MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a298813d7625f32d7197c65c89c43fa8957f8d53c375e61a8a48656e20d57be9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 7


Intelligence 7 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a298813d7625f32d7197c65c89c43fa8957f8d53c375e61a8a48656e20d57be9
SHA3-384 hash: 64cb1310f0c5e3c2407649ed092d20ab557ddd7913f17d7d597076cb752199e66f38b907bcc4f8f757fcf7d38cb13215
SHA1 hash: 9cadc7090440ad07e21beb31bf9c5dd154428c17
MD5 hash: 78879cbaf4e9e7156eb01cb67edc247e
humanhash: asparagus-oranges-low-pennsylvania
File name:setup.zip
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:2'326'501 bytes
First seen:2025-10-16 17:15:39 UTC
Last seen:Never
File type: zip
MIME type:application/zip
ssdeep 1536:Cg8b6y9ya3UGxlmPXkeCbO2Ax3h4aPgnE2vlDiT16jACRdv:j8b6y9ZmP0fxAxx4hnviTAj9dv
TLSH T1C3B506C165310AF0BFD7148F7E9653C2859E3E36A1CF0BF27F15A389AA78D1125E2294
Magika zip
Reporter burger
Tags:file-pumped Rhadamanthys zip

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
NL NL
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:setup.exe
Pumped file This file is pumped. MalwareBazaar has de-pumped it.
File size:891'289'600 bytes
SHA256 hash: fd2ed5a062c4f1acfa2ad5a2d6417c007ee50f2f18988f6da7bd75971807121f
MD5 hash: 65a0aa9af5b187cddd06a448621ed2b4
De-pumped file size:145'920 bytes (Vs. original size of 891'289'600 bytes)
De-pumped SHA256 hash: 415c17f6478a1ae3396eee646a2025c9c531d25becb62dc460e2815fb5d34e07
De-pumped MD5 hash: 23de8dd16fd0bb828096dc77e1d3fe5e
MIME type:application/x-dosexec
Signature Rhadamanthys
Vendor Threat Intelligence
Detection(s):
no reply from clamd
Create hunting rule

Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f1286972d478f905985e4e
Tags:
n/a
Result
Verdict:
Malicious
File Type:
ZIP File - Malicious
Link:
https://app.docguard.net/a298813d7625f32d7197c65c89c43fa8957f8d53c375e61a8a48656e20d57be9/results/dashboard
Behaviour
SuspiciousEmbeddedObjects detected
Gathering data
Verdict:
Suspicious
Labled as:
HEUR/Pumpar.Generic
Link:
https://www.hybrid-analysis.com/sample/a298813d7625f32d7197c65c89c43fa8957f8d53c375e61a8a48656e20d57be9
Verdict:
Clean
File Type:
zip
Link:
https://opentip.kaspersky.com/a298813d7625f32d7197c65c89c43fa8957f8d53c375e61a8a48656e20d57be9/results?tab=lookup
Score:
100%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/a298813d7625f32d7197c65c89c43fa8957f8d53c375e61a8a48656e20d57be9
Verdict:
Malware
YARA:
3 match(es)
Tags:
CVE-2019-13232 CVE-2019-9674 CVE-2022-29225 CVE-2022-36114 CVE-2023-46104 CVE-2024-0450 Executable Malicious PDB Path PE (Portable Executable) PE File Layout Zip Archive Zip Bomb
Link:
https://app.malva.re/file/78879cbaf4e9e7156eb01cb67edc247e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a298813d7625f32d7197c65c89c43fa8957f8d53c375e61a8a48656e20d57be9/
Threat name:
Binary.Trojan.Pumpar
Create hunting rule
Status:
Malicious
First seen:
2025-10-16 17:16:35 UTC
AV detection:
10 of 38 (26.32%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ukmicplwexzs24mxyzoitrb7vckx7dktyn26mgukjbsw4igvppuq._file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.26
Link:
https://yomi.yoroi.company/submissions/a298813d7625f32d7197c65c89c43fa8957f8d53c375e61a8a48656e20d57be9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Any_SU_Domain
Create hunting rule
Author:you
Description:Detect any reference to .su domains or subdomains
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:pe_detect_tls_callbacks
Create hunting rule
Rule name:PK_PUMP_AND_DUMP
Create hunting rule
Author:Will Metcalf @node5
Description:Walks Zip Central Directory filename entries looking for abused extension then checks for a file that's at least 25M and then check to see how much uncompressed size is vs compressed size
Rule name:weird_zip_high_compression_ratio
Create hunting rule
Author:Maxime THIEBAUT (@0xThiebaut)
Description:Detects single-entry ZIP files with a suspiciously high compression ratio (>100:1) and decompressed size above the 500MB AV limit
Reference:https://twitter.com/Cryptolaemus1/status/1633099154623803394

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Rhadamanthys

zip a298813d7625f32d7197c65c89c43fa8957f8d53c375e61a8a48656e20d57be9

(this sample)

Rhadamanthys

Executable exe 415c17f6478a1ae3396eee646a2025c9c531d25becb62dc460e2815fb5d34e07

  
Dropping
SHA256 415c17f6478a1ae3396eee646a2025c9c531d25becb62dc460e2815fb5d34e07
  
Dropping
MD5 23de8dd16fd0bb828096dc77e1d3fe5e

Comments