MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 abf205f67f31e721200ec97d75ded289f81a8a9be9d4918f85c95173220ccc54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 12


Intelligence 12 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: abf205f67f31e721200ec97d75ded289f81a8a9be9d4918f85c95173220ccc54
SHA3-384 hash: 3bae0d76b0182f129da8635339c9f7f286b0bbf465e03127e210f70a9e97200c6434c5a976bd3fcf16dc8dbf7e1d906d
SHA1 hash: 8462fdf961caff7104867eb10addfb2dc09c7da3
MD5 hash: 77f3df5d3183f86175fd4fd4c4079333
humanhash: carpet-jig-spaghetti-table
File name:KmsSetup_v1.1.msi
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:10'391'552 bytes
First seen:2025-08-08 23:31:45 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 196608:9LFoWCPjNBi2/3Nr33iKlTBtFXHVUWiCN4fi9512X0wYK:FFoW4j7dr3PlTJVBiq5kX0wN
TLSH T179A633347D625350E621597B0A33A327E147EE0DAF41709765A2BEBB8170F22F7E812D
TrID 68.9% (.MST) Windows SDK Setup Transform script (61000/1/5)
22.0% (.WPS) Kingsoft WPS Office document (alt.) (19502/3/2)
9.0% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter aachum
Tags:GhostPulse HIjackLoader msi Rhadamanthys ShadowLadder


Avatar
iamaachum
https://kmspico-download.celebritympg.com/ => https://app.box.com/shared/static/lewstso2w9wzgumme91ylms4drucbwzf.zip

Intelligence

File Origin
# of uploads :
1
# of downloads :
43
Origin country :
ES ES
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/19770/
Verdict:
Malicious
Score:
96.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689689141e8a59ee04e7b02c
Tags:
shellcode virus overt
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug crypto fingerprint installer threat wix
Link:
https://www.filescan.io/uploads/689689212fbe0788fb1c923c/reports/9e0fe92b-d121-4cf1-a283-a963d1b8e83c/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/abf205f67f31e721200ec97d75ded289f81a8a9be9d4918f85c95173220ccc54
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/abf205f67f31e721200ec97d75ded289f81a8a9be9d4918f85c95173220ccc54
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
HijackLoader, RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1753414
Signature
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Passes commands via pipe to a shell (likely to bypass AV or HIPS)
Potentially malicious time measurement code found
Switches to a custom stack to bypass stack traces
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected HijackLoader
Yara detected Powershell download and execute
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1753414 Sample: KmsSetup_v1.1.msi Startdate: 09/08/2025 Architecture: WINDOWS Score: 100 120 x.ns.gin.ntt.net 2->120 122 updatecheck34.activated.win 2->122 124 22 other IPs or domains 2->124 132 Found malware configuration 2->132 134 Malicious sample detected (through community Yara rule) 2->134 136 Multi AV Scanner detection for dropped file 2->136 138 4 other signatures 2->138 14 msiexec.exe 90 50 2->14         started        17 svchost.exe 2->17         started        20 msiexec.exe 3 2->20         started        signatures3 process4 dnsIp5 104 C:\Users\user\AppData\...\sqlite3_plex.dll, PE32 14->104 dropped 106 C:\Users\user\AppData\Local\...\nghttp2.dll, PE32 14->106 dropped 108 C:\Users\user\AppData\Local\...\libssl-3.dll, PE32 14->108 dropped 110 11 other malicious files 14->110 dropped 22 AssemblerBinary.exe 17 14->22         started        118 127.0.0.1 unknown unknown 17->118 file6 process7 file8 88 C:\ProgramData\...\sqlite3_plex.dll, PE32 22->88 dropped 90 C:\ProgramData\readerConfig\nghttp2.dll, PE32 22->90 dropped 92 C:\ProgramData\readerConfig\libssl-3.dll, PE32 22->92 dropped 94 11 other files (4 malicious) 22->94 dropped 144 Switches to a custom stack to bypass stack traces 22->144 26 AssemblerBinary.exe 23 22->26         started        signatures9 process10 file11 96 C:\Users\user\AppData\Roaming\...\XPFix.exe, PE32 26->96 dropped 98 api-ms-win-core-localization-l1-2-0.dll, PE32 26->98 dropped 100 api-ms-win-core-libraryloader-l1-1-0.dll, PE32 26->100 dropped 102 15 other malicious files 26->102 dropped 154 Found hidden mapped module (file has been removed from disk) 26->154 156 Maps a DLL or memory area into another process 26->156 158 Switches to a custom stack to bypass stack traces 26->158 160 2 other signatures 26->160 30 cmd.exe 1 26->30         started        32 VirtualMonito.exe 26->32         started        signatures12 process13 dnsIp14 36 cmd.exe 1 30->36         started        38 conhost.exe 30->38         started        112 cloudflare-dns.com 104.16.248.249, 443, 49701, 49705 CLOUDFLARENETUS United States 32->112 114 104.21.48.1, 443, 49706 CLOUDFLARENETUS United States 32->114 116 2 other IPs or domains 32->116 128 Switches to a custom stack to bypass stack traces 32->128 130 Found direct / indirect Syscall (likely to bypass EDR) 32->130 signatures15 process16 process17 40 cmd.exe 1 36->40         started        43 conhost.exe 36->43         started        signatures18 146 Uses ping.exe to sleep 40->146 148 Uses cmd line tools excessively to alter registry or file data 40->148 150 Uses ping.exe to check the status of other devices and networks 40->150 152 Passes commands via pipe to a shell (likely to bypass AV or HIPS) 40->152 45 cmd.exe 1 40->45         started        48 cmd.exe 1 40->48         started        50 cmd.exe 1 40->50         started        52 17 other processes 40->52 process19 signatures20 162 Uses cmd line tools excessively to alter registry or file data 45->162 164 Passes commands via pipe to a shell (likely to bypass AV or HIPS) 45->164 54 cmd.exe 45->54         started        57 cmd.exe 45->57         started        59 cmd.exe 45->59         started        71 23 other processes 45->71 61 cmd.exe 1 48->61         started        63 cmd.exe 1 48->63         started        65 powershell.exe 8 15 50->65         started        67 mode.com 1 52->67         started        69 conhost.exe 52->69         started        process21 signatures22 140 Uses ping.exe to sleep 54->140 73 PING.EXE 54->73         started        76 PING.EXE 57->76         started        142 Uses cmd line tools excessively to alter registry or file data 59->142 78 reg.exe 59->78         started        80 cmd.exe 71->80         started        82 cmd.exe 71->82         started        84 powershell.exe 71->84         started        86 mode.com 71->86         started        process23 dnsIp24 126 activated.win 104.21.24.156 CLOUDFLARENETUS United States 73->126
Score:
2%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/abf205f67f31e721200ec97d75ded289f81a8a9be9d4918f85c95173220ccc54
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/abf205f67f31e721200ec97d75ded289f81a8a9be9d4918f85c95173220ccc54/
Verdict:
Malicious
Threat:
Family.RHADAMANTHYS
Link:
https://tip.neiki.dev/file/abf205f67f31e721200ec97d75ded289f81a8a9be9d4918f85c95173220ccc54
Threat name:
Win32.Trojan.Rugmi
Create hunting rule
Status:
Malicious
First seen:
2025-08-07 17:10:55 UTC
File Type:
Binary (Archive)
Extracted files:
26
AV detection:
15 of 24 (62.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vpzal5t7ghtsciaozf6xlxwsrh4bvcu35hkjdd4fzfixgiqmzrka._file
Verdict:
malicious
Label(s):
admintool_xenarmor_paswordrecovery
Create hunting rule
Similar samples:
error
Rhadamanthys
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader family:rhadamanthys discovery execution loader persistence privilege_escalation ransomware stealer
Link:
https://tria.ge/reports/250808-3jqmvavpw6/
Behaviour
Checks SCSI registry key(s)
Modifies registry key
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
Executes dropped EXE
Launches sc.exe
Loads dropped DLL
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Enumerates connected drives
Detects HijackLoader (aka IDAT Loader)
Detects Rhadamanthys Payload
HijackLoader
Hijackloader family
Rhadamanthys
Rhadamanthys family
Verdict:
Unknown
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2539d6d3-a927-4a43-a926-f23a43de9512
Malware family:
GHOSTPULSE
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/abf205f67f31/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/abf205f67f31e721200ec97d75ded289f81a8a9be9d4918f85c95173220ccc54

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:botnet_plaintext_c2
Create hunting rule
Author:cip
Description:Attempts to match at least some of the strings used in some botnet variants which use plaintext communication protocols.
Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:golang_bin_JCorn_CSC846
Create hunting rule
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:HeavensGate
Create hunting rule
Author:kevoreilly
Description:Heaven's Gate: Switch from 32-bit to 64-mode
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Microsoft Software Installer (MSI) msi abf205f67f31e721200ec97d75ded289f81a8a9be9d4918f85c95173220ccc54

(this sample)

  
Link
https://tria.ge/250808-26xh8sem9x/behavioral2
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/19770/

Comments