MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fca44955366c9017322ed66a5f697980625b0866dfe7b5e33097a83e59bdb7bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Rhadamanthys


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fca44955366c9017322ed66a5f697980625b0866dfe7b5e33097a83e59bdb7bf
SHA3-384 hash: 4981538737b0828a792a4a2411ece15ec5ba24e52446bd8e666eacf6a789dde7033bd25b6e9a00f4ff07a755e24c49df
SHA1 hash: 3db6681a868d253c07d936985f334174351525ec
MD5 hash: 22ae6d37b206d21a775c31df0b5160f9
humanhash: network-kansas-echo-texas
File name:KmsSetup_v1.1.msi
Download: download sample
Signature Rhadamanthys
Create hunting rule
File size:13'422'592 bytes
First seen:2025-08-26 12:35:00 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 393216:+Uus1R0eu2SOEgEVcm0lmuXlMV4xFOaCp0xPCFf2:D54erjE70r1BLOaCp0x0
TLSH T124D63386C7A56FA5F63EA0384E9FA6528C8A2D53311094B96302FF397C334A15FD531B
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter aachum
Tags:HIjackLoader msi Rhadamanthys


Avatar
iamaachum
https://abctshirt.com/kms-soft/ => https://mega.nz/folder/qI9gkRzY#j5YAG0rV1DVKcCONovOBLQ

Intelligence

File Origin
# of uploads :
1
# of downloads :
32
Origin country :
ES ES
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/23656/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68adaa2b3e988eb6ab82bfff
Tags:
xtreme rapid shell sage
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/fca44955366c9017322ed66a5f697980625b0866dfe7b5e33097a83e59bdb7bf
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/fca44955366c9017322ed66a5f697980625b0866dfe7b5e33097a83e59bdb7bf
Verdict:
Malicious
File Type:
msi
First seen:
2025-08-26T02:13:00Z UTC
Last seen:
2025-08-26T02:13:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/fca44955366c9017322ed66a5f697980625b0866dfe7b5e33097a83e59bdb7bf/results?tab=lookup
Result
Threat name:
HijackLoader, RHADAMANTHYS
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1765372
Signature
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found malware configuration
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Passes commands via pipe to a shell (likely to bypass AV or HIPS)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected HijackLoader
Yara detected Powershell download and execute
Yara detected RHADAMANTHYS Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1765372 Sample: KmsSetup_v1.1.msi Startdate: 26/08/2025 Architecture: WINDOWS Score: 100 109 updatecheck34.activated.win 2->109 111 twc.trafficmanager.net 2->111 113 20 other IPs or domains 2->113 135 Suricata IDS alerts for network traffic 2->135 137 Found malware configuration 2->137 139 Malicious sample detected (through community Yara rule) 2->139 141 5 other signatures 2->141 13 msiexec.exe 182 94 2->13         started        16 svchost.exe 2->16         started        19 msiexec.exe 3 2->19         started        signatures3 process4 dnsIp5 99 C:\Users\user\AppData\...\T_Pulse64.exe, PE32+ 13->99 dropped 101 C:\Users\user\AppData\...\vcruntime140_1.dll, PE32+ 13->101 dropped 103 C:\Users\user\AppData\Roaming\...\mfc140u.dll, PE32+ 13->103 dropped 105 25 other files (none is malicious) 13->105 dropped 21 T_Pulse64.exe 19 13->21         started        107 127.0.0.1 unknown unknown 16->107 file6 process7 file8 83 C:\ProgramData\FEStool\T_Pulse64.exe, PE32+ 21->83 dropped 85 C:\ProgramData\FEStool\vcruntime140_1.dll, PE32+ 21->85 dropped 87 C:\ProgramData\FEStool\mfc140u.dll, PE32+ 21->87 dropped 89 10 other files (none is malicious) 21->89 dropped 143 Found direct / indirect Syscall (likely to bypass EDR) 21->143 25 T_Pulse64.exe 9 21->25         started        29 cmd.exe 21->29         started        31 cmd.exe 21->31         started        signatures9 process10 file11 91 C:\Users\user\AppData\Roaming\...\Chime.exe, PE32 25->91 dropped 93 C:\Users\user\AppData\...\RadiGateway32.exe, PE32 25->93 dropped 95 C:\Users\user\AppData\Roaming\...\MAS_seo.cmd, ASCII 25->95 dropped 97 C:\Users\user\AppData\Local\...\D3242B0.tmp, PE32 25->97 dropped 151 Found hidden mapped module (file has been removed from disk) 25->151 153 Maps a DLL or memory area into another process 25->153 155 Found direct / indirect Syscall (likely to bypass EDR) 25->155 33 cmd.exe 1 25->33         started        36 RadiGateway32.exe 25->36         started        39 Chime.exe 25->39         started        signatures12 process13 dnsIp14 123 Uses ping.exe to sleep 33->123 125 Uses cmd line tools excessively to alter registry or file data 33->125 127 Uses ping.exe to check the status of other devices and networks 33->127 129 Passes commands via pipe to a shell (likely to bypass AV or HIPS) 33->129 41 cmd.exe 1 33->41         started        44 conhost.exe 33->44         started        115 cloudflare-dns.com 104.16.249.249, 443, 49687, 49695 CLOUDFLARENETUS United States 36->115 117 shim1.kpgbody.com 104.21.13.73, 443, 49690 CLOUDFLARENETUS United States 36->117 119 2 other IPs or domains 36->119 131 Switches to a custom stack to bypass stack traces 36->131 133 Found direct / indirect Syscall (likely to bypass EDR) 36->133 signatures15 process16 signatures17 147 Uses cmd line tools excessively to alter registry or file data 41->147 149 Passes commands via pipe to a shell (likely to bypass AV or HIPS) 41->149 46 cmd.exe 1 41->46         started        49 cmd.exe 1 41->49         started        51 cmd.exe 1 41->51         started        53 17 other processes 41->53 process18 signatures19 157 Uses cmd line tools excessively to alter registry or file data 46->157 159 Passes commands via pipe to a shell (likely to bypass AV or HIPS) 46->159 55 cmd.exe 46->55         started        58 cmd.exe 46->58         started        60 cmd.exe 46->60         started        72 17 other processes 46->72 62 cmd.exe 1 49->62         started        64 cmd.exe 1 49->64         started        66 powershell.exe 15 51->66         started        68 mode.com 1 53->68         started        70 conhost.exe 53->70         started        process20 signatures21 145 Uses ping.exe to sleep 55->145 74 PING.EXE 55->74         started        77 PING.EXE 58->77         started        79 powershell.exe 60->79         started        81 mode.com 72->81         started        process22 dnsIp23 121 activated.win 104.21.24.156 CLOUDFLARENETUS United States 74->121
Score:
26%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/fca44955366c9017322ed66a5f697980625b0866dfe7b5e33097a83e59bdb7bf
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
CAB:COMPRESSION:LZX Executable Office Document PDB Path PE (Portable Executable) PE File Layout SVG
Link:
https://app.malva.re/file/22ae6d37b206d21a775c31df0b5160f9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fca44955366c9017322ed66a5f697980625b0866dfe7b5e33097a83e59bdb7bf/
Threat name:
Win64.Downloader.Rugmi
Create hunting rule
Status:
Malicious
First seen:
2025-08-26 11:58:12 UTC
File Type:
Binary (Archive)
Extracted files:
3363
AV detection:
12 of 24 (50.00%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7ssesvjwnsibomro2zvf62lzqbrfwcdg37t3lyzqs6ud4wn5w67q._file
Verdict:
malicious
Label(s):
rhadamanthys
Create hunting rule
hijackloader
Create hunting rule
Similar samples:
error
Rhadamanthys
Result
Malware family:
rhadamanthys
Create hunting rule
Score:
  10/10
Tags:
family:hijackloader family:rhadamanthys defense_evasion discovery execution loader persistence privilege_escalation ransomware stealer
Link:
https://tria.ge/reports/250826-psxwmafp9z/
Behaviour
Checks SCSI registry key(s)
Modifies registry key
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Drops file in Windows directory
Executes dropped EXE
Launches sc.exe
Loads dropped DLL
Suspicious use of SetThreadContext
Command and Scripting Interpreter: PowerShell
Enumerates connected drives
Modifies trusted root certificate store through registry
Detects HijackLoader (aka IDAT Loader)
Detects Rhadamanthys Payload
HijackLoader
Hijackloader family
Rhadamanthys
Rhadamanthys family
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/ad0ce6f1-cdb6-4105-975e-d6720828fc4a
Malware family:
Rhadamanthys
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/fca44955366c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Create hunting rule
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:Excel_Hidden_Macro_Sheet
Create hunting rule
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Rhadamanthys

Microsoft Software Installer (MSI) msi fca44955366c9017322ed66a5f697980625b0866dfe7b5e33097a83e59bdb7bf

(this sample)

  
Link
https://tria.ge/250826-pay1zaysgz/behavioral2
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/23656/

Comments