File name:	38dca92c5403153f11432de81da14c1e28300bc90b908d107c66afaba2ebf009.exe
Full analysis:	https://app.any.run/tasks/52c40518-e8a2-432e-829d-50836eb7d896
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Rhadamanthys is a C++ information-stealing malware that extracts sensitive data from infiltrated machines. Its layered operational chain and advanced evasion tactics make it a major risk in cybersecurity landscapes. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	September 03, 2025, 17:53:48
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	rhadamanthys stealer golang loader
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (console) x86-64, for MS Windows, 15 sections
MD5:	20E11084444116FAA56D4632DF49A179
SHA1:	9E8A3A075934A923FF1D0817B95589CC11ECBA3E
SHA256:	38DCA92C5403153F11432DE81DA14C1E28300BC90B908D107C66AFABA2EBF009
SSDEEP:	98304:uDQs0mUPddofvw95mKdSM+iFVaOhclT0d8LGaTZLPnrnSBZnHZSCXTZjh3EmBPsr:NguLI

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	3
CodeSize:	2630144
InitializedDataSize:	305152
UninitializedDataSize:	-
EntryPoint:	0x77620
OSVersion:	6.1
ImageVersion:	1
SubsystemVersion:	6.1
Subsystem:	Windows command line

PID	Process	Filename		Type
4320	38dca92c5403153f11432de81da14c1e28300bc90b908d107c66afaba2ebf009.exe	C:\Users\admin\Desktop\rhad.exe		executable
		MD5:81606826D17745BFB2F19747C2D639B7	SHA256:FB66A102713120188018C21937F5B287C8BC089143A44D541C66F2BD221DE23B

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1268	svchost.exe	GET	200	2.18.244.223:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	2.18.244.223:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.200.213.221:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7064	RUXIMICS.exe	GET	200	2.18.244.223:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	23.200.213.221:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7064	RUXIMICS.exe	GET	200	23.200.213.221:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	108.181.20.35:443	https://files.catbox.moe/yn6snc	unknown	executable	423 Kb	unknown
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	unknown
—	—	POST	500	20.83.72.98:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5944	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7064	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6764	curl.exe	194.26.192.94:7777	—	1337 Services GmbH	NL	unknown
1268	svchost.exe	2.18.244.223:80	crl.microsoft.com	Akamai International B.V.	FR	whitelisted
5944	MoUsoCoreWorker.exe	2.18.244.223:80	crl.microsoft.com	Akamai International B.V.	FR	whitelisted
7064	RUXIMICS.exe	2.18.244.223:80	crl.microsoft.com	Akamai International B.V.	FR	whitelisted
1268	svchost.exe	23.200.213.221:80	www.microsoft.com	AKAMAI-AS	FR	whitelisted

Domain	IP	Reputation
google.com	172.217.23.110	whitelisted
crl.microsoft.com	2.18.244.223 2.18.244.211	whitelisted
www.microsoft.com	23.200.213.221	whitelisted
settings-win.data.microsoft.com	51.124.78.146 51.104.136.2	whitelisted
files.catbox.moe	108.181.20.35	malicious
self.events.data.microsoft.com	20.42.65.84	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98 4.255.142.105	whitelisted

PID	Process	Class	Message
6764	curl.exe	Malware Command and Control Activity Detected	MALWARE [ANY.RUN] Rhadamanthys Stealer CnC related IP address
4320	38dca92c5403153f11432de81da14c1e28300bc90b908d107c66afaba2ebf009.exe	Potentially Bad Traffic	ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI)
—	—	Misc activity	ET USER_AGENTS Go HTTP Client User-Agent
—	—	Misc activity	ET INFO Go-http-client User-Agent Observed Outbound
—	—	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP

General Info

38dca92c5403153f11432de81da14c1e28300bc90b908d107c66afaba2ebf009.exe

20E11084444116FAA56D4632DF49A179

9E8A3A075934A923FF1D0817B95589CC11ECBA3E

38DCA92C5403153F11432DE81DA14C1E28300BC90B908D107C66AFABA2EBF009

98304:uDQs0mUPddofvw95mKdSM+iFVaOhclT0d8LGaTZLPnrnSBZnHZSCXTZjh3EmBPsr:NguLI

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

RHADAMANTHYS has been detected (SURICATA)

Connects to the CnC server

SUSPICIOUS

Starts CMD.EXE for commands execution

Connects to unusual port

Contacting a server suspected of hosting an CnC

Executable content was dropped or overwritten

INFO

Checks supported languages

Execution of CURL command

Drops encrypted JS script (Microsoft Script Encoder)

Detects GO elliptic curve encryption (YARA)

Application based on Golang

Reads the computer name

Reads the machine GUID from the registry

Reads the software policy settings

The sample compiled with english language support

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings