MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dfd269ac5ccb2e6f7aaa82fe534b23f3ba7f0ba79b4579d05bf424a4a3a39939. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dfd269ac5ccb2e6f7aaa82fe534b23f3ba7f0ba79b4579d05bf424a4a3a39939
SHA3-384 hash: ae424798306e8d43ba420d46ce6b8705f75c5479d50a3df295875f21dacd09f0ab22f1e0f6b09fe7c77a5d6695caf31f
SHA1 hash: b21b0f9d06153fadb795bf94e5e3f8657cd3a578
MD5 hash: 3521d1b8f6281ac23134b0bf772792cf
humanhash: california-indigo-california-mobile
File name:KmsSetup.msi
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:5'054'464 bytes
First seen:2025-08-02 14:25:25 UTC
Last seen:2025-08-03 19:27:15 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:a43ukWzGlKXquhLz1jIKTutGvF4jBerU8HRESPxHAx6GVBqOrj+6VzNu:HtgiN8FiqU8CyHs6irjLVzN
Threatray 287 similar samples on MalwareBazaar
TLSH T159363351F7D57E43E8543EBDA52CF285E1C8FDC08B069AD022D6327590FEC66A13BA84
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter aachum
Tags:GhostPulse HIjackLoader msi Rhadamanthys ShadowLadder shim4-familygater-com


Avatar
iamaachum
https://tools-kms.sbs/?utm_source=kmsauto => https://top-site.online/?label=00dd38a2975f5e6a36b74725566fe42d

Intelligence

File Origin
# of uploads :
2
# of downloads :
42
Origin country :
ES ES
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/18462/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=688e1fecaf3050dc8d338727
Tags:
xtreme rapid shell sage
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
installer wix
Link:
https://www.filescan.io/uploads/688e1fe29dbaf6e4b2210f4c/reports/81505f1d-22f5-4640-b15c-ec51b19f99e3/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/dfd269ac5ccb2e6f7aaa82fe534b23f3ba7f0ba79b4579d05bf424a4a3a39939
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/dfd269ac5ccb2e6f7aaa82fe534b23f3ba7f0ba79b4579d05bf424a4a3a39939
Result
Threat name:
HijackLoader, RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1749073
Signature
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Passes commands via pipe to a shell (likely to bypass AV or HIPS)
Switches to a custom stack to bypass stack traces
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected HijackLoader
Yara detected Powershell download and execute
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1749073 Sample: KmsSetup.msi Startdate: 02/08/2025 Architecture: WINDOWS Score: 100 108 updatecheck34.activated.win 2->108 110 cloudflare-dns.com 2->110 112 activated.win 2->112 130 Found malware configuration 2->130 132 Malicious sample detected (through community Yara rule) 2->132 134 Yara detected HijackLoader 2->134 136 2 other signatures 2->136 13 msiexec.exe 81 41 2->13         started        16 msiexec.exe 3 2->16         started        signatures3 process4 file5 100 C:\Users\user\AppData\Roaming\...\AdvaHub.exe, PE32+ 13->100 dropped 102 C:\Users\user\...\lib_TSDeviceViewerSDK.dll, PE32+ 13->102 dropped 104 C:\Users\user\...\lib_TSCommunication_sdk.dll, PE32+ 13->104 dropped 106 2 other files (none is malicious) 13->106 dropped 18 AdvaHub.exe 8 13->18         started        process6 file7 84 C:\ProgramData\...\AdvaHub.exe, PE32+ 18->84 dropped 86 C:\ProgramData\...\lib_TSDeviceViewerSDK.dll, PE32+ 18->86 dropped 88 C:\...\lib_TSCommunication_sdk.dll, PE32+ 18->88 dropped 90 2 other files (none is malicious) 18->90 dropped 138 Found direct / indirect Syscall (likely to bypass EDR) 18->138 22 AdvaHub.exe 23 18->22         started        signatures8 process9 file10 92 C:\Users\user\AppData\Roaming\...\XPFix.exe, PE32 22->92 dropped 94 C:\ProgramData\UltFabric.exe, PE32 22->94 dropped 96 C:\Users\user\AppData\Roaming\...\444.bat, ASCII 22->96 dropped 98 15 other files (none is malicious) 22->98 dropped 140 Found hidden mapped module (file has been removed from disk) 22->140 142 Maps a DLL or memory area into another process 22->142 144 Found direct / indirect Syscall (likely to bypass EDR) 22->144 26 cmd.exe 1 22->26         started        29 UltFabric.exe 22->29         started        32 XPFix.exe 22->32         started        signatures11 process12 dnsIp13 150 Uses ping.exe to sleep 26->150 152 Uses cmd line tools excessively to alter registry or file data 26->152 154 Uses ping.exe to check the status of other devices and networks 26->154 156 Passes commands via pipe to a shell (likely to bypass AV or HIPS) 26->156 34 cmd.exe 1 26->34         started        37 conhost.exe 26->37         started        116 cloudflare-dns.com 104.16.248.249, 443, 49721, 49723 CLOUDFLARENETUS United States 29->116 118 104.21.11.65, 443, 49727 CLOUDFLARENETUS United States 29->118 120 6 other IPs or domains 29->120 158 Switches to a custom stack to bypass stack traces 29->158 160 Found direct / indirect Syscall (likely to bypass EDR) 29->160 signatures14 process15 signatures16 126 Uses cmd line tools excessively to alter registry or file data 34->126 128 Passes commands via pipe to a shell (likely to bypass AV or HIPS) 34->128 39 cmd.exe 1 34->39         started        42 cmd.exe 1 34->42         started        44 reg.exe 1 34->44         started        46 17 other processes 34->46 process17 signatures18 146 Uses cmd line tools excessively to alter registry or file data 39->146 148 Passes commands via pipe to a shell (likely to bypass AV or HIPS) 39->148 48 cmd.exe 39->48         started        51 cmd.exe 39->51         started        53 cmd.exe 39->53         started        65 23 other processes 39->65 55 cmd.exe 1 42->55         started        57 cmd.exe 1 42->57         started        59 conhost.exe 44->59         started        61 powershell.exe 8 15 46->61         started        63 mode.com 1 46->63         started        process19 signatures20 122 Uses ping.exe to sleep 48->122 67 PING.EXE 48->67         started        70 PING.EXE 51->70         started        124 Uses cmd line tools excessively to alter registry or file data 53->124 72 reg.exe 53->72         started        74 conhost.exe 59->74         started        76 cmd.exe 65->76         started        78 cmd.exe 65->78         started        80 powershell.exe 65->80         started        82 mode.com 65->82         started        process21 dnsIp22 114 activated.win 104.21.24.156 CLOUDFLARENETUS United States 67->114
Score:
3%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/dfd269ac5ccb2e6f7aaa82fe534b23f3ba7f0ba79b4579d05bf424a4a3a39939
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dfd269ac5ccb2e6f7aaa82fe534b23f3ba7f0ba79b4579d05bf424a4a3a39939/
Verdict:
Malicious
Threat:
Trojan.Win32.UDP
Link:
https://tip.neiki.dev/file/dfd269ac5ccb2e6f7aaa82fe534b23f3ba7f0ba79b4579d05bf424a4a3a39939
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-08-02 14:25:39 UTC
File Type:
Binary (Archive)
Extracted files:
12
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=37jgtlc4zmxg66vkql7fgszd6o5h6c5htncxtuc36qskji5dte4q._file
Verdict:
malicious
Label(s):
hijackloader
Create hunting rule
rhadamanthys
Create hunting rule
Similar samples:
068ceb2800e734fa81313bceb7d745fd7a238d189d084ef3a585950ed98c6b2e
Rhadamanthys
3fb23f5d7b8b015a5b280010689a039431542f974ada04fc0da794a72769740e
Rhadamanthys
5e72de9f6789a9cda3df9f794ab3e26ff9b24611edf9e0f0cbc4d6a5d8e44bbb
Rhadamanthys
8b2b04e59172e79af57027094c4724b9628f33806a44a3477bf28a7f57adb30a
Rhadamanthys
ad3ea6a4067d44f0183645de77363c1bf86b8ea5fd0be55f5611cc408aa4a0a8
Rhadamanthys
b9b8cd1ede74c198e931d26c1dab8e5dd1b920a1662bb89b866ab65149bc8e87
Rhadamanthys
db68b9c3c29befb482ae40bd5fa5291a95f22855960d452e5922722b44d3fb51
Rhadamanthys
dfd269ac5ccb2e6f7aaa82fe534b23f3ba7f0ba79b4579d05bf424a4a3a39939
Rhadamanthys
error
Rhadamanthys
fed32b82c6d1ba47499e3ebda887c016681eb840662f2003be9605dcaa00c4d0
Rhadamanthys
+ 277 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader family:rhadamanthys discovery execution loader persistence privilege_escalation ransomware stealer
Link:
https://tria.ge/reports/250802-rrk7jshr3y/
Behaviour
Checks SCSI registry key(s)
Modifies registry key
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Event Triggered Execution: Installer Packages
Drops file in Windows directory
Executes dropped EXE
Launches sc.exe
Loads dropped DLL
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Enumerates connected drives
Detects HijackLoader (aka IDAT Loader)
Detects Rhadamanthys Payload
HijackLoader
Hijackloader family
Rhadamanthys
Rhadamanthys family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b89ad4e8-91bb-4827-928b-ef15ca12b32e
Malware family:
GHOSTPULSE
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/dfd269ac5ccb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/dfd269ac5ccb2e6f7aaa82fe534b23f3ba7f0ba79b4579d05bf424a4a3a39939

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Microsoft Software Installer (MSI) msi dfd269ac5ccb2e6f7aaa82fe534b23f3ba7f0ba79b4579d05bf424a4a3a39939

(this sample)

  
Link
https://tria.ge/250802-reffja1wb1/behavioral3
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/18462/

Comments