMs) 20->97 99 Found many strings related to Crypto-Wallets (likely being stolen) 20->99 101 5 other signatures 20->101 32 dllhost.exe 6 20->32         started        36 WerFault.exe 2 20->36         started        65 s-part-0012.t-0009.t-msedge.net 13.107.246.40, 443, 49721, 49722 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 24->65 67 ln-0007.ln-msedge.net 150.171.22.17, 443, 49714 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 24->67 69 9 other IPs or domains 24->69 signatures9 process10 dnsIp11 51 time-a-g.nist.gov 129.6.15.28, 123, 55260 US-NATIONAL-INSTITUTE-OF-STANDARDS-AND-TECHNOLOGYUS United States 32->51 53 ntp.time.nl 94.198.159.10, 123, 55260 SIDNNL Netherlands 32->53 55 5 other IPs or domains 32->55 81 Early bird code injection technique detected 32->81 83 Found many strings related to Crypto-Wallets (likely being stolen) 32->83 85 Tries to harvest and steal browser information (history, passwords, etc) 32->85 87 2 other signatures 32->87 38 chrome.exe 1 32->38         started        40 msedge.exe 14 32->40         started        42 chrome.exe 32->42         started        signatures12 process13 process14 44 chrome.exe 38->44         started        47 chrome.exe 38->47         started        49 msedge.exe 40->49         started        dnsIp15 71 googlehosted.l.googleusercontent.com 142.250.80.65, 443, 49705, 49706 GOOGLEUS United States 44->71 73 127.0.0.1 unknown unknown 44->73 75 clients2.googleusercontent.com 44->75
Score:
64%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/f3e028476e8eba6b4d210dd1757a1f94c320e2e1c7194d5f449cf9fdb01a4ce9
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f3e028476e8eba6b4d210dd1757a1f94c320e2e1c7194d5f449cf9fdb01a4ce9/
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/f3e028476e8eba6b4d210dd1757a1f94c320e2e1c7194d5f449cf9fdb01a4ce9
Threat name:
Win64.Trojan.LummaStealer
Create hunting rule
Status:
Malicious
First seen:
2025-08-09 03:03:50 UTC
File Type:
PE+ (Exe)
Extracted files:
40
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6pqcqr3or25gwtjbbxixk6q7stbsbyxby4mu2x2ett473ma2jtuq._file
Result
Malware family:
n/a
Score:
  5/10
Tags:
discovery
Link:
https://tria.ge/reports/250809-dh7sasfr2s/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/879c0b1e-1c4f-4c01-9ff5-e2ad5a44c477
Unpacked files
SH256 hash:
f3e028476e8eba6b4d210dd1757a1f94c320e2e1c7194d5f449cf9fdb01a4ce9
MD5 hash:
83ef11121057f015ea866d2240e223fc
SHA1 hash:
56292778f90591c0fee29d524ca8eccb7b2de5c4
Link:
https://www.unpac.me/results/215ec018-944c-4733-9bbf-85393d93c8e6/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f3e028476e8e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/f3e028476e8eba6b4d210dd1757a1f94c320e2e1c7194d5f449cf9fdb01a4ce9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectGoMethodSignatures
Create hunting rule
Author:Wyatt Tauber
Description:Detects Go method signatures in unpacked Go binaries
Rule name:Detect_Go_GOMAXPROCS
Create hunting rule
Author:Obscurity Labs LLC
Description:Detects Go binaries by the presence of runtime.GOMAXPROCS in the runtime metadata
Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:Golangmalware
Create hunting rule
Author:Dhanunjaya
Description:Malware in Golang
Rule name:golang_binary_string
Create hunting rule
Description:Golang strings present
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:golang_duffcopy_amd64
Create hunting rule
Rule name:HiveRansomware
Create hunting rule
Author:Dhanunjaya
Description:Yara Rule To Detect Hive V4 Ransomware
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:ProgramLanguage_Golang
Create hunting rule
Author:albertzsigovits
Description:Application written in Golang programming language
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Windows_Generic_MalCert_65514fe0
Create hunting rule
Author:Elastic Security

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

zip 295daf1a4f0b429a57a435f80acc6707a1cd33dbec9ba1be4d61772fc0adf3e0

Rhadamanthys

Executable exe f3e028476e8eba6b4d210dd1757a1f94c320e2e1c7194d5f449cf9fdb01a4ce9

(this sample)

  
Link
https://tria.ge/250809-dfg4vswnv6/behavioral2
  
Dropped by
SHA256 295daf1a4f0b429a57a435f80acc6707a1cd33dbec9ba1be4d61772fc0adf3e0
  
Delivery method
Distributed via web download
  
Dropped by
MD5 eaaf00e558a7dad74ff5e6f37099f044
Cape
Cape
https://www.capesandbox.com/analysis/19825/

Comments