MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 057ab7dcbd03786d234543ced23a4fe58f2d0d29d2aa28ad8f73b78270d5c5e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: Rhadamanthys
Vendor detections: 10



SHA256 hash: 057ab7dcbd03786d234543ced23a4fe58f2d0d29d2aa28ad8f73b78270d5c5e6
SHA3-384 hash: 821cdda22fa6d9b04a47e7bea2a205de70ee928143167fc66f0a7fd51217e712c956606933ce479798a1a46f20748168
SHA1 hash: 04843a481250f50dab65dcadf55b3e5f5216f878
MD5 hash: 2c363054d9fd9c516b056f68d3c79bac
humanhash: salami-oven-lithium-freddie
File name: SecuriteInfo.com.Trojan.SuspectCRC.9076.14023
Signature: Rhadamanthys
File size: 8'261'632 bytes
First seen: 2025-11-01 02:16:31 UTC
Last seen: 2025-11-01 03:15:45 UTC
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 196608:jiubkYQGixjtnjDGtyN/bHP10fAvQI/SgkDSlEI1Wgm2a6CK:3XrwjtnjBN/rGodwm1WgSK
Threatray: 68 similar samples on MalwareBazaar
TLSH: T1C186332CEC620FF6C70595B388A2722441CACEC4622614FF3555B5294AF9FB35EDB728
TrID:
  68.9% (.MST) Windows SDK Setup Transform script (61000/1/5)
  22.0% (.WPS) Kingsoft WPS Office document (alt.) (19502/3/2)
  9.0% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: SecuriteInfoCom
Tags: msi Rhadamanthys

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 70
Origin country: FR
Vendor Threat Intelligence

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: alien amadey anti-debug expired-cert fingerprint installer wix
Verdict: Malicious
File type: msi
First seen: 2025-10-30T13:04:00Z UTC
Last seen: 2025-10-31T00:50:00Z UTC
Hits: ~10
Detections: HEUR:Trojan.OLE2.Alien.gen Trojan.Win64.SBEscape.sb Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb Trojan.Win32.Crypt.sb

Verdict: Malware
YARA: 4 match(es)
Tags: CAB:COMPRESSION:LZX Corrupted Executable Office Document PDB Path PE (Portable Executable) PE File Layout PE Memory-Mapped (Dump)
Result
Malware family: rhadamanthys
Score: 10/10
Tags: family:hijackloader family:rhadamanthys discovery loader persistence privilege_escalation ransomware stealer

Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates connected drives
Detects HijackLoader (aka IDAT Loader)
Detects Rhadamanthys Payload
HijackLoader
Hijackloader family
Rhadamanthys
Rhadamanthys family
Malware family: IDATLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base64 encoded PowerShell script.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Signature: Rhadamanthys
File type: Microsoft Software Installer (MSI) msi
SHA256: 057ab7dcbd03786d234543ced23a4fe58f2d0d29d2aa28ad8f73b78270d5c5e6 (this sample)

Comments