MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c9df28e6b802ebe9e40f8fe34d2014b1fe524c64f7c8bd013f163c4daa794b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 11

Intelligence 11 IOCs YARA 4 File information Comments

SHA256 hash:	4c9df28e6b802ebe9e40f8fe34d2014b1fe524c64f7c8bd013f163c4daa794b2
SHA3-384 hash:	9d571c1f68afa2bafeb0e9aeb6653642667bc663c7475aaea7dcd13b34fa394a2513525c8c716b6e5b8c3368dc2de62f
SHA1 hash:	0d05edd068cf21eb265a43e4800ed967fb7b9650
MD5 hash:	53943aac4c795998dee63eadcf52fb4a
humanhash:	summer-lactose-kentucky-california
File name:	shields.msi
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	10'981'376 bytes
First seen:	2025-08-04 19:11:38 UTC
Last seen:	2025-08-20 08:04:48 UTC
File type:	msi
MIME type:	application/x-msi
ssdeep	196608:i22ik1oMYsaKNDllYcnDuKxpQv8yJE7lcGSm7yLypRhouzuEHCp:i2291XaClu4Qofb7mZ4
TLSH	T19AB63381FDC04E24C7076F34EA85C7B89AE98C76373859633A9430DB9970F74DB69229
TrID	88.4% (.MST) Windows SDK Setup Transform script (61000/1/5) 11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika	msi
Reporter	abuse_ch
Tags:	84-200-80-8 ClickFix-Stealer loanauto-cloud msi Rhadamanthys signed

Code Signing Certificate

Organisation:	MediaHuman
Issuer:	MediaHuman
Algorithm:	sha1WithRSAEncryption
Valid from:	2025-08-01T16:25:18Z
Valid to:	2026-08-01T22:25:18Z
Serial number:	36d2e3ce7e4041b142a7f5bd7886dc66
Thumbprint Algorithm:	SHA256
Thumbprint:	26ffc7cb26534a16a17eb6080d74b60f1c295cb31ecca85cd0ff3c1312436eeb
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/18870/

Verdict:

Clean

Score:

99.9%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68907a85af3050dc8d341cdc

Tags:

n/a

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

expired-cert installer installer octowave signed stego

Link:

https://www.filescan.io/uploads/6891061c73b8ef6f4afe7f14/reports/121c2381-de60-449d-a9ab-51f3e7bb0670/overview

Verdict:

Malicious

Labled as:

Malware.U.Rhadamanthys

Link:

https://www.hybrid-analysis.com/sample/4c9df28e6b802ebe9e40f8fe34d2014b1fe524c64f7c8bd013f163c4daa794b2

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/4c9df28e6b802ebe9e40f8fe34d2014b1fe524c64f7c8bd013f163c4daa794b2

Score:

10%

Verdict:

Benign

File Type:

Result

Malware family:

rhadamanthys

Score:

10/10

Tags:

family:rhadamanthys discovery persistence privilege_escalation ransomware stealer

Link:

https://tria.ge/reports/250804-xwqwgstxc1/

Behaviour

Checks SCSI registry key(s)

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Event Triggered Execution: Installer Packages

Program crash

System Location Discovery: System Language Discovery

Drops file in Windows directory

Executes dropped EXE

Loads dropped DLL

Blocklisted process makes network request

Enumerates connected drives

Detects Rhadamanthys Payload

Rhadamanthys

Rhadamanthys family

Suspicious use of NtCreateUserProcessOtherParentProcess

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/0a424fab-7ce5-4be3-8804-0408da682df1

Malware family:

Rhadamanthys

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/4c9df28e6b80/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4c9df28e6b802ebe9e40f8fe34d2014b1fe524c64f7c8bd013f163c4daa794b2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	Octowave_Installer_03_2025 Create hunting rule
Author:	Jai Minton (@CyberRaiju) - HuntressLabs
Description:	Detects resources embedded within Octowave Loader MSI installers
Reference:	https://x.com/CyberRaiju/status/1893450184224362946?t=u0X6ST2Qgnrf-ujjphGOSg&s=19

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	win_octowave_w0 Create hunting rule
Author:	Jai Minton (@CyberRaiju) - HuntressLabs
Description:	Detects resources embedded within Octowave Loader MSI installers
Reference:	https://x.com/CyberRaiju/status/1893450184224362946?t=u0X6ST2Qgnrf-ujjphGOSg&s=19

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/18870/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample