MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e72de9f6789a9cda3df9f794ab3e26ff9b24611edf9e0f0cbc4d6a5d8e44bbb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e72de9f6789a9cda3df9f794ab3e26ff9b24611edf9e0f0cbc4d6a5d8e44bbb
SHA3-384 hash: 1e6f42c1cd873a46418785d62f2390f23d0382227fb3206cdc116ff5b4bb39103acc50fd7702c10856e73762fbb8525f
SHA1 hash: f3bbc48a68b0fdb1eee9253e7a6cadaa9503c36f
MD5 hash: 3c83d3325933e2ca560781cf4930c593
humanhash: uniform-video-blue-pizza
File name:e585b1b.msi
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:5'570'560 bytes
First seen:2025-08-02 14:35:39 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:W43ukWzGl5j0Gapc3aBRSIZTll1g7i3Kv3xIVaKBa3b099VQ16pmrqhzrLp9UVrf:jt5j0VBRLBlWL3xDR3b01G6pM4fNCV7
Threatray 225 similar samples on MalwareBazaar
TLSH T1C046339539F0BFC2FAEF6AFAA2016A8506FF9DB48E16D0D040F3B4217438655191ADF4
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter aachum
Tags:GhostPulse HIjackLoader msi Rhadamanthys ShadowLadder shim4-familygater-com

Intelligence

File Origin
# of uploads :
1
# of downloads :
44
Origin country :
ES ES
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/18464/
Verdict:
Malicious
Score:
91.7%
Link:
https://cyber-fortress.com/docs/result/index.php?id=688e226e0b4775fb21353252
Tags:
overt spawn crypt
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug expired-cert fingerprint installer wix
Link:
https://www.filescan.io/uploads/688e226a73b8ef6f4afb4ac0/reports/ad0b7758-64dd-4436-809c-afd768bff614/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/5e72de9f6789a9cda3df9f794ab3e26ff9b24611edf9e0f0cbc4d6a5d8e44bbb
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/5e72de9f6789a9cda3df9f794ab3e26ff9b24611edf9e0f0cbc4d6a5d8e44bbb
Result
Threat name:
HijackLoader, RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1749079
Signature
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Passes commands via pipe to a shell (likely to bypass AV or HIPS)
Switches to a custom stack to bypass stack traces
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected HijackLoader
Yara detected Powershell download and execute
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1749079 Sample: e585b1b.msi Startdate: 02/08/2025 Architecture: WINDOWS Score: 100 115 updatecheck34.activated.win 2->115 117 cloudflare-dns.com 2->117 119 activated.win 2->119 127 Found malware configuration 2->127 129 Malicious sample detected (through community Yara rule) 2->129 131 Yara detected HijackLoader 2->131 133 2 other signatures 2->133 13 msiexec.exe 81 41 2->13         started        16 svchost.exe 2->16         started        19 msiexec.exe 3 2->19         started        signatures3 process4 dnsIp5 99 C:\Users\user\AppData\Local\...\AdvaHub.exe, PE32+ 13->99 dropped 101 C:\Users\user\...\lib_TSDeviceViewerSDK.dll, PE32+ 13->101 dropped 103 C:\Users\user\...\lib_TSCommunication_sdk.dll, PE32+ 13->103 dropped 105 2 other files (none is malicious) 13->105 dropped 21 AdvaHub.exe 8 13->21         started        107 127.0.0.1 unknown unknown 16->107 file6 process7 file8 83 C:\ProgramData\...\AdvaHub.exe, PE32+ 21->83 dropped 85 C:\ProgramData\...\lib_TSDeviceViewerSDK.dll, PE32+ 21->85 dropped 87 C:\...\lib_TSCommunication_sdk.dll, PE32+ 21->87 dropped 89 2 other files (none is malicious) 21->89 dropped 139 Found direct / indirect Syscall (likely to bypass EDR) 21->139 25 AdvaHub.exe 23 21->25         started        signatures9 process10 file11 91 C:\Users\user\AppData\Local\MatrixVeri.exe, PE32 25->91 dropped 93 C:\Users\user\AppData\Roaming\...\444.bat, ASCII 25->93 dropped 95 C:\Users\user\AppData\Roaming\...\XPFix.exe, PE32 25->95 dropped 97 15 other files (none is malicious) 25->97 dropped 145 Found hidden mapped module (file has been removed from disk) 25->145 147 Maps a DLL or memory area into another process 25->147 149 Found direct / indirect Syscall (likely to bypass EDR) 25->149 29 cmd.exe 1 25->29         started        32 MatrixVeri.exe 25->32         started        signatures12 process13 dnsIp14 151 Uses ping.exe to sleep 29->151 153 Uses cmd line tools excessively to alter registry or file data 29->153 155 Uses ping.exe to check the status of other devices and networks 29->155 157 Passes commands via pipe to a shell (likely to bypass AV or HIPS) 29->157 35 cmd.exe 1 29->35         started        38 conhost.exe 29->38         started        109 cloudflare-dns.com 104.16.248.249, 443, 49702, 49705 CLOUDFLARENETUS United States 32->109 111 104.21.32.1, 443, 49706 CLOUDFLARENETUS United States 32->111 113 5 other IPs or domains 32->113 159 Switches to a custom stack to bypass stack traces 32->159 161 Found direct / indirect Syscall (likely to bypass EDR) 32->161 signatures15 process16 signatures17 135 Uses cmd line tools excessively to alter registry or file data 35->135 137 Passes commands via pipe to a shell (likely to bypass AV or HIPS) 35->137 40 cmd.exe 1 35->40         started        43 cmd.exe 1 35->43         started        45 cmd.exe 1 35->45         started        47 17 other processes 35->47 process18 signatures19 141 Uses cmd line tools excessively to alter registry or file data 40->141 143 Passes commands via pipe to a shell (likely to bypass AV or HIPS) 40->143 49 cmd.exe 40->49         started        52 cmd.exe 40->52         started        54 cmd.exe 40->54         started        66 23 other processes 40->66 56 cmd.exe 1 43->56         started        58 cmd.exe 1 43->58         started        60 powershell.exe 8 15 45->60         started        62 mode.com 1 47->62         started        64 conhost.exe 47->64         started        process20 signatures21 123 Uses ping.exe to sleep 49->123 68 PING.EXE 49->68         started        71 PING.EXE 52->71         started        125 Uses cmd line tools excessively to alter registry or file data 54->125 73 reg.exe 54->73         started        75 cmd.exe 66->75         started        77 cmd.exe 66->77         started        79 powershell.exe 66->79         started        81 mode.com 66->81         started        process22 dnsIp23 121 activated.win 104.21.24.156 CLOUDFLARENETUS United States 68->121
Score:
8%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/5e72de9f6789a9cda3df9f794ab3e26ff9b24611edf9e0f0cbc4d6a5d8e44bbb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5e72de9f6789a9cda3df9f794ab3e26ff9b24611edf9e0f0cbc4d6a5d8e44bbb/
Verdict:
Malicious
Threat:
Family.LUMMA
Link:
https://tip.neiki.dev/file/5e72de9f6789a9cda3df9f794ab3e26ff9b24611edf9e0f0cbc4d6a5d8e44bbb
Threat name:
Win32.Trojan.Egairtigado
Create hunting rule
Status:
Malicious
First seen:
2025-08-02 14:36:34 UTC
File Type:
Binary (Archive)
Extracted files:
12
AV detection:
9 of 24 (37.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lzzn5h3hrgu43i67t54uvm7cn743erqr5x46b4glytlklwhejo5q._file
Verdict:
malicious
Label(s):
hijackloader
Create hunting rule
rhadamanthys
Create hunting rule
Similar samples:
49ef9e71394d2e271367f84ce0d1c48654f4e33c73bb106e79b78c7b11165448
Rhadamanthys
4de6d6ec40ea5f34c83708e525fe46d4d661f3211ba2484bb8380bd2659927fe
Rhadamanthys
532cd786f23abb9843f9cc60e50f6b7a1e2e83061ef78cda92034ca52a59971d
Rhadamanthys
5d251fd02e2d0e0e9bd67dba8cd808b8f8011faee8bed973fb19254a99fa784a
Rhadamanthys
88a98376391806a7de1cb1fa647721da286aa0b3e34ba8b943ad5c31a7d78001
Rhadamanthys
b42256e6754cb643a01f720cbf4946fca672f9fadcf09c975497ca2d8c9d2325
Rhadamanthys
dfd269ac5ccb2e6f7aaa82fe534b23f3ba7f0ba79b4579d05bf424a4a3a39939
Rhadamanthys
eb5558d414c6f96efeb30db704734c463eb08758a3feacf452d743ba5f8fe662
Rhadamanthys
eecf73aec1df3ecf4a12ccb43aa38375ab65987f2e8ee9efb0e061052c319a05
Rhadamanthys
error
Rhadamanthys
+ 215 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader family:rhadamanthys discovery execution loader persistence privilege_escalation ransomware stealer
Link:
https://tria.ge/reports/250802-ryr9fa1ycz/
Behaviour
Checks SCSI registry key(s)
Modifies registry key
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
Executes dropped EXE
Launches sc.exe
Loads dropped DLL
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Enumerates connected drives
Detects HijackLoader (aka IDAT Loader)
Detects Rhadamanthys Payload
HijackLoader
Hijackloader family
Rhadamanthys
Rhadamanthys family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/400854ac-76f7-4ee6-ae11-c15758e7d6a9
Malware family:
GHOSTPULSE
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/5e72de9f6789/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5e72de9f6789a9cda3df9f794ab3e26ff9b24611edf9e0f0cbc4d6a5d8e44bbb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Executable exe fed43d218c0e10df84e6d534358b859e9ed6fc3747f78de0081a6700f3f6b4c0

Rhadamanthys

Microsoft Software Installer (MSI) msi 5e72de9f6789a9cda3df9f794ab3e26ff9b24611edf9e0f0cbc4d6a5d8e44bbb

(this sample)

  
Link
https://tria.ge/250802-rtms6a1xgw/behavioral2
  
Dropped by
SHA256 fed43d218c0e10df84e6d534358b859e9ed6fc3747f78de0081a6700f3f6b4c0
  
Delivery method
Distributed via web download
  
Dropped by
MD5 2f43403c9ac75a091fca172c28e09ea2
Cape
Cape
https://www.capesandbox.com/analysis/18464/

Comments