MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 911fc84b673d9e63ce79a859dc917439287fe552ef1c92dfdcb4d7cf744416d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Rhadamanthys

Vendor detections: 14

SHA256 hash: 911fc84b673d9e63ce79a859dc917439287fe552ef1c92dfdcb4d7cf744416d9
SHA3-384 hash: 7c835278312d4a7b510f339c3e482e2dd19b58d042da3c2c4dcd1e62928c959ae3fe6b190719c35d6b47f4d4f723aeba
SHA1 hash: ccae17f7af60e39c547ac7564dc155b6f3e6802b
MD5 hash: f5e9ce0c42b88b04e8f4996a75cb76d4
humanhash: oxygen-fish-hot-mobile
File name: Anoma-dApp-installer_v1.31.5.msi
Signature: Rhadamanthys
File size: 38'637'428 bytes
First seen: 2025-09-25 19:15:57 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 786432:l50fowKEGnw8yRB0jctfLdJ4RndYOJNU9PXiQo1Jrix3rYYlQCod1D72tAtn:l+UDnw8ycjJRnqOJNU9f3o1g9plajfvt
Threatray: 32 similar samples on MalwareBazaar
TLSH: T1D587331236819031F78B21308856B3B614ED7E709B6487C3B7999B4E2FB49C16EB2F57
TrID:
  53.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
  39.2% (.MSP) Windows Installer Patch (44509/10/5)
  7.0% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: JaffaCakes118
Tags: msi Rhadamanthys

Intelligence

File Origin
# of uploads: 1
# of downloads: 68
Origin country: US

Vendor Threat Intelligence

Verdict: Malicious
Score: 81.4%
Tags: virus

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug anti-vm base64 crypto evasive expired-cert explorer fingerprint infostealer lolbin packed wix

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict: Malicious
File Type: msi
First seen: 2025-09-25T16:33:00Z UTC
Last seen: 2025-09-25T16:33:00Z UTC
Hits: ~10
Detections: HEUR:Trojan.Win32.DllHijack.gen Trojan.Win64.SBEscape.sb Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb Trojan.Win32.Crypt.sb

Threat name: Win32.Trojan.Etset
Status: Malicious
First seen: 2025-09-25 19:16:49 UTC
File Type: Binary (Archive)
Extracted files: 44
AV detection: 17 of 37 (45.95%)
Threat level: 5/5

Result
Malware family: rhadamanthys
Score: 10/10
Tags: family:hijackloader family:rhadamanthys discovery loader persistence privilege_escalation pyinstaller stealer
Behaviour:
  Suspicious behavior: EnumeratesProcesses
  Suspicious behavior: MapViewOfSection
  Suspicious use of AdjustPrivilegeToken
  Suspicious use of FindShellTrayWindow
  Suspicious use of WriteProcessMemory
  Detects Pyinstaller
  Event Triggered Execution: Installer Packages
  System Location Discovery: System Language Discovery
  Executes dropped EXE
  Loads dropped DLL
  Suspicious use of SetThreadContext
  Enumerates connected drives
  Detects HijackLoader (aka IDAT Loader)
  Detects Rhadamanthys Payload
  HijackLoader
  Hijackloader family
  Rhadamanthys
  Rhadamanthys family

Malware family: IDATLoader
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: botnet_plaintext_c2
Author: cip
Description: Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.

Rule name: Check_VBox_Description

Rule name: cobalt_strike_tmp01925d3f
Author: The DFIR Report
Description: files - file ~tmp01925d3f.exe
Reference: https://thedfirreport.com

Rule name: CP_AllMal_Detector
Author: DiegoAnalytics
Description: CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DetectEncryptedVariants
Author: Zinyth
Description: Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded

Rule name: golang_bin_JCorn_CSC846
Author: Justin Cornwell
Description: CSC-846 Golang detection ruleset

Rule name: HeavensGate
Author: kevoreilly
Description: Heaven's Gate: Switch from 32-bit to 64-bit mode

Rule name: malware_shellcode_hash
Author: JPCERT/CC Incident Response Group
Description: detect shellcode api hash value

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: NET
Author: malware-lu

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: RIPEMD160_Constants
Author: phoul (@phoul)
Description: Look for RIPEMD-160 constants

Rule name: SHA1_Constants
Author: phoul (@phoul)
Description: Look for SHA1 constants

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Rhadamanthys
File: Microsoft Software Installer (MSI) msi 911fc84b673d9e63ce79a859dc917439287fe552ef1c92dfdcb4d7cf744416d9 (this sample)

Delivery method
Distributed via web download

Comments