MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 db68b9c3c29befb482ae40bd5fa5291a95f22855960d452e5922722b44d3fb51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: db68b9c3c29befb482ae40bd5fa5291a95f22855960d452e5922722b44d3fb51
SHA3-384 hash: 4081a4e35cb374510f04eb5e53bbc47eafad0e7346e9a1b2a8d2619a4eb6e628d2c8948f10a24248e7c4645d9669b3de
SHA1 hash: 77ef019a3f37fdc2d379ad12a1707c24c61b02f7
MD5 hash: f409dab4645f4e87fd9c0a34552e9fd1
humanhash: snake-blue-vegan-carbon
File name:KMSPico_Setup.msi
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:3'817'472 bytes
First seen:2025-07-27 17:37:27 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:v6FDHaYEhtQUylFQdXbmurcEu8AsPlN6uOwIUjfU6oJT:SFDHaYJUylFQLrcEu8AweSH1E
TLSH T15806336726944A6BDC968A33D7AD747C84378FF0C305AA4B6EA6F31D1D733882887D11
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter aachum
Tags:GhostPulse msi rhada-babynamebanner-com Rhadamanthys ShadowLadder


Avatar
iamaachum
https://github.com/Raad05/windows-activation/archive/refs/heads/main.zip

Intelligence

File Origin
# of uploads :
1
# of downloads :
35
Origin country :
ES ES
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/17195/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6886640daf3050dc8d319d0c
Tags:
shellcode overt spawn
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
installer wix
Link:
https://www.filescan.io/uploads/6886640b01e814b1f00a0cd0/reports/8cb83688-966b-4d9f-a37e-d976b7ba9fae/overview
Verdict:
Malicious
Labled as:
TrojanDownloader.Rugmi
Link:
https://www.hybrid-analysis.com/sample/db68b9c3c29befb482ae40bd5fa5291a95f22855960d452e5922722b44d3fb51
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/db68b9c3c29befb482ae40bd5fa5291a95f22855960d452e5922722b44d3fb51
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
HijackLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1745058
Signature
Contains functionality to automate explorer (e.g. start an application)
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Passes commands via pipe to a shell (likely to bypass AV or HIPS)
Switches to a custom stack to bypass stack traces
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected HijackLoader
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1745058 Sample: KMSPico_Setup.msi Startdate: 27/07/2025 Architecture: WINDOWS Score: 100 106 updatecheck34.activated.win 2->106 108 activated.win 2->108 112 Malicious sample detected (through community Yara rule) 2->112 114 Multi AV Scanner detection for dropped file 2->114 116 Multi AV Scanner detection for submitted file 2->116 118 3 other signatures 2->118 14 msiexec.exe 79 39 2->14         started        17 msiexec.exe 3 2->17         started        signatures3 process4 file5 100 C:\Users\user\AppData\...\wblindp2.dll, PE32 14->100 dropped 102 C:\Users\user\AppData\...\SdAppServices.dll, PE32 14->102 dropped 104 C:\Users\user\AppData\...lectroEval.exe, PE32 14->104 dropped 19 ElectroEval.exe 2 31 14->19         started        process6 file7 86 C:\ProgramData\HFWPower_test\wblindp2.dll, PE32 19->86 dropped 88 C:\ProgramData\...lectroEval.exe, PE32 19->88 dropped 90 C:\ProgramData\...\SdAppServices.dll, PE32 19->90 dropped 120 Contains functionality to automate explorer (e.g. start an application) 19->120 122 Switches to a custom stack to bypass stack traces 19->122 124 Found direct / indirect Syscall (likely to bypass EDR) 19->124 23 ElectroEval.exe 26 19->23         started        signatures8 process9 file10 92 C:\Users\user\VirtualPr86.exe, PE32 23->92 dropped 94 C:\Users\user\AppData\Roaming\...\XPFix.exe, PE32 23->94 dropped 96 api-ms-win-core-localization-l1-2-0.dll, PE32 23->96 dropped 98 15 other malicious files 23->98 dropped 138 Contains functionality to automate explorer (e.g. start an application) 23->138 140 Drops PE files to the user root directory 23->140 142 Found hidden mapped module (file has been removed from disk) 23->142 144 3 other signatures 23->144 27 cmd.exe 1 23->27         started        29 VirtualPr86.exe 23->29         started        32 XPFix.exe 23->32         started        signatures11 process12 signatures13 34 cmd.exe 1 27->34         started        36 conhost.exe 27->36         started        150 Switches to a custom stack to bypass stack traces 29->150 152 Found direct / indirect Syscall (likely to bypass EDR) 29->152 process14 process15 38 cmd.exe 1 34->38         started        41 conhost.exe 34->41         started        signatures16 130 Uses ping.exe to sleep 38->130 132 Uses cmd line tools excessively to alter registry or file data 38->132 134 Uses ping.exe to check the status of other devices and networks 38->134 136 Passes commands via pipe to a shell (likely to bypass AV or HIPS) 38->136 43 cmd.exe 38->43         started        46 cmd.exe 1 38->46         started        48 cmd.exe 1 38->48         started        50 17 other processes 38->50 process17 signatures18 146 Uses cmd line tools excessively to alter registry or file data 43->146 148 Passes commands via pipe to a shell (likely to bypass AV or HIPS) 43->148 52 cmd.exe 43->52         started        55 cmd.exe 43->55         started        57 cmd.exe 43->57         started        69 23 other processes 43->69 59 cmd.exe 1 46->59         started        61 cmd.exe 1 46->61         started        63 powershell.exe 15 48->63         started        65 mode.com 50->65         started        67 conhost.exe 50->67         started        process19 signatures20 126 Uses ping.exe to sleep 52->126 71 PING.EXE 52->71         started        74 PING.EXE 55->74         started        128 Uses cmd line tools excessively to alter registry or file data 57->128 76 reg.exe 57->76         started        78 cmd.exe 69->78         started        80 cmd.exe 69->80         started        82 powershell.exe 69->82         started        84 mode.com 69->84         started        process21 dnsIp22 110 activated.win 104.21.24.156 CLOUDFLARENETUS United States 71->110
Score:
83%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/db68b9c3c29befb482ae40bd5fa5291a95f22855960d452e5922722b44d3fb51
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/db68b9c3c29befb482ae40bd5fa5291a95f22855960d452e5922722b44d3fb51/
Threat name:
Win32.Trojan.Kepavll
Create hunting rule
Status:
Malicious
First seen:
2025-07-27 01:04:00 UTC
File Type:
Binary (Archive)
Extracted files:
89
AV detection:
17 of 23 (73.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3nultq6ctpx3javoic6v7jjjdkk7ekcvsyguklszejzcwrgt7niq._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
hijackloader
Create hunting rule
Similar samples:
error
Rhadamanthys
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader family:rhadamanthys discovery execution loader persistence privilege_escalation ransomware stealer
Link:
https://tria.ge/reports/250727-v7vmpszpz8/
Behaviour
Checks SCSI registry key(s)
Modifies registry key
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
Executes dropped EXE
Launches sc.exe
Loads dropped DLL
Checks computer location settings
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Enumerates connected drives
Detects HijackLoader (aka IDAT Loader)
Detects Rhadamanthys Payload
HijackLoader
Hijackloader family
Rhadamanthys
Rhadamanthys family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/292e7e22-30ed-4a88-a383-f38093a048f1
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/db68b9c3c29befb482ae40bd5fa5291a95f22855960d452e5922722b44d3fb51

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Microsoft Software Installer (MSI) msi db68b9c3c29befb482ae40bd5fa5291a95f22855960d452e5922722b44d3fb51

(this sample)

  
Link
https://tria.ge/250727-vnfdnszxgt/behavioral1
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/17195/

Comments