MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f553605fb8722472509ee1612fe24c835aec8d7a71d3554d59983f3524467725. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 16


Intelligence 16 IOCs YARA 11 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f553605fb8722472509ee1612fe24c835aec8d7a71d3554d59983f3524467725
SHA3-384 hash: 85b40e3c5a9a40cb818bd20ee05b2aba51f7472463e4ba2a39796b06ad4b9ec2735c040284841ce701961a130abb093d
SHA1 hash: 782aac8be738814e5b8f5c4cb9de704df4b1ec2a
MD5 hash: 18df92826301d35ec512fc5234d20a33
humanhash: angel-four-xray-xray
File name:ala.exe
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:4'232'480 bytes
First seen:2025-08-28 06:34:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash ff26bb14d4e19e4acf769fa08a4b854b (1 x Rhadamanthys)
ssdeep 98304:hEaW/X/3KuGFicSP4dXvSFbSN3C8JCS9viL/IZ5k:hG/KDFicq4tvS+NFtvMQnk
TLSH T14516F12D60C6D22DC373E679FCFBE7AA8CD7684629077A2D69D02B480665B007370DD6
TrID 52.9% (.EXE) Win32 Executable Delphi generic (14182/79/4)
16.8% (.EXE) Win32 Executable (generic) (4504/4/1)
7.7% (.EXE) Win16/32 Executable Delphi generic (2072/23)
7.5% (.EXE) OS/2 Executable (generic) (2029/13)
7.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter abuse_ch
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
SE SE
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ala.exe
Verdict:
Malicious activity
Analysis date:
2025-08-27 16:29:02 UTC
Tags:
anti-evasion rhadamanthys shellcode
Link:
https://app.any.run/tasks/0f0b393f-0d9a-4044-b7e9-a9eca3536704

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/23978/
Verdict:
Malicious
Score:
97.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68aff8d3eb163e0ec182f441
Tags:
delphi cobalt emotet
Result
Verdict:
Malware
Maliciousness:

Behaviour
Сreating synchronization primitives
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Launching a process
Using the Windows Management Instrumentation requests
Connection attempt
Sending a custom TCP request
DNS request
Sending a UDP request
Reading critical registry keys
Searching for the window
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Unauthorized injection to a system process
Stealing user critical data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context anti-debug base64 borland_delphi expired-cert fingerprint invalid-signature keylogger packed signed threat
Link:
https://www.filescan.io/uploads/68aff8cc1c81c34281d640bb/reports/bed3c8d7-8895-4bc1-a528-2d0384998496/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/f553605fb8722472509ee1612fe24c835aec8d7a71d3554d59983f3524467725
Verdict:
Malicious
File Type:
exe x32
First seen:
2025-08-27T14:40:00Z UTC
Last seen:
2025-08-27T14:40:00Z UTC
Hits:
~10
Detections:
PDM:Trojan.Win32.Generic HEUR:Trojan.Win32.Inject.gen
Link:
https://opentip.kaspersky.com/f553605fb8722472509ee1612fe24c835aec8d7a71d3554d59983f3524467725/results?tab=lookup
Malware family:
RealVNC
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/0e07de61-239e-43b9-9667-52908ae6e54e
Result
Threat name:
CryptOne, RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1766808
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Early bird code injection technique detected
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected CryptOne packer
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1766808 Sample: ala.exe Startdate: 28/08/2025 Architecture: WINDOWS Score: 100 50 ts1.aco.net 2->50 52 time.google.com 2->52 54 4 other IPs or domains 2->54 74 Found malware configuration 2->74 76 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->76 78 Multi AV Scanner detection for submitted file 2->78 80 3 other signatures 2->80 11 ala.exe 2 2->11         started        15 elevation_service.exe 2->15         started        17 elevation_service.exe 2->17         started        19 2 other processes 2->19 signatures3 process4 file5 46 C:\Users\user\AppData\...\svchost015.exe, PE32 11->46 dropped 48 C:\Users\user\AppData\Local\...\svcF204.tmp, PE32 11->48 dropped 86 Writes to foreign memory regions 11->86 88 Found hidden mapped module (file has been removed from disk) 11->88 90 Maps a DLL or memory area into another process 11->90 21 svchost015.exe 11->21         started        signatures6 process7 signatures8 82 Switches to a custom stack to bypass stack traces 21->82 24 OpenWith.exe 21->24         started        process9 dnsIp10 56 45.156.87.119, 34433, 46888, 49721 SKYLINKNL Germany 24->56 84 Switches to a custom stack to bypass stack traces 24->84 28 dllhost.exe 3 24->28         started        signatures11 process12 dnsIp13 64 time-a-g.nist.gov 129.6.15.28, 123, 53949 US-NATIONAL-INSTITUTE-OF-STANDARDS-AND-TECHNOLOGYUS United States 28->64 66 ntp.time.nl 94.198.159.10, 123, 53949 SIDNNL Netherlands 28->66 68 5 other IPs or domains 28->68 92 Early bird code injection technique detected 28->92 94 Tries to harvest and steal browser information (history, passwords, etc) 28->94 96 Maps a DLL or memory area into another process 28->96 98 Queues an APC in another process (thread injection) 28->98 32 wmplayer.exe 28->32         started        35 chrome.exe 1 28->35         started        37 chrome.exe 28->37         started        signatures14 process15 signatures16 70 Writes to foreign memory regions 32->70 72 Allocates memory in foreign processes 32->72 39 dllhost.exe 32->39         started        41 chrome.exe 35->41         started        44 chrome.exe 35->44         started        process17 dnsIp18 58 googlehosted.l.googleusercontent.com 142.251.35.161, 443, 49732 GOOGLEUS United States 41->58 60 127.0.0.1 unknown unknown 41->60 62 3 other IPs or domains 41->62
Score:
95%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/f553605fb8722472509ee1612fe24c835aec8d7a71d3554d59983f3524467725
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f553605fb8722472509ee1612fe24c835aec8d7a71d3554d59983f3524467725/
Verdict:
Malicious
Threat:
Family.RHADAMANTHYS
Link:
https://tip.neiki.dev/file/f553605fb8722472509ee1612fe24c835aec8d7a71d3554d59983f3524467725
Threat name:
Win32.Spyware.Rhadamanthys
Create hunting rule
Status:
Malicious
First seen:
2025-08-27 16:29:03 UTC
File Type:
PE (Exe)
Extracted files:
40
AV detection:
24 of 38 (63.16%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6vjwax5yoisheue64fqs7ysmqnnozdl2ohjvktkzta7tkjcgo4sq._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
error
Rhadamanthys
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys discovery stealer
Link:
https://tria.ge/reports/250828-hcteyayvf1/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Executes dropped EXE
Loads dropped DLL
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ede74bd2-a47e-4626-9e4f-40b9cd41556a
Unpacked files
SH256 hash:
f553605fb8722472509ee1612fe24c835aec8d7a71d3554d59983f3524467725
MD5 hash:
18df92826301d35ec512fc5234d20a33
SHA1 hash:
782aac8be738814e5b8f5c4cb9de704df4b1ec2a
Link:
https://www.unpac.me/results/6727c519-e964-4dc4-b8e9-5f45a61155a1/
SH256 hash:
776dfba7fc88bf0d8a37c468350118dc9c6a91a953d1add1d40b42255d90395c
MD5 hash:
33a4dbd11d7e7ab6abed71960d290969
SHA1 hash:
ed01ead2a78992d49972c16b0423a4021eeb3488
Link:
https://www.unpac.me/results/6727c519-e964-4dc4-b8e9-5f45a61155a1/
SH256 hash:
0a0b083cc0e62db594b7be21088202c7fe0970d609b2847085d0bf2be8e54a5c
MD5 hash:
4ce3ce196eda86d92b68362b6269b618
SHA1 hash:
fd42ee0aca0315acac25c297f1ce33634c549559
Link:
https://www.unpac.me/results/6727c519-e964-4dc4-b8e9-5f45a61155a1/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/f553605fb8722472509ee1612fe24c835aec8d7a71d3554d59983f3524467725

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BobSoftMiniDelphiBoBBobSoft
Create hunting rule
Author:malware-lu
Rule name:Borland
Create hunting rule
Author:malware-lu
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:shellcode
Create hunting rule
Author:nex
Description:Matched shellcode byte patterns
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/23978/

Comments