MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9007661e48e9d4b325029b08a941aa99d315e33be6496380dacf238f0b95ccf3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9007661e48e9d4b325029b08a941aa99d315e33be6496380dacf238f0b95ccf3
SHA3-384 hash: b35f219d86edd0082c0d3d7cbed0ff626598296db3d7b9cfdb41218ae46c1a11c5e5de79349be738cdadf6e5609de41e
SHA1 hash: 5f2e1189780680dd29fdfff5760ea0a06bae7320
MD5 hash: e09ec3c3df6a8cb5f93a1a467cba7e89
humanhash: cold-kansas-gee-blue
File name:Set_Up.msi
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:4'182'016 bytes
First seen:2025-10-21 05:54:27 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:jjA6d8XaSMnmx713yy3TgDz7JisUD4VzVHSEkm:jjAw8KqxZ3yy3UDz7kssAVY
TLSH T1A41633C678EB8FB7CBA6C2B55302B5544DF0DC055A23EB6AF88C72E90C353B96046725
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter abuse_ch
Tags:msi Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
47
Origin country :
SE SE
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/33583/
Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f5f247c949ca4fcbe398a2
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug expired-cert fingerprint installer keylogger packed wix
Link:
https://www.filescan.io/uploads/68f72066c85c5c56972ff519/reports/ce4db1cc-c953-47c4-8696-74d9a251017a/overview
Verdict:
Malicious
Labled as:
Generik.DDZXTEH trojan
Link:
https://www.hybrid-analysis.com/sample/9007661e48e9d4b325029b08a941aa99d315e33be6496380dacf238f0b95ccf3
Verdict:
Malicious
File Type:
msi
First seen:
2025-10-20T05:32:00Z UTC
Last seen:
2025-10-22T18:04:00Z UTC
Hits:
~10
Detections:
Trojan.Win64.SBEscape.sb Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb Trojan.Win32.Delf.sb Trojan.Win32.Crypt.sb HEUR:Trojan.OLE2.Delf.gen
Link:
https://opentip.kaspersky.com/9007661e48e9d4b325029b08a941aa99d315e33be6496380dacf238f0b95ccf3/results?tab=lookup
Result
Threat name:
HijackLoader, RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1798889
Signature
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to steal Mail credentials (via file registry)
Yara detected HijackLoader
Yara detected RHADAMANTHYS Stealer
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1798889 Sample: Set_Up.msi Startdate: 21/10/2025 Architecture: WINDOWS Score: 100 51 Found malware configuration 2->51 53 Malicious sample detected (through community Yara rule) 2->53 55 Multi AV Scanner detection for dropped file 2->55 57 4 other signatures 2->57 8 msiexec.exe 83 43 2->8         started        11 msiexec.exe 3 2->11         started        process3 file4 33 C:\Users\user\AppData\Local\...\webres.dll, PE32 8->33 dropped 35 C:\Users\user\AppData\Local\...\vcl120.bpl, PE32 8->35 dropped 37 C:\Users\user\AppData\Local\...\rtl120.bpl, PE32 8->37 dropped 39 4 other malicious files 8->39 dropped 13 D-Switch58.exe 16 8->13         started        process5 file6 41 C:\ProgramData\MSrunner_service\webres.dll, PE32 13->41 dropped 43 C:\ProgramData\MSrunner_service\vcl120.bpl, PE32 13->43 dropped 45 C:\ProgramData\...\D-Switch58.exe, PE32 13->45 dropped 47 4 other files (none is malicious) 13->47 dropped 73 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 13->73 75 Tries to steal Mail credentials (via file registry) 13->75 77 Switches to a custom stack to bypass stack traces 13->77 17 D-Switch58.exe 9 13->17         started        signatures7 process8 file9 27 C:\Users\user\BeacEngine.exe, PE32 17->27 dropped 29 C:\Users\user\AppData\Roaming\...\Chime.exe, PE32 17->29 dropped 31 C:\Users\user\AppData\Local\Temp\A369E2.tmp, PE32 17->31 dropped 59 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 17->59 61 Drops PE files to the user root directory 17->61 63 Found hidden mapped module (file has been removed from disk) 17->63 65 3 other signatures 17->65 21 BeacEngine.exe 17->21         started        25 Chime.exe 17->25         started        signatures10 process11 dnsIp12 49 185.107.74.119, 443, 49690 AIREEIPv4RU01UpstreamRTCOMMRU Russian Federation 21->49 67 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 21->67 69 Switches to a custom stack to bypass stack traces 21->69 71 Found direct / indirect Syscall (likely to bypass EDR) 21->71 signatures13
Score:
5%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/9007661e48e9d4b325029b08a941aa99d315e33be6496380dacf238f0b95ccf3
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
CAB:COMPRESSION:LZX Executable Office Document PDB Path PE (Portable Executable) PE File Layout
Link:
https://app.malva.re/file/e09ec3c3df6a8cb5f93a1a467cba7e89
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9007661e48e9d4b325029b08a941aa99d315e33be6496380dacf238f0b95ccf3/
Verdict:
Malicious
Threat:
Family.RHADAMANTHYS
Link:
https://tip.neiki.dev/file/9007661e48e9d4b325029b08a941aa99d315e33be6496380dacf238f0b95ccf3
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-10-20 03:11:30 UTC
File Type:
Binary (Archive)
Extracted files:
187
AV detection:
13 of 24 (54.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sadwmhsi5hklgjictmeksqnkthjrlyz34zewhag2z4ry6c4vztzq._file
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader family:rhadamanthys discovery loader persistence privilege_escalation ransomware stealer
Link:
https://tria.ge/reports/251021-gvlx5s1qen/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates connected drives
Detects HijackLoader (aka IDAT Loader)
Detects Rhadamanthys Payload
HijackLoader
Hijackloader family
Rhadamanthys
Rhadamanthys family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9007661e48e9d4b325029b08a941aa99d315e33be6496380dacf238f0b95ccf3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/33583/

Comments