File name:	3ba293fb08e6a24ed05909ff2079c932844dc48cdf4a97854ee6eb25c64d7f7b.exe
Full analysis:	https://app.any.run/tasks/38511604-3c5d-4a08-af84-e4e6e09736bd
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Rhadamanthys is a C++ information-stealing malware that extracts sensitive data from infiltrated machines. Its layered operational chain and advanced evasion tactics make it a major risk in cybersecurity landscapes. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	September 03, 2025, 17:56:58
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	rhadamanthys stealer golang loader
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (console) x86-64, for MS Windows, 15 sections
MD5:	75AE41757E77956D997C3A6ACA0A4D40
SHA1:	91C4DF8E75FA8240BC76D61AF5BC08437E81D31A
SHA256:	3BA293FB08E6A24ED05909FF2079C932844DC48CDF4A97854EE6EB25C64D7F7B
SSDEEP:	98304:uDQs0mUPddofvw95mKdSM+iFVaOhclT0d8LGaTZLPnrnSBZnHZSCXTZjh3EmBPsY:NguLL

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	0000:00:00 00:00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	3
CodeSize:	2630144
InitializedDataSize:	305152
UninitializedDataSize:	-
EntryPoint:	0x77620
OSVersion:	6.1
ImageVersion:	1
SubsystemVersion:	6.1
Subsystem:	Windows command line

PID	Process	Filename		Type
1508	3ba293fb08e6a24ed05909ff2079c932844dc48cdf4a97854ee6eb25c64d7f7b.exe	C:\Users\admin\Desktop\rhad.exe		executable
		MD5:24D8BCD9CF44A3F4B0414A45AE54B6E1	SHA256:46F321612D2ABE844BDC16BF960F2808D677A3684F406ABB886A6E0A60F2EE06

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1268	svchost.exe	GET	200	23.216.77.6:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	DE	binary	825 b	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.216.77.6:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	DE	binary	825 b	whitelisted
1040	RUXIMICS.exe	GET	200	23.216.77.6:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	DE	binary	825 b	whitelisted
1268	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	NL	binary	814 b	whitelisted
1040	RUXIMICS.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	NL	binary	814 b	whitelisted
—	—	POST	200	20.190.160.5:443	https://login.live.com/RST2.srf	US	xml	1.24 Kb	unknown
—	—	POST	400	20.190.160.17:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	203 b	unknown
—	—	POST	400	20.190.160.64:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	203 b	unknown
—	—	POST	400	40.126.32.134:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	203 b	unknown
—	—	POST	400	20.190.160.67:443	https://login.live.com/ppsecure/deviceaddcredential.srf	US	text	203 b	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1040	RUXIMICS.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1268	svchost.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
984	curl.exe	194.26.192.94:7777	—	1337 Services GmbH	NL	unknown
1268	svchost.exe	23.216.77.6:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	23.216.77.6:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1040	RUXIMICS.exe	23.216.77.6:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
google.com	172.217.18.14	whitelisted
crl.microsoft.com	23.216.77.6 23.216.77.28 2.18.244.211 2.18.244.223	whitelisted
www.microsoft.com	95.101.149.131 23.200.213.221	whitelisted
settings-win.data.microsoft.com	51.124.78.146 40.127.240.158	whitelisted
login.live.com	20.190.159.128 20.190.159.2 20.190.159.23 20.190.159.71 40.126.31.128 20.190.159.130 20.190.159.73 20.190.159.131	whitelisted
client.wns.windows.com	172.211.123.250	whitelisted
slscr.update.microsoft.com	135.233.95.144	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted
files.catbox.moe	108.181.20.35	malicious
self.events.data.microsoft.com	20.189.173.26	whitelisted

PID	Process	Class	Message
984	curl.exe	Malware Command and Control Activity Detected	MALWARE [ANY.RUN] Rhadamanthys Stealer CnC related IP address
1508	3ba293fb08e6a24ed05909ff2079c932844dc48cdf4a97854ee6eb25c64d7f7b.exe	Potentially Bad Traffic	ET INFO Observed File Sharing Service Download Domain (files .catbox .moe in TLS SNI)
—	—	Misc activity	ET USER_AGENTS Go HTTP Client User-Agent
—	—	Misc activity	ET INFO Go-http-client User-Agent Observed Outbound
—	—	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP

General Info

3ba293fb08e6a24ed05909ff2079c932844dc48cdf4a97854ee6eb25c64d7f7b.exe

75AE41757E77956D997C3A6ACA0A4D40

91C4DF8E75FA8240BC76D61AF5BC08437E81D31A

3BA293FB08E6A24ED05909FF2079C932844DC48CDF4A97854EE6EB25C64D7F7B

98304:uDQs0mUPddofvw95mKdSM+iFVaOhclT0d8LGaTZLPnrnSBZnHZSCXTZjh3EmBPsY:NguLL

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Connects to the CnC server

RHADAMANTHYS has been detected (SURICATA)

SUSPICIOUS

Starts CMD.EXE for commands execution

Connects to unusual port

Contacting a server suspected of hosting an CnC

Executable content was dropped or overwritten

INFO

Checks supported languages

Execution of CURL command

Drops encrypted JS script (Microsoft Script Encoder)

Application based on Golang

Detects GO elliptic curve encryption (YARA)

Reads the machine GUID from the registry

Reads the computer name

The sample compiled with english language support

Reads the software policy settings

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings