MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 560afd97f03f2ed11bf0087d551ae45f2046d6d52f0fa3d7c1df882981e8b346. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 10

Intelligence 10 IOCs YARA 5 File information Comments

SHA256 hash:	560afd97f03f2ed11bf0087d551ae45f2046d6d52f0fa3d7c1df882981e8b346
SHA3-384 hash:	0d131c4e4bbf9da31172d07c2337ec47b8e4010e0a30bcd2c3a099a70c4fa234d3ccba6a6415297bcd2f0ca5718bfa29
SHA1 hash:	6eaf58497a9a73a4c3eb5dea54cf61fa17ada5a6
MD5 hash:	334f1c48a0ff9987fe3133258da91a82
humanhash:	apart-jig-delaware-cat
File name:	temopix.com.msi
Download:	download sample
Signature	Rhadamanthys Create hunting rule
File size:	13'209'600 bytes
First seen:	2025-08-20 08:07:43 UTC
Last seen:	Never
File type:	msi
MIME type:	application/x-msi
ssdeep	393216:i2291Xa607bBNO79OiN9P9dpxsRQKZdmM:G87NNOZHPzpxsRQqm
TLSH	T181D6330018D57E39F294FB74695BF6A68AF74C581FA886BB2B4D30C19036D70B3352B6
TrID	88.4% (.MST) Windows SDK Setup Transform script (61000/1/5) 11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika	msi
Reporter	JAMESWT_WT
Tags:	ClickFix-Stealer msi Rhadamanthys signed temopix-com

Code Signing Certificate

Organisation:	Burnaware
Issuer:	Burnaware
Algorithm:	sha1WithRSAEncryption
Valid from:	2025-08-04T16:23:02Z
Valid to:	2026-08-04T22:23:02Z
Serial number:	6185c0bbb117b7b24bd52fccb9a45bff
Thumbprint Algorithm:	SHA256
Thumbprint:	cc86e9abaebce83d81703f92ef7af0d54645df2173e479f8bff7fbae10c7f62a
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/22416/

Verdict:

Malicious

Score:

81.4%

Link:

https://cyber-fortress.com/docs/result/index.php?id=68a582818fd55a79c5295b54

Tags:

shellcode virus

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

expired-cert installer installer masquerade octowave signed stego

Link:

https://www.filescan.io/uploads/68a5827a419c816a6e8d32c2/reports/0f736176-55ff-4263-a04a-c0cd418a3c65/overview

Verdict:

Unknown

Link:

https://www.hybrid-analysis.com/sample/560afd97f03f2ed11bf0087d551ae45f2046d6d52f0fa3d7c1df882981e8b346

Result

Verdict:

UNKNOWN

Link:

https://labs.inquest.net/dfi/sha256/560afd97f03f2ed11bf0087d551ae45f2046d6d52f0fa3d7c1df882981e8b346

Score:

Verdict:

Benign

File Type:

Result

Malware family:

rhadamanthys

Score:

10/10

Tags:

family:rhadamanthys defense_evasion discovery persistence privilege_escalation ransomware stealer

Link:

https://tria.ge/reports/250820-j1rfxs1py4/

Behaviour

Checks SCSI registry key(s)

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Event Triggered Execution: Installer Packages

Program crash

System Location Discovery: System Language Discovery

Drops file in Windows directory

Executes dropped EXE

Loads dropped DLL

Blocklisted process makes network request

Enumerates connected drives

Modifies trusted root certificate store through registry

Detects Rhadamanthys Payload

Rhadamanthys

Rhadamanthys family

Suspicious use of NtCreateUserProcessOtherParentProcess

Verdict:

Suspicious

Tags:

n/a

YARA:

n/a

Link:

https://app.threat.zone/submission/28c32cec-28d2-421e-9577-498a7f748db3

Malware family:

Rhadamanthys

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/560afd97f03f/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.00

Link:

https://yomi.yoroi.company/submissions/560afd97f03f2ed11bf0087d551ae45f2046d6d52f0fa3d7c1df882981e8b346

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CP_AllMal_Detector Create hunting rule
Author:	DiegoAnalytics
Description:	CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

Rule name:	Octowave_Installer_03_2025 Create hunting rule
Author:	Jai Minton (@CyberRaiju) - HuntressLabs
Description:	Detects resources embedded within Octowave Loader MSI installers
Reference:	https://x.com/CyberRaiju/status/1893450184224362946?t=u0X6ST2Qgnrf-ujjphGOSg&s=19

Rule name:	Sus_Obf_Enc_Spoof_Hide_PE Create hunting rule
Author:	XiAnzheng
Description:	Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

Rule name:	win_octowave_w0 Create hunting rule
Author:	Jai Minton (@CyberRaiju) - HuntressLabs
Description:	Detects resources embedded within Octowave Loader MSI installers
Reference:	https://x.com/CyberRaiju/status/1893450184224362946?t=u0X6ST2Qgnrf-ujjphGOSg&s=19

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/22416/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample