MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05c38a73d9a4ea07d9a851a15fd649573835a3b4b62761b4a8b12133bd9e8de8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 05c38a73d9a4ea07d9a851a15fd649573835a3b4b62761b4a8b12133bd9e8de8
SHA3-384 hash: 040bde5880cd280a74dfc9806e5bfb8d22d00dc88bd6aae9214e206e04bdfb64136c468a3247fb58ac21a9f1349cfb3b
SHA1 hash: 09754f852025af450bbf69fab397bae5107a8460
MD5 hash: 52aadb0982a986a6e9b7ba27a130cd57
humanhash: pip-black-hot-fourteen
File name:Celestia_Core3.msi
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:2'143'232 bytes
First seen:2025-10-01 12:05:15 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:Z257o7olFqCazSIgkjVIxIP0WIqrkgEHx8WRSgDRLEyR:7VjV2IMWIqr89
TLSH T113A58C21BA8FC437C65E02B2E929EE5E543DBE730B6184D3B7E43D9A58348C15779A03
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter smica83
Tags:msi Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
50
Origin country :
HU HU
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/29728/
Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68dd192740b7da0b4eb93595
Tags:
shellcode spawn
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
cmd lolbin msiexec obfuscated remote threat wix
Link:
https://www.filescan.io/uploads/68dd197c74e5a289899c2cf4/reports/a813ad21-ab75-4599-bf09-30060860ddec/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/05c38a73d9a4ea07d9a851a15fd649573835a3b4b62761b4a8b12133bd9e8de8
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/05c38a73d9a4ea07d9a851a15fd649573835a3b4b62761b4a8b12133bd9e8de8
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
File Type:
msi
Link:
https://opentip.kaspersky.com/05c38a73d9a4ea07d9a851a15fd649573835a3b4b62761b4a8b12133bd9e8de8/results?tab=lookup
Result
Threat name:
RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1787262
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners)
Drops executables to the windows directory (C:\Windows) and starts them
Early bird code injection technique detected
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Potentially malicious time measurement code found
PowerShell case anomaly found
Powershell drops PE file
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Queues an APC in another process (thread injection)
Sigma detected: Potentially Suspicious Malware Callback Communication
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1787262 Sample: Celestia_Core3.msi Startdate: 01/10/2025 Architecture: WINDOWS Score: 100 86 zilmadradensell.space 2->86 88 zermion.com 2->88 90 10 other IPs or domains 2->90 126 Antivirus detection for URL or domain 2->126 128 Multi AV Scanner detection for dropped file 2->128 130 Yara detected RHADAMANTHYS Stealer 2->130 132 2 other signatures 2->132 11 powershell.exe 22 39 2->11         started        16 msiexec.exe 16 46 2->16         started        18 msiexec.exe 2 2->18         started        20 5 other processes 2->20 signatures3 process4 dnsIp5 110 zermion.com 104.21.50.79, 443, 49715, 49716 CLOUDFLARENETUS United States 11->110 70 C:\Users\user\AppData\Local\...\sqlite.dll, PE32 11->70 dropped 72 C:\Users\user\AppData\Local\...\nsExec.dll, PE32 11->72 dropped 74 C:\Users\user\AppData\...\installerhelper.dll, PE32 11->74 dropped 82 4 other malicious files 11->82 dropped 156 Found many strings related to Crypto-Wallets (likely being stolen) 11->156 158 Loading BitLocker PowerShell Module 11->158 160 Powershell drops PE file 11->160 22 DB5Upgrade.exe 1 1004 11->22         started        27 conhost.exe 11->27         started        76 C:\Windows\Installer\MSIC6C3.tmp, PE32 16->76 dropped 78 C:\Windows\Installer\MSIC615.tmp, PE32 16->78 dropped 80 C:\Windows\Installer\MSIC5B6.tmp, PE32 16->80 dropped 84 8 other malicious files 16->84 dropped 162 Drops executables to the windows directory (C:\Windows) and starts them 16->162 164 PowerShell case anomaly found 16->164 29 msiexec.exe 16->29         started        31 MSIC6C3.tmp 16->31         started        33 msiexec.exe 16->33         started        35 conhost.exe 20->35         started        file6 signatures7 process8 dnsIp9 98 tintaricalycher.cfd 45.158.127.121, 443, 49721 UIIR United Kingdom 22->98 100 zilmadradensell.space 86.104.74.199, 443, 49725 TELE-ROM-ASstrAleeaPaciiBlB5Ap16RO Romania 22->100 102 2 other IPs or domains 22->102 62 C:\Users\user\AppData\Roaming\...\sqlite.dll, PE32 22->62 dropped 64 C:\Users\user\AppData\Roaming\...\nsExec.dll, PE32 22->64 dropped 66 C:\Users\user\AppData\...\installerhelper.dll, PE32 22->66 dropped 68 5 other malicious files 22->68 dropped 144 Writes to foreign memory regions 22->144 146 Allocates memory in foreign processes 22->146 148 Modifies the context of a thread in another process (thread injection) 22->148 150 Injects a PE file into a foreign processes 22->150 37 msiexec.exe 22->37         started        41 vtfbkfbklzjxecn.exe 22->41         started        43 msiexec.exe 1 22->43         started        45 conhost.exe 22->45         started        152 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 29->152 154 Switches to a custom stack to bypass stack traces 29->154 file10 signatures11 process12 dnsIp13 92 185.125.50.186, 49781, 49823, 8288 INPLATLABS-ASRU Russian Federation 37->92 134 Query firmware table information (likely to detect VMs) 37->134 136 Found many strings related to Crypto-Wallets (likely being stolen) 37->136 47 dllhost.exe 37->47         started        138 Multi AV Scanner detection for dropped file 41->138 140 Contains functionality to registers a callback to get notified when the system is suspended or resumed (often done by Miners) 41->140 142 Potentially malicious time measurement code found 41->142 94 85.208.84.115, 49726, 49730, 7777 PINDC-ASRU Russian Federation 43->94 96 www.ip-api.com 208.95.112.1, 49724, 49729, 80 TUT-ASUS United States 43->96 signatures14 process15 dnsIp16 112 time-a-g.nist.gov 129.6.15.28 US-NATIONAL-INSTITUTE-OF-STANDARDS-AND-TECHNOLOGYUS United States 47->112 114 ntp1.hetzner.de 213.239.239.164 HETZNER-ASDE Germany 47->114 116 4 other IPs or domains 47->116 118 Early bird code injection technique detected 47->118 120 Found many strings related to Crypto-Wallets (likely being stolen) 47->120 122 Tries to harvest and steal browser information (history, passwords, etc) 47->122 124 3 other signatures 47->124 51 chrome.exe 47->51         started        53 chrome.exe 47->53         started        55 wmlaunch.exe 47->55         started        signatures17 process18 process19 57 chrome.exe 51->57         started        60 chrome.exe 51->60         started        dnsIp20 104 192.168.2.4, 443, 49708, 49715 unknown unknown 57->104 106 googlehosted.l.googleusercontent.com 172.217.15.193, 443, 49810 GOOGLEUS United States 57->106 108 2 other IPs or domains 57->108
Score:
0%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/05c38a73d9a4ea07d9a851a15fd649573835a3b4b62761b4a8b12133bd9e8de8
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/05c38a73d9a4ea07d9a851a15fd649573835a3b4b62761b4a8b12133bd9e8de8/
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-09-30 20:46:20 UTC
File Type:
Binary (Archive)
Extracted files:
42
AV detection:
6 of 38 (15.79%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=axbyu46zutvapwnikgqv7vsjk44dli5uwytwdnfiweqthpm6rxua._file
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys discovery persistence privilege_escalation ransomware stealer
Link:
https://tria.ge/reports/251001-paebkaep4s/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Drops file in System32 directory
Suspicious use of SetThreadContext
Enumerates connected drives
Badlisted process makes network request
Detects Rhadamanthys Payload
Rhadamanthys
Rhadamanthys family
Malware Config
Dropper Extraction:
https://zermion.com/update/nsLib.zip
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f9adfbbf-7239-4d2d-967a-c06c7178a0ac
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/05c38a73d9a4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/05c38a73d9a4ea07d9a851a15fd649573835a3b4b62761b4a8b12133bd9e8de8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_MSI_LATAM_Banker_From_LatAm
Create hunting rule
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/29728/

Comments