MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d5488f00bdb69c507c308d486032450bb92691800966773acc1928f4077ec1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2d5488f00bdb69c507c308d486032450bb92691800966773acc1928f4077ec1f
SHA3-384 hash: a11126192127f601d9e7d2270a5f72dc98d7902bff38fac69e08435d4df9d70e2f5f88d8dc9c2acefd1047cc0fe7a3a0
SHA1 hash: 73043316c1cde7da0742b43fc8a5fb937b85e3b5
MD5 hash: 5e556b86c4b05f1553a35a310613450b
humanhash: louisiana-utah-ten-purple
File name:Adobe.Premiere.Pro.2025.v24.6.1.2.msi
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:8'011'776 bytes
First seen:2025-09-08 06:23:18 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:VWzBoDM9lSCsMiFmvR2E9rHyyr7psCy9LQwHflzBVcJTS2J3Yvva8tZwVNLjtzMA:UqYxsMiFmvtH7pDyNlzaS2x2RZoitC
Threatray 293 similar samples on MalwareBazaar
TLSH T1998633A4D0C48E16EE6F85FF673A69B87AEFDE1783135807E0057450F7B0922E94A1C6
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter abuse_ch
Tags:msi Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
55
Origin country :
SE SE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/26204/
Verdict:
Clean
Score:
89.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68be1efc6e66ba602d78e8b5
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
alien expired-cert hijackloader installer threat wix
Link:
https://www.filescan.io/uploads/68be766ba64010de766f821a/reports/f8df1f41-242d-48c8-af82-fef24ff2c475/overview
Verdict:
Malicious
Labled as:
Malware.U.Generic
Link:
https://www.hybrid-analysis.com/sample/2d5488f00bdb69c507c308d486032450bb92691800966773acc1928f4077ec1f
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/2d5488f00bdb69c507c308d486032450bb92691800966773acc1928f4077ec1f
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
msi
First seen:
2025-09-06T22:21:00Z UTC
Last seen:
2025-09-06T22:21:00Z UTC
Hits:
~100
Detections:
HEUR:Trojan.OLE2.Alien.gen Trojan.Win64.SBEscape.sb Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb Trojan.Win32.Inject.sb Trojan.Win32.Crypt.sb
Link:
https://opentip.kaspersky.com/2d5488f00bdb69c507c308d486032450bb92691800966773acc1928f4077ec1f/results?tab=lookup
Result
Threat name:
HijackLoader, RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1772929
Signature
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Switches to a custom stack to bypass stack traces
Yara detected HijackLoader
Yara detected RHADAMANTHYS Stealer
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1772929 Sample: Adobe.Premiere.Pro.2025.v24... Startdate: 08/09/2025 Architecture: WINDOWS Score: 100 51 Found malware configuration 2->51 53 Multi AV Scanner detection for dropped file 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 4 other signatures 2->57 8 msiexec.exe 90 50 2->8         started        11 msiexec.exe 3 2->11         started        process3 file4 33 C:\Users\user\AppData\Roaming\...\quazip.dll, PE32 8->33 dropped 35 C:\Users\user\AppData\...\openvr_api.dll, PE32 8->35 dropped 37 C:\Users\user\AppData\...\VCRUNTIME140.dll, PE32 8->37 dropped 39 11 other malicious files 8->39 dropped 13 AgentSonic.exe 17 8->13         started        process5 file6 41 C:\ProgramData\Af_cli_dbg\AgentSonic.exe, PE32 13->41 dropped 43 C:\ProgramData\Af_cli_dbg\quazip.dll, PE32 13->43 dropped 45 C:\ProgramData\Af_cli_dbg\openvr_api.dll, PE32 13->45 dropped 47 11 other files (none is malicious) 13->47 dropped 71 Switches to a custom stack to bypass stack traces 13->71 73 Found direct / indirect Syscall (likely to bypass EDR) 13->73 17 AgentSonic.exe 7 13->17         started        signatures7 process8 file9 27 C:\Users\user\AppData\Roaming\...\Chime.exe, PE32 17->27 dropped 29 C:\Users\user\AppData\Local\...\9135BCE.tmp, PE32 17->29 dropped 31 C:\ProgramData\DyClient.exe, PE32 17->31 dropped 59 Found hidden mapped module (file has been removed from disk) 17->59 61 Maps a DLL or memory area into another process 17->61 63 Switches to a custom stack to bypass stack traces 17->63 65 Found direct / indirect Syscall (likely to bypass EDR) 17->65 21 DyClient.exe 17->21         started        25 Chime.exe 17->25         started        signatures10 process11 dnsIp12 49 194.33.61.182, 443, 49689, 49691 LEASEWEB-NL-AMS-01NetherlandsNL unknown 21->49 67 Switches to a custom stack to bypass stack traces 21->67 69 Found direct / indirect Syscall (likely to bypass EDR) 21->69 signatures13
Score:
3%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/2d5488f00bdb69c507c308d486032450bb92691800966773acc1928f4077ec1f
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
CAB:COMPRESSION:LZX Executable Office Document PDB Path PE (Portable Executable) PE File Layout
Link:
https://app.malva.re/file/5e556b86c4b05f1553a35a310613450b
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2d5488f00bdb69c507c308d486032450bb92691800966773acc1928f4077ec1f/
Verdict:
Malicious
Threat:
Family.RHADAMANTHYS
Link:
https://tip.neiki.dev/file/2d5488f00bdb69c507c308d486032450bb92691800966773acc1928f4077ec1f
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-09-07 00:22:53 UTC
File Type:
Binary (Archive)
Extracted files:
31
AV detection:
11 of 38 (28.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fvkir4al3nu4kb6dbdkimazekc5ze2iyaclgo45mygji6qdx5qpq._file
Verdict:
malicious
Label(s):
hijackloader
Create hunting rule
rhadamanthys
Create hunting rule
Similar samples:
018f9ba428f4e3360bb6ee7c42f5f475bda12ae71a430d603a4a5e8ea94fdcf9
Rhadamanthys
1936ccd7cc0f18a24224533eab9a88c37130495143dc5599542cc4607650352b
Rhadamanthys
21410f2d5da769fab3f5c9d3d2f6aeec19d1f7b4d2a04e1370491aece6517a0a
Rhadamanthys
47767a97c828554f2092c5e2fc505e103ff42114cd75071fd69e16111037a83a
Rhadamanthys
6b5266685f3fe4ca9e4d7cf5b16b26fcae1c215eb9933eb471240d4daaecdaf5
Rhadamanthys
abf052189d7c4ecb828806ff3e559de0e4bd0ba5e69c01575a8f8217bf2868d6
Rhadamanthys
d589f5e5796f8113dedf1f2f7f48ff74b410ad26192264d22324267eedc2be3b
Rhadamanthys
daa1e8c37f131efe55995260e3772db5bfe8d3d5c5c96d2adc7a55492aab0bae
Rhadamanthys
e06cea49c482dd0ddc55cab8fdf5a042540db352139475a8019768481ef152af
Rhadamanthys
error
Rhadamanthys
f553605fb8722472509ee1612fe24c835aec8d7a71d3554d59983f3524467725
Rhadamanthys
+ 283 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader family:rhadamanthys discovery loader persistence privilege_escalation ransomware stealer
Link:
https://tria.ge/reports/250908-g5n59atsf1/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates connected drives
Detects HijackLoader (aka IDAT Loader)
Detects Rhadamanthys Payload
HijackLoader
Hijackloader family
Rhadamanthys
Rhadamanthys family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/16229cde-ee26-4871-8cf8-5233e20d261d
Malware family:
GHOSTPULSE
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2d5488f00bdb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2d5488f00bdb69c507c308d486032450bb92691800966773acc1928f4077ec1f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/26204/

Comments