MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 911fc84b673d9e63ce79a859dc917439287fe552ef1c92dfdcb4d7cf744416d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 14


Intelligence 14 IOCs YARA 16 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 911fc84b673d9e63ce79a859dc917439287fe552ef1c92dfdcb4d7cf744416d9
SHA3-384 hash: 7c835278312d4a7b510f339c3e482e2dd19b58d042da3c2c4dcd1e62928c959ae3fe6b190719c35d6b47f4d4f723aeba
SHA1 hash: ccae17f7af60e39c547ac7564dc155b6f3e6802b
MD5 hash: f5e9ce0c42b88b04e8f4996a75cb76d4
humanhash: oxygen-fish-hot-mobile
File name:Anoma-dApp-installer_v1.31.5.msi
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:38'637'428 bytes
First seen:2025-09-25 19:15:57 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 786432:l50fowKEGnw8yRB0jctfLdJ4RndYOJNU9PXiQo1Jrix3rYYlQCod1D72tAtn:l+UDnw8ycjJRnqOJNU9f3o1g9plajfvt
Threatray 32 similar samples on MalwareBazaar
TLSH T1D587331236819031F78B21308856B3B614ED7E709B6487C3B7999B4E2FB49C16EB2F57
TrID 53.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
39.2% (.MSP) Windows Installer Patch (44509/10/5)
7.0% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter JaffaCakes118
Tags:msi Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
68
Origin country :
US US
Vendor Threat Intelligence
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68d59528cc9425144151eff6
Tags:
virus
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug anti-vm anti-vm base64 crypto evasive expired-cert explorer fingerprint fingerprint infostealer lolbin packed wix
Link:
https://www.filescan.io/uploads/68d59522c564c8e81d07e551/reports/2dfe790a-9439-4ffd-873d-f97ff83327c1/overview
Verdict:
Suspicious
Labled as:
ABTrojan.GRIP
Link:
https://www.hybrid-analysis.com/sample/911fc84b673d9e63ce79a859dc917439287fe552ef1c92dfdcb4d7cf744416d9
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/911fc84b673d9e63ce79a859dc917439287fe552ef1c92dfdcb4d7cf744416d9
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
msi
First seen:
2025-09-25T16:33:00Z UTC
Last seen:
2025-09-25T16:33:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Win32.DllHijack.gen Trojan.Win64.SBEscape.sb Trojan.Win32.Strab.sb Trojan.Win32.Penguish.sb Trojan.Win32.Crypt.sb
Link:
https://opentip.kaspersky.com/911fc84b673d9e63ce79a859dc917439287fe552ef1c92dfdcb4d7cf744416d9/results?tab=lookup
Score:
0%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/911fc84b673d9e63ce79a859dc917439287fe552ef1c92dfdcb4d7cf744416d9
Gathering data
Verdict:
Malicious
Threat:
Family.RHADAMANTHYS
Link:
https://tip.neiki.dev/file/911fc84b673d9e63ce79a859dc917439287fe552ef1c92dfdcb4d7cf744416d9
Threat name:
Win32.Trojan.Etset
Create hunting rule
Status:
Malicious
First seen:
2025-09-25 19:16:49 UTC
File Type:
Binary (Archive)
Extracted files:
44
AV detection:
17 of 37 (45.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sep4qs3hhwpghttzvbm5zeluheuh7zks54ojfx64wtl465cec3mq._file
Verdict:
malicious
Label(s):
hijackloader
Create hunting rule
Similar samples:
230f4de7b92166c695ad4f8bc469e2a39a31d0640ceb994d4f46f1afdabea90b
Rhadamanthys
5fe9e516f35fff47564762f9bcb9804f73df817ebe12f8fc4d85e586f4542b6b
Rhadamanthys
7109c74b24a883dbd37cf5d23a11642ed056d876e5120102ab860da498550e33
Rhadamanthys
72acf597de6ade41537a8d9d153e89064168ed780feeffc66ecf3081922fd87d
Rhadamanthys
746d422317975c2f8327071998e1ee98d2e76649ec1baa5575c1f7fe4c401832
Rhadamanthys
bcc062030c3615d3f8e42e3a2a0b4410e07cf5c845c72c95b56d41d81bac5f46
Rhadamanthys
error
Rhadamanthys
f1051b842f6ba781236e736bcb3a1ed9c10bc2036b6f9d2c43062e0bf7b25bba
Rhadamanthys
+ 22 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader family:rhadamanthys discovery loader persistence privilege_escalation pyinstaller stealer
Link:
https://tria.ge/reports/250925-xy7a9avzct/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Detects Pyinstaller
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates connected drives
Detects HijackLoader (aka IDAT Loader)
Detects Rhadamanthys Payload
HijackLoader
Hijackloader family
Rhadamanthys
Rhadamanthys family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/d7d81652-c4ae-481a-b26d-5ba78455d549
Malware family:
IDATLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/911fc84b673d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/911fc84b673d9e63ce79a859dc917439287fe552ef1c92dfdcb4d7cf744416d9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:Check_VBox_Description
Create hunting rule
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DetectEncryptedVariants
Create hunting rule
Author:Zinyth
Description:Detects 'encrypted' in ASCII, Unicode, base64, or hex-encoded
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:RANSOMWARE
Create hunting rule
Author:ToroGuitar
Rule name:RIPEMD160_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for RIPEMD-160 constants
Rule name:SHA1_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for SHA1 constants
Rule name:vmdetect
Create hunting rule
Author:nex
Description:Possibly employs anti-virtualization techniques

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Microsoft Software Installer (MSI) msi 911fc84b673d9e63ce79a859dc917439287fe552ef1c92dfdcb4d7cf744416d9

(this sample)

  
Delivery method
Distributed via web download

Comments