MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4291443262d6b9dffb661b6de6ebba39d02ef974a12cf7bfc2d7704aa386d83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4291443262d6b9dffb661b6de6ebba39d02ef974a12cf7bfc2d7704aa386d83
SHA3-384 hash: 2d1466d97f39452a841c2fcfaa48368c1f84f9b370e8ec21238d3c6ab143664ff75bfcfb6a047aecf98904983075743b
SHA1 hash: 72b333fa37967c08eb0465336d065fb6de176e12
MD5 hash: a6192c79cd4cc1abe29d622239c85d9c
humanhash: island-early-asparagus-thirteen
File name:KmsSetup.msi
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:9'396'224 bytes
First seen:2025-08-04 19:22:47 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 196608:895Knh0oYK9EzUDslleG3OgT9g3dAUX6+n1i6jJMnwCgBoTapR:895KOo7CUDslQG3d92AUq+n1iwh4uR
Threatray 223 similar samples on MalwareBazaar
TLSH T12D9633525E824DA9C92E85F507231062C262BC577F57304B54BDFAAF2DBE3B10BA3B40
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter aachum
Tags:GhostPulse HIjackLoader msi Rhadamanthys ShadowLadder shim4-familygater-com


Avatar
iamaachum
https://tools-kms.sbs/?utm_source=kmsauto => https://top-site.online/?label=00dd38a2975f5e6a36b74725566fe42d and https://kmspico-download.celebritympg.com/ => https://detailu.pt/download/s/KmsSetup_X64_x86_2025.zip

Intelligence

File Origin
# of uploads :
1
# of downloads :
47
Origin country :
ES ES
Vendor Threat Intelligence
Detection:
Rhadamanthys
Create hunting rule
Link:
https://www.capesandbox.com/analysis/18880/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689108b50b4775fb213644b0
Tags:
xtreme shell sage
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
installer wix
Link:
https://www.filescan.io/uploads/689108b132e61090868d0876/reports/6ec093c8-ab86-426c-91d1-b349f195e381/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/e4291443262d6b9dffb661b6de6ebba39d02ef974a12cf7bfc2d7704aa386d83
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/e4291443262d6b9dffb661b6de6ebba39d02ef974a12cf7bfc2d7704aa386d83
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
HijackLoader, RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1750080
Signature
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Passes commands via pipe to a shell (likely to bypass AV or HIPS)
Switches to a custom stack to bypass stack traces
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected HijackLoader
Yara detected Powershell download and execute
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1750080 Sample: KmsSetup.msi Startdate: 04/08/2025 Architecture: WINDOWS Score: 100 117 updatecheck34.activated.win 2->117 119 cloudflare-dns.com 2->119 121 activated.win 2->121 125 Found malware configuration 2->125 127 Malicious sample detected (through community Yara rule) 2->127 129 Yara detected HijackLoader 2->129 131 2 other signatures 2->131 13 msiexec.exe 101 61 2->13         started        16 svchost.exe 2->16         started        19 msiexec.exe 3 2->19         started        signatures3 process4 dnsIp5 101 C:\Users\user\AppData\Roaming\...\DriveTo.exe, PE32+ 13->101 dropped 103 C:\Users\user\AppData\Roaming\...\zstd.dll, PE32+ 13->103 dropped 105 C:\Users\user\AppData\Roaming\...\zlib1.dll, PE32+ 13->105 dropped 107 22 other files (none is malicious) 13->107 dropped 21 DriveTo.exe 28 13->21         started        109 127.0.0.1 unknown unknown 16->109 file6 process7 file8 85 C:\ProgramData\Unb_Fast\DriveTo.exe, PE32+ 21->85 dropped 87 C:\ProgramData\Unb_Fast\zstd.dll, PE32+ 21->87 dropped 89 C:\ProgramData\Unb_Fast\zlib1.dll, PE32+ 21->89 dropped 91 22 other files (none is malicious) 21->91 dropped 141 Found direct / indirect Syscall (likely to bypass EDR) 21->141 25 DriveTo.exe 23 21->25         started        signatures9 process10 file11 93 C:\Users\user\PrisModule.exe, PE32 25->93 dropped 95 C:\Users\user\AppData\Roaming\...\XPFix.exe, PE32 25->95 dropped 97 C:\Users\user\AppData\Roaming\...\444.bat, ASCII 25->97 dropped 99 15 other files (none is malicious) 25->99 dropped 143 Drops PE files to the user root directory 25->143 145 Found hidden mapped module (file has been removed from disk) 25->145 147 Maps a DLL or memory area into another process 25->147 149 Found direct / indirect Syscall (likely to bypass EDR) 25->149 29 cmd.exe 1 25->29         started        32 PrisModule.exe 25->32         started        35 XPFix.exe 25->35         started        signatures12 process13 dnsIp14 155 Uses ping.exe to sleep 29->155 157 Uses cmd line tools excessively to alter registry or file data 29->157 159 Uses ping.exe to check the status of other devices and networks 29->159 161 Passes commands via pipe to a shell (likely to bypass AV or HIPS) 29->161 37 cmd.exe 1 29->37         started        40 conhost.exe 29->40         started        111 cloudflare-dns.com 104.16.248.249, 443, 49685, 49693 CLOUDFLARENETUS United States 32->111 113 shim2.zyraq.com 104.21.11.65, 443, 49698 CLOUDFLARENETUS United States 32->113 115 5 other IPs or domains 32->115 163 Switches to a custom stack to bypass stack traces 32->163 165 Found direct / indirect Syscall (likely to bypass EDR) 32->165 signatures15 process16 signatures17 137 Uses cmd line tools excessively to alter registry or file data 37->137 139 Passes commands via pipe to a shell (likely to bypass AV or HIPS) 37->139 42 cmd.exe 1 37->42         started        45 cmd.exe 1 37->45         started        47 cmd.exe 1 37->47         started        49 17 other processes 37->49 process18 signatures19 151 Uses cmd line tools excessively to alter registry or file data 42->151 153 Passes commands via pipe to a shell (likely to bypass AV or HIPS) 42->153 51 cmd.exe 42->51         started        54 cmd.exe 42->54         started        56 cmd.exe 42->56         started        68 23 other processes 42->68 58 cmd.exe 1 45->58         started        60 cmd.exe 1 45->60         started        62 powershell.exe 8 15 47->62         started        64 mode.com 1 49->64         started        66 conhost.exe 49->66         started        process20 signatures21 133 Uses ping.exe to sleep 51->133 70 PING.EXE 51->70         started        73 PING.EXE 54->73         started        135 Uses cmd line tools excessively to alter registry or file data 56->135 75 reg.exe 56->75         started        77 cmd.exe 68->77         started        79 cmd.exe 68->79         started        81 powershell.exe 68->81         started        83 mode.com 68->83         started        process22 dnsIp23 123 activated.win 104.21.24.156 CLOUDFLARENETUS United States 70->123
Score:
3%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/e4291443262d6b9dffb661b6de6ebba39d02ef974a12cf7bfc2d7704aa386d83
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e4291443262d6b9dffb661b6de6ebba39d02ef974a12cf7bfc2d7704aa386d83/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-08-04 19:23:30 UTC
File Type:
Binary (Archive)
Extracted files:
56
AV detection:
7 of 37 (18.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4quriqzgfvvz375wmg3n43v3uooqf34xjijm6674fv3qjkrynwbq._file
Verdict:
malicious
Label(s):
hijackloader
Create hunting rule
Similar samples:
074e375a6c53828b222987489d5f5ac207df534d5b6e1decf579377bbdec6717
Rhadamanthys
49ef9e71394d2e271367f84ce0d1c48654f4e33c73bb106e79b78c7b11165448
Rhadamanthys
5d251fd02e2d0e0e9bd67dba8cd808b8f8011faee8bed973fb19254a99fa784a
Rhadamanthys
5e72de9f6789a9cda3df9f794ab3e26ff9b24611edf9e0f0cbc4d6a5d8e44bbb
Rhadamanthys
7cf95f58a0394fae9f65ec653b4779dc237a6cc0e88fcb6a477335e1cffd9392
Rhadamanthys
9b281695df053d218c1a3b4a5aa4d6a344467e48ad619af2f4c720b1d95f98c8
Rhadamanthys
b42256e6754cb643a01f720cbf4946fca672f9fadcf09c975497ca2d8c9d2325
Rhadamanthys
c108a671bd78a29b6ddac6013cce91c94627a8e4f4f8f6e84aa7e75be875ae82
Rhadamanthys
dfb7fd652369ad522db2bdfbb1a17017a22c57639329b5067a6bb457738ab324
Rhadamanthys
eecf73aec1df3ecf4a12ccb43aa38375ab65987f2e8ee9efb0e061052c319a05
Rhadamanthys
error
Rhadamanthys
+ 213 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader family:rhadamanthys discovery execution loader persistence privilege_escalation ransomware stealer
Link:
https://tria.ge/reports/250804-x32lkawnw3/
Behaviour
Checks SCSI registry key(s)
Modifies registry key
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Embeds OpenSSL
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
Executes dropped EXE
Launches sc.exe
Loads dropped DLL
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Enumerates connected drives
Detects HijackLoader (aka IDAT Loader)
Detects Rhadamanthys Payload
HijackLoader
Hijackloader family
Rhadamanthys
Rhadamanthys family
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/b9d25f51-73a8-4105-a37e-c66427dcbe05
Malware family:
GHOSTPULSE
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e4291443262d/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Microsoft Software Installer (MSI) msi e4291443262d6b9dffb661b6de6ebba39d02ef974a12cf7bfc2d7704aa386d83

(this sample)

  
Link
https://tria.ge/250804-xn3kbahk9s/behavioral1
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/18880/

Comments