MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7d4397e82a2396eb6d679f59521e3db736c9936104280a2d6f462c2ac05fbd3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 13


Intelligence 13 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7d4397e82a2396eb6d679f59521e3db736c9936104280a2d6f462c2ac05fbd3
SHA3-384 hash: 37936daac8ac325abb42937e639e7297eac9437e7a31b88371412c75b32f008ac21ba40231cbe96174df48f940b9cb1a
SHA1 hash: 07d44d6044d98244e79d0954a85b6674e5a73ec1
MD5 hash: ce31871091997a0c6b52598f376d7a4d
humanhash: alaska-hydrogen-saturn-alaska
File name:KmsSetup_v1.1.msi
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:11'202'560 bytes
First seen:2025-08-14 13:58:10 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 196608:mpJsqqghGt7njtzbIROfBCQOAG9mCYO5t54Es0LQjHlCCjEw1ziM3FoMPpI59ZI:wJThhGvzcE0nAGbYOQ2QjHlCC3wMVoMx
Threatray 104 similar samples on MalwareBazaar
TLSH T1F9B63350B2F24E63D1C244BA866E42BA9FAD8C5B035D9FDB230F366204B75D861B358D
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter aachum
Tags:GhostPulse HIjackLoader msi Rhadamanthys ShadowLadder


Avatar
iamaachum
https://kms-download.freefugga.com/ => https://app.box.com/shared/static/lewstso2w9wzgumme91ylms4drucbwzf.zip

Intelligence

File Origin
# of uploads :
1
# of downloads :
55
Origin country :
ES ES
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/21417/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=689deb97b0026751df5c62d5
Tags:
shellcode virus spawn
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
installer wix
Link:
https://www.filescan.io/uploads/689deba39ef4d2ff7cfd0f30/reports/0bca3204-1b0f-4443-803c-281f054445fc/overview
Verdict:
Suspicious
Labled as:
Trojan.MSI.Agent
Link:
https://www.hybrid-analysis.com/sample/e7d4397e82a2396eb6d679f59521e3db736c9936104280a2d6f462c2ac05fbd3
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/e7d4397e82a2396eb6d679f59521e3db736c9936104280a2d6f462c2ac05fbd3
Result
Threat name:
HijackLoader, RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1757069
Signature
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Passes commands via pipe to a shell (likely to bypass AV or HIPS)
Switches to a custom stack to bypass stack traces
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected HijackLoader
Yara detected Powershell download and execute
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1757069 Sample: KmsSetup_v1.1.msi Startdate: 14/08/2025 Architecture: WINDOWS Score: 100 120 updatecheck34.activated.win 2->120 122 activated.win 2->122 124 cloudflare-dns.com 2->124 132 Found malware configuration 2->132 134 Malicious sample detected (through community Yara rule) 2->134 136 Multi AV Scanner detection for dropped file 2->136 138 4 other signatures 2->138 14 msiexec.exe 90 50 2->14         started        17 svchost.exe 2->17         started        20 msiexec.exe 3 2->20         started        signatures3 process4 dnsIp5 104 C:\Users\user\AppData\...\sqlite3_plex.dll, PE32 14->104 dropped 106 C:\Users\user\AppData\Local\...\nghttp2.dll, PE32 14->106 dropped 108 C:\Users\user\AppData\Local\...\libssl-3.dll, PE32 14->108 dropped 110 11 other malicious files 14->110 dropped 22 MatF.exe 17 14->22         started        118 127.0.0.1 unknown unknown 17->118 file6 process7 file8 88 C:\ProgramData\omhcheck\MatF.exe, PE32 22->88 dropped 90 C:\ProgramData\omhcheck\sqlite3_plex.dll, PE32 22->90 dropped 92 C:\ProgramData\omhcheck\nghttp2.dll, PE32 22->92 dropped 94 11 other files (none is malicious) 22->94 dropped 140 Switches to a custom stack to bypass stack traces 22->140 142 Found direct / indirect Syscall (likely to bypass EDR) 22->142 26 MatF.exe 9 22->26         started        signatures9 process10 file11 96 C:\Users\user\AppData\Roaming\...\Chime.exe, PE32 26->96 dropped 98 C:\Users\user\AppData\...\FusNavigator.exe, PE32 26->98 dropped 100 C:\Users\user\AppData\Local\...\CDA5A01.tmp, PE32 26->100 dropped 102 C:\Users\user\AppData\Roaming\...\MAS_seo.cmd, ASCII 26->102 dropped 154 Found hidden mapped module (file has been removed from disk) 26->154 156 Maps a DLL or memory area into another process 26->156 158 Switches to a custom stack to bypass stack traces 26->158 160 Found direct / indirect Syscall (likely to bypass EDR) 26->160 30 cmd.exe 1 26->30         started        32 FusNavigator.exe 26->32         started        36 Chime.exe 26->36         started        signatures12 process13 dnsIp14 38 cmd.exe 1 30->38         started        40 conhost.exe 30->40         started        112 cloudflare-dns.com 104.16.249.249, 443, 49702, 49705 CLOUDFLARENETUS United States 32->112 114 shim1.phanganhub.com 104.21.16.1, 443, 49706 CLOUDFLARENETUS United States 32->114 116 4 other IPs or domains 32->116 128 Switches to a custom stack to bypass stack traces 32->128 130 Found direct / indirect Syscall (likely to bypass EDR) 32->130 signatures15 process16 process17 42 cmd.exe 1 38->42         started        45 conhost.exe 38->45         started        signatures18 146 Uses ping.exe to sleep 42->146 148 Uses cmd line tools excessively to alter registry or file data 42->148 150 Uses ping.exe to check the status of other devices and networks 42->150 152 Passes commands via pipe to a shell (likely to bypass AV or HIPS) 42->152 47 cmd.exe 1 42->47         started        50 cmd.exe 1 42->50         started        52 cmd.exe 1 42->52         started        54 17 other processes 42->54 process19 signatures20 162 Uses cmd line tools excessively to alter registry or file data 47->162 164 Passes commands via pipe to a shell (likely to bypass AV or HIPS) 47->164 56 cmd.exe 47->56         started        59 cmd.exe 47->59         started        61 cmd.exe 47->61         started        73 17 other processes 47->73 63 cmd.exe 1 50->63         started        65 cmd.exe 1 50->65         started        67 powershell.exe 8 15 52->67         started        69 mode.com 1 54->69         started        71 conhost.exe 54->71         started        process21 signatures22 144 Uses ping.exe to sleep 56->144 75 PING.EXE 56->75         started        78 PING.EXE 59->78         started        80 cmd.exe 61->80         started        82 cmd.exe 61->82         started        84 powershell.exe 73->84         started        86 mode.com 73->86         started        process23 dnsIp24 126 activated.win 104.21.24.156 CLOUDFLARENETUS United States 75->126
Score:
2%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/e7d4397e82a2396eb6d679f59521e3db736c9936104280a2d6f462c2ac05fbd3
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e7d4397e82a2396eb6d679f59521e3db736c9936104280a2d6f462c2ac05fbd3/
Verdict:
Malicious
Threat:
Family.RHADAMANTHYS
Link:
https://tip.neiki.dev/file/e7d4397e82a2396eb6d679f59521e3db736c9936104280a2d6f462c2ac05fbd3
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-08-14 13:57:20 UTC
File Type:
Binary (Archive)
Extracted files:
26
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=47kds7ucui4w5nwwph2zkipd3nzwzgjwcbbibiww6rrmflaf7pjq._file
Verdict:
malicious
Label(s):
hijackloader
Create hunting rule
rhadamanthys
Create hunting rule
admintool_xenarmor_paswordrecovery
Create hunting rule
Similar samples:
018f9ba428f4e3360bb6ee7c42f5f475bda12ae71a430d603a4a5e8ea94fdcf9
Rhadamanthys
1f5ea10c7173d881f9c3a26f6ec175f2c2dac8d34877dc00f55142af47933e20
Rhadamanthys
29ecf946a40c89dfae84770c96f483b151a636202ceaab43b1c8008f2adedbea
Rhadamanthys
47767a97c828554f2092c5e2fc505e103ff42114cd75071fd69e16111037a83a
Rhadamanthys
6b5266685f3fe4ca9e4d7cf5b16b26fcae1c215eb9933eb471240d4daaecdaf5
Rhadamanthys
7908c78041ece2129127d26500321b09f094e41c66f535454884bb4d79573b9b
Rhadamanthys
8b6cc989867108154391335d55fc5267007706203ca4eadab8ef5fe0cad10fbf
Rhadamanthys
925a447b319c05bc4ebe88b3a4404a84351e01026ef4de8d65bed475c9859be9
Rhadamanthys
c62065757e9307c9eac9ccb34fb6ba3a7e296056c333b4b70b7508b272c98c26
Rhadamanthys
error
Rhadamanthys
+ 94 additional samples on MalwareBazaar
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader family:rhadamanthys discovery execution loader persistence privilege_escalation ransomware stealer
Link:
https://tria.ge/reports/250814-q95s8swwbs/
Behaviour
Checks SCSI registry key(s)
Modifies registry key
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Executes dropped EXE
Launches sc.exe
Loads dropped DLL
Drops file in Windows directory
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Enumerates connected drives
Detects HijackLoader (aka IDAT Loader)
Detects Rhadamanthys Payload
HijackLoader
Hijackloader family
Rhadamanthys
Rhadamanthys family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4000bc96-7102-4dbc-af1e-86c332042f45
Malware family:
GHOSTPULSE
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e7d4397e82a2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e7d4397e82a2396eb6d679f59521e3db736c9936104280a2d6f462c2ac05fbd3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Microsoft Software Installer (MSI) msi e7d4397e82a2396eb6d679f59521e3db736c9936104280a2d6f462c2ac05fbd3

(this sample)

  
Link
https://tria.ge/250814-qvdq7shm4y/behavioral1
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/21417/

Comments