MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1900a82fcc90ceb6cfa46c8366a4d9b71a470e0da6d9f95b65dbe21a5957f68c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1900a82fcc90ceb6cfa46c8366a4d9b71a470e0da6d9f95b65dbe21a5957f68c
SHA3-384 hash: 412e0059461e5769b50329ae8a085e78026f6df2d19b4d4c7837e11495ca62f3c7f9f46e35211e2147d37f5c867d7159
SHA1 hash: 2b03448ff40e0fa1adad55f2bb7d2419c95fd093
MD5 hash: c52ec94cbcd78ed9756afb1dd27ffd93
humanhash: robert-cola-march-delta
File name:KmsSetup_v1.1.msi
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:14'143'488 bytes
First seen:2025-08-06 19:17:14 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 393216:Daik1iR8d1M9Hq/0zLCzyQ7T+N/MDJcA/47:Da31XdqIMcyQfBJ
Threatray 143 similar samples on MalwareBazaar
TLSH T10DE63321EB83A760E60EF5BCBA36057E5060AC5B934188E53C2E7C397436E774E52BC5
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter aachum
Tags:GhostPulse HIjackLoader msi Rhadamanthys ShadowLadder


Avatar
iamaachum
https://kmspico-download.celebritympg.com/ => https://app.box.com/shared/static/lewstso2w9wzgumme91ylms4drucbwzf.zip

Intelligence

File Origin
# of uploads :
1
# of downloads :
37
Origin country :
ES ES
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/19295/
Verdict:
Suspicious
Score:
50.0%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6893aa5c1e8a59ee04e69ec8
Tags:
n/a
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug fingerprint installer wix
Link:
https://www.filescan.io/uploads/6893aa52397fd3ce6f9fa5c6/reports/910a1ea8-3f34-4719-b2f7-0c960bc090d3/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/1900a82fcc90ceb6cfa46c8366a4d9b71a470e0da6d9f95b65dbe21a5957f68c
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/1900a82fcc90ceb6cfa46c8366a4d9b71a470e0da6d9f95b65dbe21a5957f68c
Result
Threat name:
HijackLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1751641
Signature
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Passes commands via pipe to a shell (likely to bypass AV or HIPS)
Switches to a custom stack to bypass stack traces
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected HijackLoader
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1751641 Sample: KmsSetup_v1.1.msi Startdate: 06/08/2025 Architecture: WINDOWS Score: 100 110 updatecheck34.activated.win 2->110 112 activated.win 2->112 120 Found malware configuration 2->120 122 Malicious sample detected (through community Yara rule) 2->122 124 Yara detected HijackLoader 2->124 126 2 other signatures 2->126 14 msiexec.exe 97 57 2->14         started        17 svchost.exe 1 1 2->17         started        20 msiexec.exe 3 2->20         started        signatures3 process4 dnsIp5 100 C:\Users\user\AppData\...\VorteCor64.exe, PE32 14->100 dropped 102 C:\Users\user\AppData\...\swresample-4.dll, PE32 14->102 dropped 104 C:\Users\user\AppData\...\sqlite3_plex.dll, PE32 14->104 dropped 106 18 other files (none is malicious) 14->106 dropped 22 VorteCor64.exe 24 14->22         started        108 127.0.0.1 unknown unknown 17->108 file6 process7 file8 84 C:\ProgramData\authHost\VorteCor64.exe, PE32 22->84 dropped 86 C:\ProgramData\authHost\swresample-4.dll, PE32 22->86 dropped 88 C:\ProgramData\authHost\sqlite3_plex.dll, PE32 22->88 dropped 90 18 other files (none is malicious) 22->90 dropped 136 Switches to a custom stack to bypass stack traces 22->136 138 Found direct / indirect Syscall (likely to bypass EDR) 22->138 26 VorteCor64.exe 23 22->26         started        signatures9 process10 file11 92 C:\Users\user\AppData\Roaming\...\444.bat, ASCII 26->92 dropped 94 C:\Users\user\AppData\Roaming\...\XPFix.exe, PE32 26->94 dropped 96 api-ms-win-core-localization-l1-2-0.dll, PE32 26->96 dropped 98 15 other files (none is malicious) 26->98 dropped 144 Found hidden mapped module (file has been removed from disk) 26->144 146 Maps a DLL or memory area into another process 26->146 148 Switches to a custom stack to bypass stack traces 26->148 150 Found direct / indirect Syscall (likely to bypass EDR) 26->150 30 cmd.exe 1 26->30         started        signatures12 process13 process14 32 cmd.exe 1 30->32         started        34 conhost.exe 30->34         started        process15 36 cmd.exe 1 32->36         started        39 conhost.exe 32->39         started        signatures16 128 Uses ping.exe to sleep 36->128 130 Uses cmd line tools excessively to alter registry or file data 36->130 132 Uses ping.exe to check the status of other devices and networks 36->132 134 Passes commands via pipe to a shell (likely to bypass AV or HIPS) 36->134 41 cmd.exe 36->41         started        44 cmd.exe 1 36->44         started        46 cmd.exe 1 36->46         started        48 17 other processes 36->48 process17 signatures18 140 Uses cmd line tools excessively to alter registry or file data 41->140 142 Passes commands via pipe to a shell (likely to bypass AV or HIPS) 41->142 50 cmd.exe 41->50         started        53 cmd.exe 41->53         started        55 cmd.exe 41->55         started        67 22 other processes 41->67 57 cmd.exe 1 44->57         started        59 cmd.exe 1 44->59         started        61 powershell.exe 8 15 46->61         started        63 mode.com 1 48->63         started        65 conhost.exe 48->65         started        process19 signatures20 116 Uses ping.exe to sleep 50->116 69 PING.EXE 50->69         started        72 PING.EXE 53->72         started        118 Uses cmd line tools excessively to alter registry or file data 55->118 74 reg.exe 55->74         started        76 cmd.exe 67->76         started        78 cmd.exe 67->78         started        80 powershell.exe 67->80         started        82 mode.com 67->82         started        process21 dnsIp22 114 activated.win 104.21.24.156 CLOUDFLARENETUS United States 69->114
Score:
3%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/1900a82fcc90ceb6cfa46c8366a4d9b71a470e0da6d9f95b65dbe21a5957f68c
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1900a82fcc90ceb6cfa46c8366a4d9b71a470e0da6d9f95b65dbe21a5957f68c/
Verdict:
Malicious
Threat:
Family.RHADAMANTHYS
Link:
https://tip.neiki.dev/file/1900a82fcc90ceb6cfa46c8366a4d9b71a470e0da6d9f95b65dbe21a5957f68c
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-08-06 19:18:39 UTC
File Type:
Binary (Archive)
Extracted files:
35
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=deakql6msdhlnt5ensbwnjgzw4neodqnu3m7sw3f3prbuwkx62ga._file
Verdict:
malicious
Label(s):
admintool_xenarmor_paswordrecovery
Create hunting rule
hijackloader
Create hunting rule
Similar samples:
2d81354ba7e8bc4ed2924d6ddc0fe386a44493972c8f064e786377ad1f5c3641
Rhadamanthys
3e299b0743fca7b231c17bc0748a8cef3739654f09bb2d8a0a33e3b2af7249c5
Rhadamanthys
4d9b00ede714843e43f64c9b0682ac1f408e33fe6502f611e48bfb4846fb8961
Rhadamanthys
545812664008d0b35cf61c15c79526b1d5d05aef886a3f85c9056570fbf13933
Rhadamanthys
59e08db1acf8f2f2d6f3ac2b3db7b46f2a77c92b7405ba43a970b44e4ead9e5c
Rhadamanthys
7c3df25808e764c61d9db2d4021d2e8d2f266b710bed35ce91e7384ded271faf
Rhadamanthys
c2ef3a333be62590a221d7e22b47f94218624f1456e6ca90ecce065aa02051ca
Rhadamanthys
c3142a633f9095751c1a2a0c926164d21fd88ed8d69660faebfa35fdd3446a65
Rhadamanthys
c47b4646e0a175ef2c06f53ad21a9f673f2781cb23502e9acc53ec813c4f4489
Rhadamanthys
e4291443262d6b9dffb661b6de6ebba39d02ef974a12cf7bfc2d7704aa386d83
Rhadamanthys
error
Rhadamanthys
+ 133 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader family:rhadamanthys discovery execution loader persistence privilege_escalation ransomware stealer
Link:
https://tria.ge/reports/250806-xzm9rs11et/
Behaviour
Checks SCSI registry key(s)
Modifies registry key
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
Executes dropped EXE
Launches sc.exe
Loads dropped DLL
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Enumerates connected drives
Detects HijackLoader (aka IDAT Loader)
Detects Rhadamanthys Payload
HijackLoader
Hijackloader family
Rhadamanthys
Rhadamanthys family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/490c384e-263e-4dfa-9989-2755e3545711
Malware family:
GHOSTPULSE
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1900a82fcc90/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Microsoft Software Installer (MSI) msi 1900a82fcc90ceb6cfa46c8366a4d9b71a470e0da6d9f95b65dbe21a5957f68c

(this sample)

  
Link
https://tria.ge/250806-xp7wesvqx9/behavioral2
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/19295/

Comments