MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6dd552765a28ec262d26a77e8838acf422b504d59c8c74ccc98c3680b8914134. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6dd552765a28ec262d26a77e8838acf422b504d59c8c74ccc98c3680b8914134
SHA3-384 hash: c03c363c29c394b5b015417ab7710e49eb3706214c11ed33732cf9287b1c18331c94e27083024d525a817ea9289d4b3c
SHA1 hash: 8612a1867ea1f4be5230189f76058b4358062437
MD5 hash: 00d55362d115215e85bcb4025ef38b96
humanhash: ceiling-edward-video-pip
File name:Set_Up.msi
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:6'098'944 bytes
First seen:2025-10-22 12:07:31 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:SQZUs0ng9DHjGBPjOD31/SdzfF3gvc3H4iVJ5ZzjYksP3ssUdwCg5U+bBUjSnM+v:SQ900DDwPolSpBD9VjZz8NOd72mjSM
TLSH T143563345FC9F7A54CA6663790D7FF92AF514CCC0370BDD7A66A2F28A623E570809C092
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter abuse_ch
Tags:msi Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
53
Origin country :
SE SE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/33726/
Verdict:
Clean
Score:
89.1%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f810fbad6ce0f5ad4074d8
Tags:
n/a
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug crypto expired-cert fingerprint installer short-lived-cert wix
Link:
https://www.filescan.io/uploads/68f8c90a3a79800405f0de07/reports/ed158346-7915-4784-873c-983c240ba60a/overview
Verdict:
Malicious
Labled as:
Generik.FVYZOBR trojan
Link:
https://www.hybrid-analysis.com/sample/6dd552765a28ec262d26a77e8838acf422b504d59c8c74ccc98c3680b8914134
Verdict:
Malicious
File Type:
msi
First seen:
2025-10-21T20:13:00Z UTC
Last seen:
2025-10-23T13:59:00Z UTC
Hits:
~100
Detections:
Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb Trojan.Win32.Crypt.sb HEUR:Trojan.OLE2.Alien.gen Trojan.Win64.SBEscape.sb Trojan.Win64.DLLhijack.bjt Trojan.Win64.DLLhijack.bjs
Link:
https://opentip.kaspersky.com/6dd552765a28ec262d26a77e8838acf422b504d59c8c74ccc98c3680b8914134/results?tab=lookup
Result
Threat name:
HijackLoader, Nitol, RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1799764
Signature
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected HijackLoader
Yara detected Nitol
Yara detected RHADAMANTHYS Stealer
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1799764 Sample: Set_Up.msi Startdate: 22/10/2025 Architecture: WINDOWS Score: 100 47 Found malware configuration 2->47 49 Malicious sample detected (through community Yara rule) 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 4 other signatures 2->53 8 msiexec.exe 79 39 2->8         started        11 msiexec.exe 3 2->11         started        process3 file4 33 C:\Users\user\AppData\Local\...\So_Tool32.exe, PE32+ 8->33 dropped 35 C:\Users\user\AppData\Local\...\cmdres.DLL, PE32+ 8->35 dropped 37 C:\Users\user\AppData\Local\...\Paint.dll, PE32+ 8->37 dropped 13 So_Tool32.exe 6 8->13         started        process5 file6 39 C:\ProgramData\proiot\So_Tool32.exe, PE32+ 13->39 dropped 41 C:\ProgramData\proiot\cmdres.DLL, PE32+ 13->41 dropped 43 C:\ProgramData\proiot\Paint.dll, PE32+ 13->43 dropped 69 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 13->69 71 Found direct / indirect Syscall (likely to bypass EDR) 13->71 17 So_Tool32.exe 7 13->17         started        signatures7 process8 file9 27 C:\Users\user\PhaseFab128.exe, PE32 17->27 dropped 29 C:\Users\user\AppData\Roaming\...\Chime.exe, PE32 17->29 dropped 31 C:\Users\user\AppData\Local\...\FA141D0.tmp, PE32 17->31 dropped 55 Drops PE files to the user root directory 17->55 57 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 17->57 59 Found hidden mapped module (file has been removed from disk) 17->59 61 3 other signatures 17->61 21 PhaseFab128.exe 17->21         started        25 Chime.exe 17->25         started        signatures10 process11 dnsIp12 45 194.33.61.249, 443, 49690, 49691 LEASEWEB-NL-AMS-01NetherlandsNL unknown 21->45 63 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 21->63 65 Switches to a custom stack to bypass stack traces 21->65 67 Found direct / indirect Syscall (likely to bypass EDR) 21->67 signatures13
Score:
6%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/6dd552765a28ec262d26a77e8838acf422b504d59c8c74ccc98c3680b8914134
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
CAB:COMPRESSION:LZX Executable Office Document PDB Path PE (Portable Executable) PE File Layout
Link:
https://app.malva.re/file/00d55362d115215e85bcb4025ef38b96
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6dd552765a28ec262d26a77e8838acf422b504d59c8c74ccc98c3680b8914134/
Verdict:
Malicious
Threat:
Family.RHADAMANTHYS
Link:
https://tip.neiki.dev/file/6dd552765a28ec262d26a77e8838acf422b504d59c8c74ccc98c3680b8914134
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-10-21 19:47:19 UTC
File Type:
Binary (Archive)
Extracted files:
414
AV detection:
10 of 38 (26.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nxkve5s2fdwcmljgu57iqofm6qrlkbgvtsghjtgjrq3iboerie2a._file
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader family:rhadamanthys discovery loader persistence privilege_escalation ransomware stealer
Link:
https://tria.ge/reports/251022-pamyps1jcz/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates connected drives
Detects HijackLoader (aka IDAT Loader)
Detects Rhadamanthys Payload
HijackLoader
Hijackloader family
Rhadamanthys
Rhadamanthys family
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/dbd7bf0d-2511-40b7-8b86-5067ddc443e1
Malware family:
IDATLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/6dd552765a28/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6dd552765a28ec262d26a77e8838acf422b504d59c8c74ccc98c3680b8914134

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/33726/

Comments