MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f5888c957b5289926e54a679feb00e17eda4a7e9ceba12b53c53fe779a4c7a1e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 14


Intelligence 14 IOCs YARA 41 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f5888c957b5289926e54a679feb00e17eda4a7e9ceba12b53c53fe779a4c7a1e
SHA3-384 hash: 2b4f5b600787fbe667d1c3db02f7ccd85d1ee1e8c6a773ffb570211118a8b727a36b9d96075e04fd873b6e4d05ea5d10
SHA1 hash: 1e313f040b6d0d24add1e60719504c5744a2e9fe
MD5 hash: 57428b091253989b0afe1245d618ce8e
humanhash: green-potato-steak-glucose
File name:f5888c957b5289926e54a679feb00e17eda4a7e9ceba12b53c53fe779a4c7a1e
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:13'743'104 bytes
First seen:2025-05-09 11:23:00 UTC
Last seen:2025-05-09 12:42:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f052f84efefe84f64ac7fab273eb8464 (9 x LummaStealer, 2 x Stealc, 2 x RemcosRAT)
ssdeep 196608:rxBeco2jBtoqIh/tmJqdEKSq/1DzUQJEd6PCl9u81tSx0USapM7lxBj:9scfBJe/G6M+UHsCl9b1tPp
TLSH T135D601136691903EE5AA02718C5FAE6481A97D738B3181D7F690FE1D2DF05C2B633B27
TrID 86.0% (.AX) DirectShow filter (201555/2/20)
4.4% (.EXE) Win64 Executable (generic) (10522/11/4)
2.8% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
2.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
1.9% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
dhash icon 47b3070f1c32331d (1 x Vidar, 1 x Rhadamanthys)
Reporter adrian__luca
Tags:exe Rhadamanthys

Intelligence

File Origin
# of uploads :
2
# of downloads :
461
Origin country :
HU HU
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
f5888c957b5289926e54a679feb00e17eda4a7e9ceba12b53c53fe779a4c7a1e
Verdict:
Malicious activity
Analysis date:
2025-05-09 11:18:43 UTC
Tags:
rhadamanthys stealer shellcode
Link:
https://app.any.run/tasks/efae58f7-810f-4861-b90e-93a56255da50

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=681de6ba4a59e5a2ce03409c
Tags:
shellcode dropper virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Moving a file to the %temp% subdirectory
Creating a process from a recently created file
Сreating synchronization primitives
Creating a window
Searching for synchronization primitives
Creating a file
Creating a process with a hidden window
Unauthorized injection to a recently created process
Launching a process
Using the Windows Management Instrumentation requests
Connection attempt
Unauthorized injection to a system process
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
adaptive-context explorer fingerprint lolbin microsoft_visual_cc msiexec overlay overlay packed packer_detected remote runonce
Link:
https://www.filescan.io/uploads/681de5ab0b64e174c41f90e9/reports/53a105e1-d3ba-4177-933d-9fb4e51a9b36/overview
Verdict:
Suspicious
Labled as:
Trojan[Dropper]/Genome
Link:
https://www.hybrid-analysis.com/sample/f5888c957b5289926e54a679feb00e17eda4a7e9ceba12b53c53fe779a4c7a1e
Malware family:
ExamShield
Create hunting rule
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/bbd0584e-e08d-42cb-acc4-c360163f75f9
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1685292
Signature
C2 URLs / IPs found in malware configuration
Drops PE files with benign system names
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Hides threads from debuggers
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
PE file has nameless sections
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade debugger and weak emulator (self modifying code)
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1685292 Sample: kZP3ROsTva.exe Startdate: 09/05/2025 Architecture: WINDOWS Score: 100 57 Found malware configuration 2->57 59 Malicious sample detected (through community Yara rule) 2->59 61 Multi AV Scanner detection for submitted file 2->61 63 7 other signatures 2->63 8 kZP3ROsTva.exe 29 2->8         started        process3 file4 39 C:\Users\user\AppData\...\kZP3ROsTva.exe, PE32 8->39 dropped 41 C:\Users\user\...\kZP3ROsTva.exe (copy), PE32 8->41 dropped 43 C:\Users\user\AppData\Local\...\setup.exe, PE32 8->43 dropped 45 C:\Users\user\AppData\Local\...\ISSetup.dll, PE32 8->45 dropped 11 kZP3ROsTva.exe 70 8->11         started        14 svchost.exe 8->14         started        process5 dnsIp6 47 C:\Users\user\AppData\...\Setup.exe (copy), PE32 11->47 dropped 49 C:\Users\user\AppData\Local\...\ISSetup.dll, PE32 11->49 dropped 51 C:\Users\user\...\vcruntime140.dll (copy), PE32 11->51 dropped 53 30 other files (none is malicious) 11->53 dropped 18 Setup.exe 20 11->18         started        22 ISBEW64.exe 11->22         started        24 ISBEW64.exe 11->24         started        26 4 other processes 11->26 55 89.110.95.20, 1301 RECONNRU Ukraine 14->55 75 System process connects to network (likely due to code injection or exploit) 14->75 77 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 14->77 79 Switches to a custom stack to bypass stack traces 14->79 file7 signatures8 process9 file10 31 C:\Users\user\AppData\Local\...\explorer.exe, PE32 18->31 dropped 33 C:\Users\user\AppData\Local\Temp\mnptbxvdo, PE32 18->33 dropped 35 C:\ProgramData\Btn\vcruntime140.dll, PE32 18->35 dropped 37 9 other files (none is malicious) 18->37 dropped 65 Injects code into the Windows Explorer (explorer.exe) 18->65 67 Tries to evade debugger and weak emulator (self modifying code) 18->67 69 Found hidden mapped module (file has been removed from disk) 18->69 71 4 other signatures 18->71 28 explorer.exe 1 18->28         started        signatures11 process12 signatures13 73 Switches to a custom stack to bypass stack traces 28->73
Score:
60%
Verdict:
Susipicious
File Type:
PE
Link:
https://malprob.io/report/f5888c957b5289926e54a679feb00e17eda4a7e9ceba12b53c53fe779a4c7a1e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f5888c957b5289926e54a679feb00e17eda4a7e9ceba12b53c53fe779a4c7a1e/
Threat name:
Win32.Downloader.Upatre
Create hunting rule
Status:
Malicious
First seen:
2025-05-09 11:23:28 UTC
File Type:
PE (Exe)
Extracted files:
226
AV detection:
14 of 24 (58.33%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6weizfl3kkeze3suuz475maoc7w2jj7jz25bfnj4kp7hpgsmpipa._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
error
Rhadamanthys
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery
Link:
https://tria.ge/reports/250509-nhbpzadl6w/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks installed software on the system
Executes dropped EXE
Loads dropped DLL
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/836cfcef-983e-4cf8-ba83-c2c59c8840e4
Unpacked files
SH256 hash:
f5888c957b5289926e54a679feb00e17eda4a7e9ceba12b53c53fe779a4c7a1e
MD5 hash:
57428b091253989b0afe1245d618ce8e
SHA1 hash:
1e313f040b6d0d24add1e60719504c5744a2e9fe
Link:
https://www.unpac.me/results/2639d852-7042-4d09-8ddc-412c75167fc4/
SH256 hash:
0ad5139bfeaee9da3af9342ee408d734d05ba4f06fef194336c9b5fd3a8e380a
MD5 hash:
839b08f72defd70a3391e1de64110b21
SHA1 hash:
0e5850815bc4cca4c1bcdc2721a742dc41535a2b
Link:
https://www.unpac.me/results/2639d852-7042-4d09-8ddc-412c75167fc4/
SH256 hash:
405b0903e04909af7bde20a1d7a11fb7a0ba1bb65e2446850b705a4d5ce553f7
MD5 hash:
23f669ed8e8ab947fed01486fcf5acd0
SHA1 hash:
9fe6070b0dda3e5006c52e25349b48f6d05fb647
Link:
https://www.unpac.me/results/2639d852-7042-4d09-8ddc-412c75167fc4/
SH256 hash:
b77ac494c20606fc7a106ae1f582c082aa2347a4cf45b457e9c0ed2115890156
MD5 hash:
1482dcdbd84c4d508801a36663c8e529
SHA1 hash:
eff73b504963c0b7802ade0bdd8b73da935dc25f
Link:
https://www.unpac.me/results/2639d852-7042-4d09-8ddc-412c75167fc4/
SH256 hash:
e60d687f2625ed824348396ccae1b66eb2a8bcd4f656dbfc5bf14a73305439ae
MD5 hash:
775315e67e2093fc610d2797898c21e5
SHA1 hash:
472caea528962e41e6f25a30e6fdde9d17ec9e5f
Link:
https://www.unpac.me/results/2639d852-7042-4d09-8ddc-412c75167fc4/
SH256 hash:
fb914532af669f5bee2e3208ab59b1cca0fbcf85f0c3e0dc9678dc063fe5c2f4
MD5 hash:
b5d248175b7a1c7131e554430d50ddd6
SHA1 hash:
75e4a5dcf71ca0378ae63738a3bcd5e04a93e007
Link:
https://www.unpac.me/results/2639d852-7042-4d09-8ddc-412c75167fc4/
SH256 hash:
8c6fa15edf92d94401ffeab00a7cf8b4a390910de08f85a427739ba23802e38f
MD5 hash:
42b0a928cbef02e2b1826b8837b2404c
SHA1 hash:
8c17da088c5f8144fa85785595e15fb5b7fe0611
Link:
https://www.unpac.me/results/2639d852-7042-4d09-8ddc-412c75167fc4/
SH256 hash:
b6435b230493f986469bafe4bbadd3382fe13683b40c2445db48c04af52f74f8
MD5 hash:
d0f60769d24f03f2649a612e9e4726a4
SHA1 hash:
8ea04742eb5cb0c8c6a21e01f5d474342444be72
Link:
https://www.unpac.me/results/2639d852-7042-4d09-8ddc-412c75167fc4/
SH256 hash:
8c2cfd155e80ead3ed947e8615eab71351cafec1582812eb679239ddc6bba9a4
MD5 hash:
e7e19f9c420c23b969de758898b6e811
SHA1 hash:
c7c9d18a99bba4f852148c220998421ea2fbdbd3
Link:
https://www.unpac.me/results/2639d852-7042-4d09-8ddc-412c75167fc4/
SH256 hash:
5ff5bac0bd906e05dc37f867f167917bc91731ccfbdc6956b92a7954e6b0306a
MD5 hash:
84391655969c4586ca0a1a94b0e88f2d
SHA1 hash:
c87b16994d84e9c1cdd258de24f59846a509d479
Link:
https://www.unpac.me/results/2639d852-7042-4d09-8ddc-412c75167fc4/
SH256 hash:
5cec952da4f0dbd7e6d542ffea563d304d7adcc30281dbf1f7627781d91f58f5
MD5 hash:
09da8cdba7af13ea8417d94f645277b9
SHA1 hash:
d0fae17077aefc8a246df5a49bf54b3a9657d9eb
Link:
https://www.unpac.me/results/2639d852-7042-4d09-8ddc-412c75167fc4/
SH256 hash:
3b67252e1b63acf002cdf10481f64fc82833217536e233d9b37bc70a67ea3bcb
MD5 hash:
bf607102f272eadb7b816a61d401fd97
SHA1 hash:
f2deaa0ca1920ede8f2c302697b4f39f6377788a
Link:
https://www.unpac.me/results/2639d852-7042-4d09-8ddc-412c75167fc4/
SH256 hash:
00c414b5e08cee6980bf9e10f0cb85ccc69a8285a63519078f2e7a7da345fb50
MD5 hash:
e2105e3acf92695452fa9cd36564fd26
SHA1 hash:
2ecbe53cb2bd903c4e9cd5cd263eeb0b5feb8144
Link:
https://www.unpac.me/results/2639d852-7042-4d09-8ddc-412c75167fc4/
SH256 hash:
a6edb3fb6d21dd461da3767a7995034e208f7d6b08997f6cf7ee7b0ea833a8f0
MD5 hash:
cabb58bb5694f8b8269a73172c85b717
SHA1 hash:
9ed583c56385fed8e5e0757ddb2fdf025f96c807
Link:
https://www.unpac.me/results/2639d852-7042-4d09-8ddc-412c75167fc4/
SH256 hash:
68bee500e0080f21c003126e73b6d07804d23ac98b2376a8b76c26297d467abe
MD5 hash:
d4dae7149d6e4dab65ac554e55868e3b
SHA1 hash:
b3bea0a0a1f0a6f251bcf6a730a97acc933f269a
Link:
https://www.unpac.me/results/2639d852-7042-4d09-8ddc-412c75167fc4/
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/f5888c957b52/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BLOWFISH_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for Blowfish constants
Rule name:Check_OutputDebugStringA_iat
Create hunting rule
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:command_and_control
Create hunting rule
Author:CD_R0M_
Description:This rule searches for common strings found by malware using C2. Based on a sample used by a Ransomware group
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__GlobalFlags
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Active
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerHiding__Thread
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_PowerShell_Obfuscation
Create hunting rule
Author:daniyyell
Description:Detects obfuscated PowerShell commands commonly used in malicious scripts.
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_indirect_function_call_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PE_Digital_Certificate
Create hunting rule
Author:albertzsigovits
Rule name:pe_no_import_table
Create hunting rule
Description:Detect pe file that no import table
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:SHA512_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA384/SHA512 constants
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques
Rule name:WHIRLPOOL_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for WhirlPool constants
Rule name:win_rat_generic
Create hunting rule
Author:Reedus0
Description:Rule for detecting generic RAT malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
Reviews
IDCapabilitiesEvidence
AUTH_APIManipulates User AuthorizationADVAPI32.dll::AllocateAndInitializeSid
ADVAPI32.dll::CreateWellKnownSid
ADVAPI32.dll::EqualSid
ADVAPI32.dll::FreeSid
ADVAPI32.dll::SetEntriesInAclW
ADVAPI32.dll::InitializeSecurityDescriptor
COM_BASE_APICan Download & Execute componentsole32.dll::CoCreateInstance
ole32.dll::CoInitializeSecurity
ole32.dll::CreateStreamOnHGlobal
GDI_PLUS_APIInterfaces with Graphicsgdiplus.dll::GdiplusStartup
gdiplus.dll::GdipDeleteGraphics
gdiplus.dll::GdipAlloc
gdiplus.dll::GdipCreateFromHDC
RPC_APICan Execute Remote ProceduresRPCRT4.dll::RpcStringFreeW
SECURITY_BASE_APIUses Security Base APIADVAPI32.dll::AdjustTokenPrivileges
ADVAPI32.dll::GetTokenInformation
ADVAPI32.dll::SetSecurityDescriptorDacl
ADVAPI32.dll::SetSecurityDescriptorGroup
ADVAPI32.dll::SetSecurityDescriptorOwner
SHELL_APIManipulates System ShellSHELL32.dll::ShellExecuteExW
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CreateProcessW
KERNEL32.dll::OpenProcess
ADVAPI32.dll::OpenProcessToken
ADVAPI32.dll::OpenThreadToken
KERNEL32.dll::CloseHandle
KERNEL32.dll::CreateThread
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryA
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::LoadLibraryExA
KERNEL32.dll::GetSystemInfo
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleMode
KERNEL32.dll::GetConsoleCP
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CopyFileW
KERNEL32.dll::CreateDirectoryW
KERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileMappingW
KERNEL32.dll::DeleteFileW
KERNEL32.dll::MoveFileW
KERNEL32.dll::MoveFileExW
WIN_BASE_USER_APIRetrieves Account InformationADVAPI32.dll::LookupPrivilegeValueW
WIN_REG_APICan Manipulate Windows RegistryADVAPI32.dll::RegCreateKeyExW
ADVAPI32.dll::RegDeleteKeyW
ADVAPI32.dll::RegOpenKeyExW
ADVAPI32.dll::RegOpenKeyW
ADVAPI32.dll::RegQueryInfoKeyW
ADVAPI32.dll::RegQueryValueExW
WIN_USER_APIPerforms GUI ActionsUSER32.dll::FindWindowExW
USER32.dll::PeekMessageW
USER32.dll::CreateWindowExW

Comments