MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba96f1e9c704df28323c460be3c627b5c638d2bd4fcae869f227121d0dff5d62. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ba96f1e9c704df28323c460be3c627b5c638d2bd4fcae869f227121d0dff5d62
SHA3-384 hash: b61b52ee978bf842483a05e3a4887adb1ea15715fb1ad2797ed808dc8a5711455271962d745ea1aa4704bdfb40c59f20
SHA1 hash: 98276b30afb00ea041b2b5b922eff7e917b620ea
MD5 hash: 9cf0093a76065c3c65c1dfbbb76fa82b
humanhash: ack-white-muppet-blossom
File name:ba96f1e9c704df28323c460be3c627b5c638d2bd4fcae869f227121d0dff5d62.msi
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:36'646'912 bytes
First seen:2025-03-19 11:30:27 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 786432:pCLRK7wXCr4zP7pRv/dpO26Aj1Izj6T6Da9Bm:4LM7Vr4zlJ626A8Na9B
TLSH T1F3873333AADB8A35D7DF03B341A6415892DA2D150B7754A43026F8D901BB4E78BDE38F
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter JAMESWT_WT
Tags:msi Rhadamanthys

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
IT IT
Vendor Threat Intelligence
Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67dab27a115e7b48b48e9f32
Tags:
n/a
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context fingerprint installer keylogger wix
Link:
https://www.filescan.io/uploads/67daab00dab9a7b6c596151f/reports/b0c6d135-18ae-4d56-8192-8e1740369c91/overview
Verdict:
Suspicious
Labled as:
Generik.BKFKPRE trojan
Link:
https://www.hybrid-analysis.com/sample/ba96f1e9c704df28323c460be3c627b5c638d2bd4fcae869f227121d0dff5d62
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/ba96f1e9c704df28323c460be3c627b5c638d2bd4fcae869f227121d0dff5d62
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1642918
Signature
Antivirus detection for dropped file
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found pyInstaller with non standard icon
Injects code into the Windows Explorer (explorer.exe)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1642918 Sample: WCRz05ZEx4.msi Startdate: 19/03/2025 Architecture: WINDOWS Score: 100 55 Antivirus detection for dropped file 2->55 57 Multi AV Scanner detection for dropped file 2->57 59 Yara detected AntiVM3 2->59 61 Joe Sandbox ML detected suspicious sample 2->61 9 msiexec.exe 78 38 2->9         started        12 msiexec.exe 3 2->12         started        process3 file4 47 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 9->47 dropped 49 C:\Users\user\AppData\Local\...\WiseTurbo.exe, PE32 9->49 dropped 14 WiseTurbo.exe 5 9->14         started        process5 file6 51 C:\Users\user\AppData\Local\...\sqlite3.dll, PE32 14->51 dropped 53 C:\Users\user\AppData\Local\...\WiseTurbo.exe, PE32 14->53 dropped 81 Switches to a custom stack to bypass stack traces 14->81 83 Found direct / indirect Syscall (likely to bypass EDR) 14->83 18 WiseTurbo.exe 3 14->18         started        signatures7 process8 file9 35 C:\Users\user\AppData\Local\...\installer.exe, PE32+ 18->35 dropped 63 Maps a DLL or memory area into another process 18->63 65 Switches to a custom stack to bypass stack traces 18->65 67 Found direct / indirect Syscall (likely to bypass EDR) 18->67 22 installer.exe 16 18->22         started        26 cmd.exe 2 18->26         started        signatures10 process11 file12 37 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 22->37 dropped 39 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 22->39 dropped 41 C:\Users\user\AppData\Local\...\python39.dll, PE32+ 22->41 dropped 45 11 other malicious files 22->45 dropped 69 Found pyInstaller with non standard icon 22->69 28 installer.exe 22->28         started        43 C:\Users\user\AppData\Local\Temp\vbcpe, PE32 26->43 dropped 71 Injects code into the Windows Explorer (explorer.exe) 26->71 73 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 26->73 75 Writes to foreign memory regions 26->75 77 2 other signatures 26->77 30 explorer.exe 26->30         started        33 conhost.exe 26->33         started        signatures13 process14 signatures15 79 Switches to a custom stack to bypass stack traces 30->79
Score:
58%
Verdict:
Susipicious
File Type:
ARCHIVE
Link:
https://malprob.io/report/ba96f1e9c704df28323c460be3c627b5c638d2bd4fcae869f227121d0dff5d62
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xklpd2ohatpsqmr4iyf6hrrhwxddruv5j7foq2pse4jb2dp7lvra._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
Similar samples:
error
Rhadamanthys
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:rhadamanthys discovery persistence privilege_escalation pyinstaller stealer
Link:
https://tria.ge/reports/250319-nmrlzszkv7/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Detects Pyinstaller
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates connected drives
Detects Rhadamanthys payload
Rhadamanthys
Rhadamanthys family
Suspicious use of NtCreateUserProcessOtherParentProcess
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2c195100-67e1-4ba7-a1e5-9a4ab5b98af7
Malware family:
HijackLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ba96f1e9c704/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ba96f1e9c704df28323c460be3c627b5c638d2bd4fcae869f227121d0dff5d62

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments