MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05925f6ebe6766a5667334aa2f04b65096c40bfcbf8caed8780dd0cdac6c7d95. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys
Vendor detections: 11

SHA256 hash: 05925f6ebe6766a5667334aa2f04b65096c40bfcbf8caed8780dd0cdac6c7d95
SHA3-384 hash: 46cedda783312f7294e908ad75d6317a24ce464e24f3607f60fad1db0f4b21c568cce3e42766b76a9e902ed3b04c89ee
SHA1 hash: fc55f3f75d778c19db7bcc06cc1a214037dc54f7
MD5 hash: 9bc048a2120aad8c062792b08858ee58
humanhash: romeo-fish-timing-equal
File name: Report-Incident-ID202551-YouTube-Active.mp4.msi
Signature: Rhadamanthys
File size: 2'281'472 bytes
First seen: 2025-04-10 18:16:33 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI)
MIME type: application/x-msi
ssdeep: 49152:zTysTfiHXA4cl0/bJMyE9czbr0qmB2tGC49Z8e:CHXDcGjlsJJVZ8
Threatray: 90 similar samples on MalwareBazaar
TLSH: T12CB5331FBE3582A1C0594EB836939978C4FEEE198F54C204B31DB6AC847F76252DA3D1
TrID: 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5); 11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: JAMESWT_WT
Tags: documents-cavradocuments-top msi Rhadamanthys
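The digests, size and file name above are what an analyst checks a locally obtained copy against, and the .mp4.msi name is the entry's masquerade indicator. The Python below is an added example, not MalwareBazaar's code or any vendor's: with only the standard library it verifies a file against the listed hashes and size, flags the decoy double extension, and sniffs the container magic (an MSI is an OLE2 compound file, which is also what the TrID line and the OLE magic-number YARA rule further down report). The sample bytes are a constructed OLE2 header rather than the real sample, and the extension sets are assumptions; ssdeep and TLSH need third-party libraries and are left out.

```python
import hashlib

# Digests and size exactly as listed on this MalwareBazaar entry.
EXPECTED_DIGESTS = {
    "sha256": "05925f6ebe6766a5667334aa2f04b65096c40bfcbf8caed8780dd0cdac6c7d95",
    "sha1": "fc55f3f75d778c19db7bcc06cc1a214037dc54f7",
    "md5": "9bc048a2120aad8c062792b08858ee58",
    "sha3_384": "46cedda783312f7294e908ad75d6317a24ce464e24f3607f60fad1db0f4b21c5"
                "68cce3e42766b76a9e902ed3b04c89ee",
}
EXPECTED_SIZE = 2281472  # 2'281'472 bytes on the entry

# Assumption: extensions Windows executes on double-click (subset).
EXECUTABLE_EXTS = {"msi", "exe", "scr", "com", "pif", "js", "vbs", "hta", "lnk", "bat", "cmd"}
# Assumption: decoy "document/media" extensions and the container each implies (None = no check).
DECOY_CONTAINERS = {"mp4": "mp4", "mp3": "mp3", "pdf": "pdf", "docx": "zip", "xlsx": "zip",
                    "jpg": "jpeg", "png": "png", "txt": None}

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # MSI, legacy Office and other compound files


def digests(data: bytes) -> dict:
    """Return the four digests MalwareBazaar lists, keyed like EXPECTED_DIGESTS."""
    return {name: hashlib.new(name, data).hexdigest() for name in EXPECTED_DIGESTS}


def verify_sample(data: bytes, expected=EXPECTED_DIGESTS, size=EXPECTED_SIZE) -> dict:
    """Compare a local file's digests and size with the entry; True means it matches."""
    actual = digests(data)
    checks = {name: actual[name] == value for name, value in expected.items()}
    checks["size"] = len(data) == size
    return checks


def sniff(data: bytes) -> str:
    """Cheap container sniff by magic bytes; enough to catch a name/content mismatch."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    if data.startswith(b"%PDF"):
        return "pdf"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if data.startswith(b"\x89PNG"):
        return "png"
    if data.startswith(b"ID3") or data[:2] == b"\xff\xfb":
        return "mp3"
    if data[4:8] == b"ftyp":
        return "mp4"
    return "unknown"


def analyse_filename(name: str) -> dict:
    """Split off the last two extensions: 'x.mp4.msi' -> decoy 'mp4', final 'msi'."""
    exts = name.lower().split(".")[1:]
    final = exts[-1] if exts else ""
    decoy = exts[-2] if len(exts) >= 2 else ""
    return {"final_ext": final, "decoy_ext": decoy,
            "masquerade": final in EXECUTABLE_EXTS and decoy in DECOY_CONTAINERS}


def triage(name: str, data: bytes) -> list:
    """Combine the three checks into a list of finding codes."""
    findings = []
    fn = analyse_filename(name)
    if fn["masquerade"]:
        findings.append("double_extension_masquerade")
    wanted = DECOY_CONTAINERS.get(fn["decoy_ext"])
    if wanted and sniff(data) != wanted:
        findings.append("content_type_mismatch")  # name says mp4, bytes say otherwise
    if all(verify_sample(data).values()):
        findings.append("matches_malwarebazaar_entry")
    return findings


# Constructed stand-in: a minimal OLE2 header, NOT the real sample.
FAKE_MSI = OLE2_MAGIC + b"\x00" * 504
SAMPLE_NAME = "Report-Incident-ID202551-YouTube-Active.mp4.msi"

if __name__ == "__main__":
    print(verify_sample(FAKE_MSI))
    print(triage(SAMPLE_NAME, FAKE_MSI))
```

Run it against a real download by replacing FAKE_MSI with the file's bytes; every check in verify_sample must be True before the rest of this entry can be trusted to describe the file in hand.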

Intelligence

File Origin
# of uploads: 1
# of downloads: 77
Origin country: IT (Italy)

Vendor Threat Intelligence

Verdict: Malicious
Score: 94.1%
Tags: virus spawn sage

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: adaptive-context crypto fingerprint installer masquerade wix

Result
Threat name: RHADAMANTHYS
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Allocates memory in foreign processes
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks if the current machine is a virtual machine (disk enumeration)
Connects to many ports of the same IP (likely port scanning)
Early bird code injection technique detected
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected RHADAMANTHYS Stealer
Yara detected UAC Bypass using CMSTP
Behaviour

Behavior graph ID: 1662357
Sample: Report-Incident-ID202551-YouTube-Active.mp4.msi
Start date: 10/04/2025
Architecture: WINDOWS
Score: 100

Graph-level indicators: DNS to twc.trafficmanager.net, time.windows.com and 15 other IPs or domains; Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures.

Process tree (indentation is parent/child; dropped files, network contacts and signatures are listed under the process that produced them):

msiexec.exe
  dropped: C:\Windows\Installer\MSI1AE2.tmp (PE32); C:\Users\user\AppData\...\WinSparkle.dll (PE32); C:\Users\user\...\VWSpotifyMusicConverter.exe (PE32); C:\Users\user\AppData\Local\Deal\DuiLib.dll (PE32)
  VWSpotifyMusicConverter.exe
    dropped: C:\Users\user\AppData\...\WinSparkle.dll (PE32); C:\Users\user\...\VWSpotifyMusicConverter.exe (PE32); C:\Users\user\AppData\Roaming\...\DuiLib.dll (PE32)
    signatures: Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
    VWSpotifyMusicConverter.exe
      dropped: C:\Users\user\AppData\Local\Temp\dnnht (PE32)
      signatures: Found hidden mapped module (file has been removed from disk); Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
      svchost.exe
        network: time-a-g.nist.gov 129.6.15.28 (US-NATIONAL-INSTITUTE-OF-STANDARDS-AND-TECHNOLOGYUS, United States); twc.trafficmanager.net 40.119.6.228 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 5 other IPs or domains
        dropped: C:\Users\user\AppData\...\4rcQY9)ANV.exe (PE32+)
        signatures: Benign windows process drops PE files; Early bird code injection technique detected; Maps a DLL or memory area into another process; Queues an APC in another process (thread injection)
        wmprph.exe
          dropped: C:\Users\user\AppData\...\goopdate.dll (PE32); C:\Users\user\...\AvastBrowserUpdate.exe (PE32)
          signatures: Writes to foreign memory regions; Allocates memory in foreign processes
          dllhost.exe
        4rcQY9)ANV.exe
          network: 45.93.20.233 (COGENT-174US, Netherlands)
          WMIC.exe
            conhost.exe
        chrome.exe
          chrome.exe
            network: 127.0.0.1
        4 other processes
          msedge.exe
      svchost.exe
        network: 80.64.30.236, ports 1963, 49693, 49713 (RU-KORUS-ASRU, Russian Federation)
        signatures: Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines); Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Switches to a custom stack to bypass stack traces
      cmd.exe
      cmd.exe
        conhost.exe
  msiexec.exe
    dropped: C:\Users\user\AppData\Local\...\msvcr100.dll (PE32); C:\Users\user\AppData\Local\...\msvcp100.dll (PE32); C:\Users\user\AppData\Local\...\mfc100u.dll (PE32); 3 other malicious files
AvastBrowserUpdate.exe
  network: ipv4.imgur.map.fastly.net 151.101.44.193 (FASTLYUS, United States)
  signatures: Switches to a custom stack to bypass stack traces
  svchost.exe
    signatures: System process connects to network (likely due to code injection or exploit); Query firmware table information (likely to detect VMs); Checks if the current machine is a virtual machine (disk enumeration); Tries to detect sandboxes / dynamic malware analysis system (registry check)
    svchost.exe
      network: ntp.time.nl 94.198.159.14 (SIDNNL, Netherlands); gbg1.ntp.netnod.se 194.58.203.20 (NTP-SE, anycasted NTP services from Netnod IXPs, Sweden); 2 other IPs or domains
      signatures: Early bird code injection technique detected; Tries to harvest and steal browser information (history, passwords, etc)
      msedge.exe
        msedge.exe
          network: 150.171.28.11 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States); 162.159.61.3 (CLOUDFLARENETUS, United States); chrome.cloudflare-dns.com 172.64.41.3 (CLOUDFLARENETUS, United States)
      chrome.exe
        chrome.exe
      chrome.exe
msedge.exe
  network: 239.255.255.250 (Reserved)
  msedge.exe
  msedge.exe
  msedge.exe
8 other processes
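The behaviour graph is flattened in this export, but its network nodes keep a regular shape: an optional hostname, an IPv4 address, an optional comma-separated port list, then ASN and country. The Python below is an added example, not MalwareBazaar's or the sandbox vendor's code: it pulls the contacted addresses out of that text, discards loopback, multicast and private addresses, separates remote service ports from the sandbox's ephemeral source ports (treating anything at or above 49152, the start of the Windows dynamic port range, as a source port is my assumption about the graph's port lists), and matches the result against firewall log lines in a constructed format. The excerpt is copied from the graph above; the log lines are constructed.

```python
import ipaddress
import re

# Excerpt of the behavior-graph text from this entry (node numbers left as exported).
GRAPH_TEXT = """
149 ipv4.imgur.map.fastly.net 151.101.44.193 FASTLYUS United States 15->149
151 239.255.255.250 unknown Reserved 19->151
135 ntp.time.nl 94.198.159.14 SIDNNL Netherlands 41->135
145 80.64.30.236, 1963, 49693, 49713 RU-KORUS-ASRU Russian Federation 49->145
119 45.93.20.233 COGENT-174US Netherlands 65->119
125 chrome.cloudflare-dns.com 172.64.41.3 CLOUDFLARENETUS United States 72->125
133 127.0.0.1 unknown unknown 82->133
"""

# optional hostname, an IPv4 address, then an optional ", port, port, ..." list
TOKEN_RE = re.compile(
    r"(?:([A-Za-z0-9][\w.-]*\.[A-Za-z]{2,})\s+)?"
    r"\b(\d{1,3}(?:\.\d{1,3}){3})"
    r"((?:,\s*\d{1,5})*)"
)
EPHEMERAL_START = 49152  # assumption: Windows dynamic source-port range begins here


def extract_iocs(text, routable_only=True):
    """Return one dict per distinct address: host, ip, dst_ports, src_ports."""
    iocs, seen = [], set()
    for m in TOKEN_RE.finditer(text):
        host, ip, port_blob = m.group(1), m.group(2), m.group(3)
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if routable_only and (addr.is_loopback or addr.is_multicast or addr.is_private
                              or addr.is_link_local or addr.is_reserved):
            continue  # 127.0.0.1, SSDP 239.255.255.250, RFC1918 and similar are noise here
        if ip in seen:
            continue
        seen.add(ip)
        ports = sorted(int(p) for p in re.findall(r"\d+", port_blob))
        iocs.append({"host": host, "ip": ip,
                     "dst_ports": [p for p in ports if p < EPHEMERAL_START],
                     "src_ports": [p for p in ports if p >= EPHEMERAL_START]})
    return iocs


# Constructed firewall lines: "<timestamp> <src>:<sport> -> <dst>:<dport> <proto> <action>".
LOG_RE = re.compile(r"^(\S+)\s+(\S+?):(\d+)\s+->\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
LOG_LINES = [
    "2025-04-10T18:20:01Z 10.0.0.5:49693 -> 80.64.30.236:1963 TCP allow",
    "2025-04-10T18:20:03Z 10.0.0.5:49720 -> 8.8.8.8:53 UDP allow",
    "2025-04-10T18:21:10Z 10.0.0.7:50122 -> 45.93.20.233:443 TCP allow",
    "2025-04-10T18:21:11Z 10.0.0.7:50123 -> 80.64.30.236:443 TCP deny",
]


def match_log(lines, iocs):
    """Flag log lines whose destination is a listed address; ip+port beats ip-only."""
    by_ip = {i["ip"]: i for i in iocs}
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, dst, dport = m.group(1), m.group(4), int(m.group(5))
        ioc = by_ip.get(dst)
        if ioc is None:
            continue
        hits.append({"ts": ts, "ip": dst, "port": dport,
                     "confidence": "ip+port" if dport in ioc["dst_ports"] else "ip-only"})
    return hits


if __name__ == "__main__":
    found = extract_iocs(GRAPH_TEXT)
    for i in found:
        print(i)
    for h in match_log(LOG_LINES, found):
        print(h)
```

Time servers (time.windows.com, ntp.time.nl, time-a-g.nist.gov), imgur's CDN and chrome.cloudflare-dns.com are shared infrastructure and belong in the "context" column, not a blocklist; 80.64.30.236 on port 1963 and 45.93.20.233 are the addresses worth hunting for, with the usual caveat that sandbox-observed C2 rotates quickly.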
Threat name: Win32.Spyware.Rhadamanthys
Status: Malicious
First seen: 2025-04-05 19:08:50 UTC
File Type: Binary (Archive)
Extracted files: 42
AV detection: 15 of 38 (39.47%)
Threat level: 2/5

Result
Malware family: n/a
Score: 10/10
Tags: discovery persistence privilege_escalation
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates connected drives
Suspicious use of NtCreateUserProcessOtherParentProcess

Verdict: Suspicious
Tags: n/a
YARA: n/a
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: maldoc_OLE_file_magic_number
Author: Didier Stevens (https://DidierStevens.com)
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Note that an MSI package is itself an OLE2 compound file (see the TrID result above), so the OLE magic-number rule matches every MSI, malicious or not; it confirms the container format rather than maliciousness, and the second rule's own description warns that it can produce false positives. The Rhadamanthys attribution rests on the vendor detections and the RHADAMANTHYS YARA hit listed under Intelligence, not on these two rules.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments