MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c0f64db543f26deab78ab96659cf4bf1bdae96df9baf5406f16ed85791b98bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c0f64db543f26deab78ab96659cf4bf1bdae96df9baf5406f16ed85791b98bf
SHA3-384 hash: 65e58ef8517fa8cb7eb657bcea25f37cbb3be5f0faf5526d5a7ce7eafc160501a670ccb3f44c8301e1edeb20caa068f6
SHA1 hash: 7a31ce8548641fdbcd3b786b4677ff89369d34cb
MD5 hash: ff9df9674c4e0097a2c60f4658675b94
humanhash: pip-helium-princess-glucose
File name:Creative8.1.msi
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:17'276'928 bytes
First seen:2025-08-26 14:57:00 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 393216:XZZGETOQjr6h9XsvY11Qvqp9T4jMY+k90gp0BvA0GHRHtfVSuW:fPS3cQUCp9T4jMY+k4BIHRJVSuW
Threatray 255 similar samples on MalwareBazaar
TLSH T1DE073312BA80EB07E06D73BAF70BA724C5444DE8F74120836B91F5B992331E9B5D2F56
TrID 68.9% (.MST) Windows SDK Setup Transform script (61000/1/5)
22.0% (.WPS) Kingsoft WPS Office document (alt.) (19502/3/2)
9.0% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter aachum
Tags:185-107-74-179 HIjackLoader msi Rhadamanthys


Avatar
iamaachum
https://www.youtube.com/post/Ugkxib61gYbH9u8HPyAyBuIFMsAlIvPQqMVM => https://rkns.link/xduw5 => https://lqlsozkmqkfjfka.info/static/Adobe.Photoshop.2025.rar

Intelligence

File Origin
# of uploads :
1
# of downloads :
30
Origin country :
ES ES
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/23708/
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68adcb66eb163e0ec182cca3
Tags:
shellcode virus spawn
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
fingerprint installer packed wix
Link:
https://www.filescan.io/uploads/68adcc7e4a87ed79676c7106/reports/a97703e6-b03b-483a-82a4-9c59f25d17d9/overview
Verdict:
Suspicious
Labled as:
Generik.FQAKVGN trojan
Link:
https://www.hybrid-analysis.com/sample/8c0f64db543f26deab78ab96659cf4bf1bdae96df9baf5406f16ed85791b98bf
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/8c0f64db543f26deab78ab96659cf4bf1bdae96df9baf5406f16ed85791b98bf
Verdict:
Malicious
File Type:
msi
First seen:
2025-08-26T10:28:00Z UTC
Last seen:
2025-08-26T10:28:00Z UTC
Hits:
~10
Detections:
BSS:Trojan.Win32.Generic.nblk BSS:Trojan.Win32.Generic Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb Trojan.Win32.Inject.sb Trojan.Win32.Crypt.sb
Link:
https://opentip.kaspersky.com/8c0f64db543f26deab78ab96659cf4bf1bdae96df9baf5406f16ed85791b98bf/results?tab=lookup
Result
Threat name:
HijackLoader, RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1765544
Signature
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Switches to a custom stack to bypass stack traces
Yara detected HijackLoader
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1765544 Sample: Creative8.1.msi Startdate: 26/08/2025 Architecture: WINDOWS Score: 96 51 Found malware configuration 2->51 53 Multi AV Scanner detection for dropped file 2->53 55 Yara detected HijackLoader 2->55 57 2 other signatures 2->57 8 msiexec.exe 91 51 2->8         started        11 msiexec.exe 3 2->11         started        process3 file4 33 C:\Users\user\AppData\Local\...\zlibwapi.dll, PE32 8->33 dropped 35 C:\Users\user\AppData\Local\...\libcurl.dll, PE32 8->35 dropped 37 C:\Users\user\AppData\...\VCRUNTIME140.dll, PE32 8->37 dropped 39 12 other files (none is malicious) 8->39 dropped 13 Gam-Evaluator.exe 18 8->13         started        process5 file6 41 C:\ProgramData\launchjavabehaviorgrapham-Evaluator.exe, PE32 13->41 dropped 43 C:\ProgramData\launchjava\zlibwapi.dll, PE32 13->43 dropped 45 C:\ProgramData\launchjava\libcurl.dll, PE32 13->45 dropped 47 12 other files (none is malicious) 13->47 dropped 71 Switches to a custom stack to bypass stack traces 13->71 17 Gam-Evaluator.exe 7 13->17         started        signatures7 process8 file9 27 C:\Users\user\SigmInterface.exe, PE32 17->27 dropped 29 C:\Users\user\AppData\Roaming\...\Chime.exe, PE32 17->29 dropped 31 C:\Users\user\AppData\Local\...\4E3FB35.tmp, PE32 17->31 dropped 59 Drops PE files to the user root directory 17->59 61 Found hidden mapped module (file has been removed from disk) 17->61 63 Maps a DLL or memory area into another process 17->63 65 2 other signatures 17->65 21 SigmInterface.exe 17->21         started        25 Chime.exe 17->25         started        signatures10 process11 dnsIp12 49 185.107.74.179, 443, 49721, 49723 AIREEIPv4RU01UpstreamRTCOMMRU Russian Federation 21->49 67 Switches to a custom stack to bypass stack traces 21->67 69 Found direct / indirect Syscall (likely to bypass EDR) 21->69 signatures13
Score:
11%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/8c0f64db543f26deab78ab96659cf4bf1bdae96df9baf5406f16ed85791b98bf
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8c0f64db543f26deab78ab96659cf4bf1bdae96df9baf5406f16ed85791b98bf/
Verdict:
Malicious
Threat:
Family.RHADAMANTHYS
Link:
https://tip.neiki.dev/file/8c0f64db543f26deab78ab96659cf4bf1bdae96df9baf5406f16ed85791b98bf
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rqhwjw2uh4tn5k3yvolglhhux4n5v2ln7g5pkqdpc3wyk6i3tc7q._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
hijackloader
Create hunting rule
Similar samples:
018f9ba428f4e3360bb6ee7c42f5f475bda12ae71a430d603a4a5e8ea94fdcf9
Rhadamanthys
29ecf946a40c89dfae84770c96f483b151a636202ceaab43b1c8008f2adedbea
Rhadamanthys
3c2d3dd2705831ed8bd4fc730ee21877b8a28b54455c0332e3eeba157707bcb7
Rhadamanthys
7908c78041ece2129127d26500321b09f094e41c66f535454884bb4d79573b9b
Rhadamanthys
8b6cc989867108154391335d55fc5267007706203ca4eadab8ef5fe0cad10fbf
Rhadamanthys
c2eeeef83d6a7c470cccd364369d227ba7665b1c128f5e5128f47d508be9c4db
Rhadamanthys
c3d9dd9bab61c9f89d63481bb2bb18083dfe6f6a661310ed428b9efa893b65e7
Rhadamanthys
ce91c00c4647bb1043e1a1edf70a50db6bbc92d480ad54143d40b31a8c54e4e0
Rhadamanthys
daa1e8c37f131efe55995260e3772db5bfe8d3d5c5c96d2adc7a55492aab0bae
Rhadamanthys
error
Rhadamanthys
+ 245 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader family:rhadamanthys discovery loader persistence privilege_escalation ransomware stealer
Link:
https://tria.ge/reports/250826-sek7fs1jz8/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates connected drives
Detects HijackLoader (aka IDAT Loader)
Detects Rhadamanthys Payload
HijackLoader
Hijackloader family
Rhadamanthys
Rhadamanthys family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/c42fe585-ccd0-4aa3-90e2-b466f9f56d2b
Malware family:
GHOSTPULSE
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8c0f64db543f/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8c0f64db543f26deab78ab96659cf4bf1bdae96df9baf5406f16ed85791b98bf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Microsoft Software Installer (MSI) msi 8c0f64db543f26deab78ab96659cf4bf1bdae96df9baf5406f16ed85791b98bf

(this sample)

  
Link
https://tria.ge/250826-r344sshk3y/behavioral2
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/23708/

Comments