MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b2b04e59172e79af57027094c4724b9628f33806a44a3477bf28a7f57adb30a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b2b04e59172e79af57027094c4724b9628f33806a44a3477bf28a7f57adb30a
SHA3-384 hash: 0adece8126f5d12b81549265588ec61740794c8a426bfb3883f02133e849b432059f13a866c5f3d4872384ae354ef783
SHA1 hash: d3738a1f33009871240bbfd700b627b820d2b198
MD5 hash: c310c1044811f0e286b472d38f6c1e49
humanhash: three-eleven-mountain-enemy
File name:KmsSetup.msi
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:8'577'024 bytes
First seen:2025-08-01 17:29:25 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 196608:slXgubvdkXzULQyoKxmWljY8u1SwPlJuaXD:OdrQyPmWu1cwtJHXD
Threatray 176 similar samples on MalwareBazaar
TLSH T1C3863329FCE19F3BC356153B691781A02CDDECD4237C32A97B9FF9048938A184EA6715
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter aachum
Tags:GhostPulse HIjackLoader msi Rhadamanthys ShadowLadder


Avatar
iamaachum
https://tria.ge/250801-vkgsbsdr7w/behavioral2 => https://www.mediafire.com/file/pg537uteylk8a28/%C4%B6M%C5%9AP1%C4%8A%C5%8C_Setup_Edition_2025_x64_x86_Activation_2025.zip/file

Intelligence

File Origin
# of uploads :
1
# of downloads :
41
Origin country :
ES ES
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/18347/
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=688cfa1f0b4775fb2134b02d
Tags:
n/a
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug installer keylogger wix
Link:
https://www.filescan.io/uploads/688cf9cf73b8ef6f4afa239e/reports/41171a61-2d75-41ae-9785-d2135eb88f83/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/8b2b04e59172e79af57027094c4724b9628f33806a44a3477bf28a7f57adb30a
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/8b2b04e59172e79af57027094c4724b9628f33806a44a3477bf28a7f57adb30a
Result
Threat name:
HijackLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1748643
Signature
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Passes commands via pipe to a shell (likely to bypass AV or HIPS)
Switches to a custom stack to bypass stack traces
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected HijackLoader
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1748643 Sample: KmsSetup.msi Startdate: 01/08/2025 Architecture: WINDOWS Score: 100 103 x.ns.gin.ntt.net 2->103 105 updatecheck34.activated.win 2->105 107 21 other IPs or domains 2->107 115 Found malware configuration 2->115 117 Malicious sample detected (through community Yara rule) 2->117 119 Yara detected HijackLoader 2->119 121 Yara detected Powershell download and execute 2->121 14 msiexec.exe 84 44 2->14         started        17 msiexec.exe 3 2->17         started        signatures3 process4 file5 95 C:\Users\user\AppData\Local\Temp\...\ns.dll, PE32 14->95 dropped 97 C:\Users\user\AppData\Local\...\mfc140u.dll, PE32 14->97 dropped 99 C:\Users\user\AppData\...\libcrypto-1_1.dll, PE32 14->99 dropped 101 5 other files (none is malicious) 14->101 dropped 19 ValidatorF.exe 11 14->19         started        process6 file7 79 C:\ProgramData\FmDemogs\ValidatorF.exe, PE32 19->79 dropped 81 C:\ProgramData\FmDemogs\ns.dll, PE32 19->81 dropped 83 C:\ProgramData\FmDemogs\mfc140u.dll, PE32 19->83 dropped 85 5 other files (none is malicious) 19->85 dropped 125 Switches to a custom stack to bypass stack traces 19->125 23 ValidatorF.exe 23 19->23         started        signatures8 process9 file10 87 C:\Users\user\CacheIn32.exe, PE32 23->87 dropped 89 C:\Users\user\AppData\Roaming\...\444.bat, ASCII 23->89 dropped 91 C:\Users\user\AppData\Roaming\...\XPFix.exe, PE32 23->91 dropped 93 15 other files (none is malicious) 23->93 dropped 135 Drops PE files to the user root directory 23->135 137 Found hidden mapped module (file has been removed from disk) 23->137 139 Maps a DLL or memory area into another process 23->139 141 2 other signatures 23->141 27 cmd.exe 1 23->27         started        29 CacheIn32.exe 23->29         started        signatures11 process12 dnsIp13 33 cmd.exe 1 27->33         started        35 conhost.exe 27->35         started        111 cloudflare-dns.com 104.16.248.249, 443, 49690, 49722 CLOUDFLARENETUS United States 29->111 113 shim2.vurtobix.com 104.21.23.193, 443, 49691, 49693 CLOUDFLARENETUS United States 29->113 145 Switches to a custom stack to bypass stack traces 29->145 147 Found direct / indirect Syscall (likely to bypass EDR) 29->147 signatures14 process15 process16 37 cmd.exe 1 33->37         started        40 conhost.exe 33->40         started        signatures17 127 Uses ping.exe to sleep 37->127 129 Uses cmd line tools excessively to alter registry or file data 37->129 131 Uses ping.exe to check the status of other devices and networks 37->131 133 Passes commands via pipe to a shell (likely to bypass AV or HIPS) 37->133 42 cmd.exe 1 37->42         started        45 cmd.exe 1 37->45         started        47 cmd.exe 1 37->47         started        49 19 other processes 37->49 process18 signatures19 143 Uses cmd line tools excessively to alter registry or file data 42->143 51 cmd.exe 42->51         started        54 cmd.exe 42->54         started        56 cmd.exe 42->56         started        68 21 other processes 42->68 58 cmd.exe 1 45->58         started        60 cmd.exe 1 45->60         started        62 powershell.exe 15 47->62         started        64 mode.com 1 49->64         started        66 conhost.exe 49->66         started        process20 signatures21 123 Uses ping.exe to sleep 51->123 70 PING.EXE 51->70         started        73 PING.EXE 54->73         started        75 powershell.exe 56->75         started        77 mode.com 68->77         started        process22 dnsIp23 109 activated.win 104.21.24.156 CLOUDFLARENETUS United States 70->109
Score:
11%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/8b2b04e59172e79af57027094c4724b9628f33806a44a3477bf28a7f57adb30a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8b2b04e59172e79af57027094c4724b9628f33806a44a3477bf28a7f57adb30a/
Verdict:
Malicious
Threat:
Win32.Certificate.Invalid
Link:
https://tip.neiki.dev/file/8b2b04e59172e79af57027094c4724b9628f33806a44a3477bf28a7f57adb30a
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rmvqjzmroltzv5lqe4euyrzexfri6m4anjckgr336kfh6v5nwmfa._file
Verdict:
malicious
Label(s):
hijackloader
Create hunting rule
Similar samples:
0a5bb6b29e70f99c51cc97726ceab44771dca068cc5d56780c9abf71662bb287
Rhadamanthys
17147a94eee765ba45e6614e21945d7f2d9e1020228d2953ed0ac091df03c784
Rhadamanthys
3a52d91b4d116a614f2a76d7fd58b88c086f28375942368c8b913796000a43db
Rhadamanthys
8139a31922af1ba39388b3aac3cf3a4c46ef235049347186d9cee83998c03b87
Rhadamanthys
89990966e7fd361dd449c1e8e05ecf8e4c7dcd557d6c354dda2c8b7e8fa6b5d6
Rhadamanthys
8e3fdb3882dcbe771400e696f7f66480960c46b42f95cc49edd00edb252c9c26
Rhadamanthys
ad3ea6a4067d44f0183645de77363c1bf86b8ea5fd0be55f5611cc408aa4a0a8
Rhadamanthys
ade883f98d4d4019c879d81e22be84b2f63798367db9aaefc1ee9525d0f96a9c
Rhadamanthys
cf7fbf3d1d77755e4f93437db9a125650a1d8dbe36e9e9ada012f6de1b175be1
Rhadamanthys
d9099dc0e0b217beca26b3d9074df946a34bd5cad3b6bba5e1473b5395de927b
Rhadamanthys
error
Rhadamanthys
+ 166 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader family:rhadamanthys discovery execution loader persistence privilege_escalation ransomware stealer
Link:
https://tria.ge/reports/250801-v3fyra1vgw/
Behaviour
Checks SCSI registry key(s)
Modifies registry key
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
Executes dropped EXE
Launches sc.exe
Loads dropped DLL
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Enumerates connected drives
Detects HijackLoader (aka IDAT Loader)
Detects Rhadamanthys Payload
HijackLoader
Hijackloader family
Rhadamanthys
Rhadamanthys family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/41c0c53e-3421-4069-928d-e5c7617660f3
Malware family:
GHOSTPULSE
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8b2b04e59172/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8b2b04e59172e79af57027094c4724b9628f33806a44a3477bf28a7f57adb30a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Microsoft Software Installer (MSI) msi 8b2b04e59172e79af57027094c4724b9628f33806a44a3477bf28a7f57adb30a

(this sample)

  
Link
https://tria.ge/250801-vkgsbsdr7w/behavioral2
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/18347/

Comments