MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e0b5628d3044ad6d2cf2e8eed1cf15cbdb966cc98899f5e1e053ac3a9fffb98. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 10


Intelligence 10 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9e0b5628d3044ad6d2cf2e8eed1cf15cbdb966cc98899f5e1e053ac3a9fffb98
SHA3-384 hash: e8df7cd9babb4401f0d965939ba25caec9c896c81a171512c4d05afd261378c50813831fdc1c989ceccd834eb1c35d99
SHA1 hash: 0fa1fcef5a8b131a85b25aef826297e2d8bc94fe
MD5 hash: e841a5224ff2032f9adbb43caffbb8be
humanhash: nuts-triple-low-sweet
File name:Setup_v1.1.msi
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:10'723'328 bytes
First seen:2025-08-19 21:59:54 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 196608:wvu4pW9X7UFBAHZt13lEkGOz3lg7W8Fa7cQ+YNRDDfdAU9kvE+0sTN4Dw8L:whe+ABlEMR8Js1NRDjdAU9ix0sRChL
Threatray 251 similar samples on MalwareBazaar
TLSH T127B633767685B02DF48F953C0F0B89A0D97C4D01B68B664B979CF72022772E3F699D60
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter aachum
Tags:GhostPulse HIjackLoader msi Rhadamanthys ShadowLadder


Avatar
iamaachum
https://download.hostup.me/ => https://app.box.com/shared/static/l4rk8351obgtle6j3hgokdgj09lwg7i2.zip

Intelligence

File Origin
# of uploads :
1
# of downloads :
34
Origin country :
ES ES
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/22338/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68a4f41fc2f5296a1a285845
Tags:
shellcode overt spawn
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
installer wix
Link:
https://www.filescan.io/uploads/68a4f42b419c816a6e8ca00c/reports/241666a3-f621-4e77-b205-3199d910f40e/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/9e0b5628d3044ad6d2cf2e8eed1cf15cbdb966cc98899f5e1e053ac3a9fffb98
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/9e0b5628d3044ad6d2cf2e8eed1cf15cbdb966cc98899f5e1e053ac3a9fffb98
Result
Threat name:
HijackLoader, RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1760622
Signature
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Early bird code injection technique detected
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected HijackLoader
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1760622 Sample: Setup_v1.1.msi Startdate: 20/08/2025 Architecture: WINDOWS Score: 100 84 x.ns.gin.ntt.net 2->84 86 time.google.com 2->86 88 9 other IPs or domains 2->88 116 Found malware configuration 2->116 118 Multi AV Scanner detection for dropped file 2->118 120 Yara detected HijackLoader 2->120 122 2 other signatures 2->122 12 msiexec.exe 84 44 2->12         started        15 msedge.exe 2->15         started        18 elevation_service.exe 2->18         started        20 4 other processes 2->20 signatures3 process4 dnsIp5 76 C:\Users\user\AppData\Roaming\...\QtXml4.dll, PE32 12->76 dropped 78 C:\Users\user\AppData\...\QtWebKit4.dll, PE32 12->78 dropped 80 C:\Users\user\AppData\...\QtNetwork4.dll, PE32 12->80 dropped 82 5 other malicious files 12->82 dropped 22 GBroker64.exe 11 12->22         started        114 239.255.255.250 unknown Reserved 15->114 26 msedge.exe 15->26         started        29 msedge.exe 15->29         started        31 msedge.exe 15->31         started        33 msedge.exe 15->33         started        file6 process7 dnsIp8 68 C:\ProgramData\RB_CtrlbehaviorgraphBroker64.exe, PE32 22->68 dropped 70 C:\ProgramData\RB_Ctrl\QtXml4.dll, PE32 22->70 dropped 72 C:\ProgramData\RB_Ctrl\QtWebKit4.dll, PE32 22->72 dropped 74 5 other files (none is malicious) 22->74 dropped 132 Switches to a custom stack to bypass stack traces 22->132 35 GBroker64.exe 7 22->35         started        102 s-part-0012.t-0009.t-msedge.net 13.107.246.40, 443, 49715, 49726 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 26->102 104 ln-0007.ln-msedge.net 150.171.22.17, 443, 49712 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 26->104 106 11 other IPs or domains 26->106 file9 signatures10 process11 file12 62 C:\Users\user\ByGenerator.exe, PE32 35->62 dropped 64 C:\Users\user\AppData\Roaming\...\Chime.exe, PE32 35->64 dropped 66 C:\Users\user\AppData\Local\Temp\4B22D7.tmp, PE32 35->66 dropped 124 Drops PE files to the user root directory 35->124 126 Found hidden mapped module (file has been removed from disk) 35->126 128 Maps a DLL or memory area into another process 35->128 130 2 other signatures 35->130 39 ByGenerator.exe 35->39         started        43 Chime.exe 35->43         started        signatures13 process14 dnsIp15 90 cloudflare-dns.com 104.16.248.249, 443, 49685, 49692 CLOUDFLARENETUS United States 39->90 92 104.21.48.1, 443, 49686 CLOUDFLARENETUS United States 39->92 94 5 other IPs or domains 39->94 134 Switches to a custom stack to bypass stack traces 39->134 136 Found direct / indirect Syscall (likely to bypass EDR) 39->136 45 dllhost.exe 6 39->45         started        signatures16 process17 dnsIp18 108 shim2.tropixgo.com 45->108 110 time-a-g.nist.gov 129.6.15.28, 123, 59550 US-NATIONAL-INSTITUTE-OF-STANDARDS-AND-TECHNOLOGYUS United States 45->110 112 7 other IPs or domains 45->112 138 System process connects to network (likely due to code injection or exploit) 45->138 140 Early bird code injection technique detected 45->140 142 Tries to harvest and steal browser information (history, passwords, etc) 45->142 144 2 other signatures 45->144 49 chrome.exe 1 45->49         started        51 msedge.exe 14 45->51         started        53 chrome.exe 45->53         started        signatures19 process20 process21 55 chrome.exe 49->55         started        58 chrome.exe 49->58         started        60 msedge.exe 51->60         started        dnsIp22 96 googlehosted.l.googleusercontent.com 142.251.40.97, 443, 49709, 49710 GOOGLEUS United States 55->96 98 127.0.0.1 unknown unknown 55->98 100 clients2.googleusercontent.com 55->100
Score:
10%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/9e0b5628d3044ad6d2cf2e8eed1cf15cbdb966cc98899f5e1e053ac3a9fffb98
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
.Net CAB:COMPRESSION:LZX Executable Office Document PDB Path PE (Portable Executable) PE File Layout
Link:
https://app.malva.re/file/e841a5224ff2032f9adbb43caffbb8be
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9e0b5628d3044ad6d2cf2e8eed1cf15cbdb966cc98899f5e1e053ac3a9fffb98/
Verdict:
Malicious
Threat:
Family.RHADAMANTHYS
Link:
https://tip.neiki.dev/file/9e0b5628d3044ad6d2cf2e8eed1cf15cbdb966cc98899f5e1e053ac3a9fffb98
Threat name:
Win32.Trojan.Rugmi
Create hunting rule
Status:
Malicious
First seen:
2025-08-19 20:45:31 UTC
File Type:
Binary (Archive)
Extracted files:
26
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tyfvmkgtarfnnuwpf2ho2hhrls63szwmtcez6xq6au5mhkp77oma._file
Verdict:
malicious
Label(s):
hijackloader
Create hunting rule
rhadamanthys
Create hunting rule
Similar samples:
018f9ba428f4e3360bb6ee7c42f5f475bda12ae71a430d603a4a5e8ea94fdcf9
Rhadamanthys
21410f2d5da769fab3f5c9d3d2f6aeec19d1f7b4d2a04e1370491aece6517a0a
Rhadamanthys
29ecf946a40c89dfae84770c96f483b151a636202ceaab43b1c8008f2adedbea
Rhadamanthys
6b5266685f3fe4ca9e4d7cf5b16b26fcae1c215eb9933eb471240d4daaecdaf5
Rhadamanthys
7908c78041ece2129127d26500321b09f094e41c66f535454884bb4d79573b9b
Rhadamanthys
8b6cc989867108154391335d55fc5267007706203ca4eadab8ef5fe0cad10fbf
Rhadamanthys
925a447b319c05bc4ebe88b3a4404a84351e01026ef4de8d65bed475c9859be9
Rhadamanthys
bad586a884eb7b1edcafc832a9ecf192e85b084d0e9b77423b9e5494ed7d44e2
Rhadamanthys
daa1e8c37f131efe55995260e3772db5bfe8d3d5c5c96d2adc7a55492aab0bae
Rhadamanthys
error
Rhadamanthys
+ 241 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader family:rhadamanthys discovery loader persistence privilege_escalation ransomware stealer
Link:
https://tria.ge/reports/250819-1xdt4agq51/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates connected drives
Detects HijackLoader (aka IDAT Loader)
Detects Rhadamanthys Payload
HijackLoader
Hijackloader family
Rhadamanthys
Rhadamanthys family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3b28951e-d356-41cd-bf55-69a408a9df9e
Malware family:
GHOSTPULSE
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9e0b5628d304/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Microsoft Software Installer (MSI) msi 9e0b5628d3044ad6d2cf2e8eed1cf15cbdb966cc98899f5e1e053ac3a9fffb98

(this sample)

  
Link
https://tria.ge/250819-1hjf2axxav/behavioral2
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/22338/

Comments