MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5c1917c63fc09983d5f31cb7278122405f28364b93956a96cf635e52f7381f2a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5c1917c63fc09983d5f31cb7278122405f28364b93956a96cf635e52f7381f2a
SHA3-384 hash: e791fd323dbce2a75e2bf3458d8577eb461970ba604f35031dcf8c6e59ce84ca3cc52cbf84809283b28568f6833b9eda
SHA1 hash: c471d1fba01849aa37bd587613246f1b6c0bb62e
MD5 hash: 8f6e7e5f41552fdeef42a6da33ebaf48
humanhash: kilo-floor-virginia-harry
File name:5c1917c63fc09983d5f31cb7278122405f28364b93956a96cf635e52f7381f2a
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:36'790'272 bytes
First seen:2024-11-25 14:07:29 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 786432:cSiMGixH0zs+RFAsCOLTXbr071UEesdqDc+fEv6vh:3b/HGs+KoTXbrE1WLMIh
TLSH T1FC8733EEE4FC7E3AE2C41638492AC56D02E2DC5273768BC92821F2E05F7558547FA364
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter JAMESWT_WT
Tags:msi Rhadamanthys signed Software Support ApS

Code Signing Certificate

Organisation:Software Support ApS
Issuer:Entrust Extended Validation Code Signing CA - EVCS2
Algorithm:sha256WithRSAEncryption
Valid from:2024-11-08T23:30:35Z
Valid to:2025-11-08T23:30:34Z
Serial number: 89c86b25cf2c8c026201599cd211f002
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: cf5a683d005226fb6522de301e8e50a6e03b6c12f7a04f045bb2f151515189a5
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
IT IT
Vendor Threat Intelligence
Verdict:
Malicious
Score:
94.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=674484cfb31374f098344b69
Tags:
vmdetect
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
fingerprint installer wix
Link:
https://www.filescan.io/uploads/674484d3fcae1d619b4ec0fb/reports/778a8755-ddfe-4aaf-80d2-3a2595c7e18b/overview
Verdict:
Suspicious
Labled as:
Generik.GJXVIE trojan
Link:
https://www.hybrid-analysis.com/sample/5c1917c63fc09983d5f31cb7278122405f28364b93956a96cf635e52f7381f2a
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1562405
Signature
AI detected suspicious sample
Antivirus detection for dropped file
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found pyInstaller with non standard icon
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1562405 Sample: 5gzbR4Yqta.msi Startdate: 25/11/2024 Architecture: WINDOWS Score: 96 67 Antivirus detection for dropped file 2->67 69 Multi AV Scanner detection for dropped file 2->69 71 Machine Learning detection for dropped file 2->71 73 AI detected suspicious sample 2->73 9 msiexec.exe 83 43 2->9         started        12 msiexec.exe 3 2->12         started        process3 file4 51 C:\Users\user\AppData\...\highgui099.dll, PE32 9->51 dropped 53 C:\Users\user\AppData\...\cximagecrt.dll, PE32 9->53 dropped 55 C:\Users\user\AppData\Local\...\cxcore099.dll, PE32 9->55 dropped 57 4 other files (3 malicious) 9->57 dropped 14 ManyCam.exe 10 9->14         started        process5 file6 59 C:\Users\user\AppData\...\highgui099.dll, PE32 14->59 dropped 61 C:\Users\user\AppData\...\cximagecrt.dll, PE32 14->61 dropped 63 C:\Users\user\AppData\...\cxcore099.dll, PE32 14->63 dropped 65 4 other files (3 malicious) 14->65 dropped 93 Switches to a custom stack to bypass stack traces 14->93 95 Found direct / indirect Syscall (likely to bypass EDR) 14->95 18 ManyCam.exe 3 14->18         started        22 pcaui.exe 14->22         started        signatures7 process8 file9 39 C:\Users\user\AppData\...\installer.exe, PE32+ 18->39 dropped 77 Maps a DLL or memory area into another process 18->77 79 Switches to a custom stack to bypass stack traces 18->79 81 Found direct / indirect Syscall (likely to bypass EDR) 18->81 24 installer.exe 14 18->24         started        28 cmd.exe 2 18->28         started        30 pcaui.exe 18->30         started        signatures10 process11 file12 41 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 24->41 dropped 43 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 24->43 dropped 45 C:\Users\user\AppData\Local\...\python313.dll, PE32+ 24->45 dropped 49 9 other malicious files 24->49 dropped 83 Found pyInstaller with non standard icon 24->83 32 installer.exe 24->32         started        47 C:\Users\user\AppData\Local\...\uxmnjbxxdjlw, PE32 28->47 dropped 85 Injects code into the Windows Explorer (explorer.exe) 28->85 87 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 28->87 89 Writes to foreign memory regions 28->89 91 3 other signatures 28->91 34 explorer.exe 28->34         started        37 conhost.exe 28->37         started        signatures13 process14 signatures15 75 Switches to a custom stack to bypass stack traces 34->75
Score:
3%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/5c1917c63fc09983d5f31cb7278122405f28364b93956a96cf635e52f7381f2a
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lqmrprr7ycmyhvptds3spajcibpsqnslsokwvfwpmnpff5zyd4va._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
error
Rhadamanthys
Result
Malware family:
n/a
Score:
  10/10
Tags:
discovery persistence privilege_escalation pyinstaller
Link:
https://tria.ge/reports/241125-rfjvcawrdj/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Detects Pyinstaller
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Blocklisted process makes network request
Enumerates connected drives
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5e877bb4-1ad1-43f6-b8a7-d68696e9684c
Malware family:
HijackLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5c1917c63fc0/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5c1917c63fc09983d5f31cb7278122405f28364b93956a96cf635e52f7381f2a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments