MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04ebc778a5f47b413d86ee377b7d966b93bca86d06e33592fb09698a9c7bb166. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys
Vendor detections: 8



SHA256 hash: 04ebc778a5f47b413d86ee377b7d966b93bca86d06e33592fb09698a9c7bb166
SHA3-384 hash: aa042ee494c6b3c34f7e73203e0827f18419898ec3daed97d5101e3eae13dfce7ab52b3fbfdd19143875932e4d1d3e42
SHA1 hash: 8e5cae1cffd22729faacc5deff11b469f0bbb96c
MD5 hash: d321f220753af4488080b32fa7ae03fd
humanhash: eight-network-oscar-carolina
File name: heki.msi
Signature: Rhadamanthys
File size: 3'944'448 bytes
First seen: 2025-04-10 18:16:53 UTC
Last seen: 2025-04-12 02:38:19 UTC
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 98304:AXN4t7ieVidr2n9eYjW1Jjt1hbRCKcUZe7Cu/pLwcTD:wN4ttido7jz3U87t/
Threatray: 434 similar samples on MalwareBazaar
TLSH: T1C60633E167C3C7A7D287CAF549AA91D1D284DD610F1BF423A873BA0E2CB07E56D6042D
TrID: 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
      11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: JAMESWT_WT
Tags: documents-cavradocuments-top msi Rhadamanthys

Intelligence


File Origin
# of uploads: 3
# of downloads: 81
Origin country: IT

Vendor Threat Intelligence
Result
Threat name: RHADAMANTHYS
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Early bird code injection technique detected
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected RHADAMANTHYS Stealer
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph: ID 1662355, Sample: heki.msi, Startdate: 10/04/2025, Architecture: WINDOWS, Score: 100
Result
Malware family: n/a
Score: 10/10
Tags: discovery persistence privilege_escalation
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates connected drives
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict: Suspicious
Tags: n/a
YARA: n/a
Malware family: Rhadamanthys
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: maldoc_OLE_file_magic_number
Author: Didier Stevens (https://DidierStevens.com)
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Malware family: Rhadamanthys
File type: Microsoft Software Installer (MSI) msi
SHA256: 04ebc778a5f47b413d86ee377b7d966b93bca86d06e33592fb09698a9c7bb166 (this sample)

Delivery method: Distributed via web download
