MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04c235057ccb53c25e65bf1fec0bfff1f9ae2e70f1019055b9b8eb28359c205f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GenesisStealer


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 04c235057ccb53c25e65bf1fec0bfff1f9ae2e70f1019055b9b8eb28359c205f
SHA3-384 hash: a6afa2a7ac2ec39f44334b581ccbe71f80149976a5b4df8c26b2f6e9b8623f11bf3a890e0cd016a9e80abb4730801de9
SHA1 hash: a32070ec751d5cf766c9e9c9147952ca52bd2333
MD5 hash: 3014864c047a51a35c8095b8072b3cac
humanhash: spaghetti-king-eighteen-berlin
File name:EnderForge 2.1.1.msi
Download: download sample
Signature GenesisStealer
Create hunting rule
File size:91'725'824 bytes
First seen:2025-10-21 15:56:22 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 1572864:yqIDxfodpG6sLf9SGAzX0rvrHjh7XJXQ5zaOvHNE67UKRSySwHq9t2TV:NIDyPG6QlSGAj0rvr5XRvItpUKRSaY2R
TLSH T1051833A9A24378B6E476537D5B6881FB53171CD3A53025BBBC73B8DFE2707200199A2C
TrID 86.8% (.MSI) Microsoft Windows Installer (454500/1/170)
11.6% (.MST) Windows SDK Setup Transform script (61000/1/5)
1.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter burger
Tags:GenesisStealer msi stealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
51
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
no reply from clamd
Create hunting rule

Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f7ad6d3edd081eba406047
Tags:
n/a
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug crypto fingerprint installer wix
Link:
https://www.filescan.io/uploads/68f7ad443a79800405eec24e/reports/25094353-bd38-48e7-bb63-7ff4ecb750de/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/04c235057ccb53c25e65bf1fec0bfff1f9ae2e70f1019055b9b8eb28359c205f
Verdict:
Clean
File Type:
msi
Link:
https://opentip.kaspersky.com/04c235057ccb53c25e65bf1fec0bfff1f9ae2e70f1019055b9b8eb28359c205f/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1799251
Signature
Drops large PE files
Excessive usage of taskkill to terminate processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Obfuscated command line found
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive system registry key value via command line tool
Sigma detected: Capture Wi-Fi password
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1799251 Sample: EnderForge 2.1.1.msi Startdate: 21/10/2025 Architecture: WINDOWS Score: 100 61 ip-api.com 2->61 63 github.com 2->63 65 discord.com 2->65 83 Sigma detected: Capture Wi-Fi password 2->83 85 Sigma detected: Invoke-Obfuscation CLIP+ Launcher 2->85 87 Joe Sandbox ML detected suspicious sample 2->87 89 Sigma detected: Invoke-Obfuscation VAR+ Launcher 2->89 9 msiexec.exe 190 175 2->9         started        12 msiexec.exe 14 2->12         started        signatures3 process4 file5 53 C:\Users\user\AppData\...nderForge.exe, PE32+ 9->53 dropped 55 C:\Users\user\AppData\Local\...\vulkan-1.dll, PE32+ 9->55 dropped 57 C:\Users\user\AppData\...\vk_swiftshader.dll, PE32+ 9->57 dropped 59 6 other files (none is malicious) 9->59 dropped 15 EnderForge.exe 12 9->15         started        111 Drops large PE files 12->111 signatures6 process7 dnsIp8 69 ip-api.com 208.95.112.1, 49691, 80 TUT-ASUS United States 15->69 71 github.com 140.82.114.3, 443, 49696 GITHUBUS United States 15->71 73 discord.com 162.159.137.232, 443, 49694, 49695 CLOUDFLARENETUS United States 15->73 49 C:\Users\user\AppData\...\cookies.sqlite-shm, data 15->49 dropped 51 C:\Users\user\AppData\Local\...\passwords.db, SQLite 15->51 dropped 75 Suspicious powershell command line found 15->75 77 Obfuscated command line found 15->77 79 Tries to harvest and steal browser information (history, passwords, etc) 15->79 81 2 other signatures 15->81 20 cmd.exe 1 15->20         started        23 powershell.exe 15->23         started        25 cmd.exe 15->25         started        27 84 other processes 15->27 file9 signatures10 process11 dnsIp12 91 Uses cmd line tools excessively to alter registry or file data 20->91 93 Uses netsh to modify the Windows network and firewall settings 20->93 95 Tries to harvest and steal WLAN passwords 20->95 30 conhost.exe 20->30         started        32 chcp.com 1 20->32         started        97 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 23->97 99 Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes) 23->99 101 Queries memory information (via WMI often done to detect virtual machines) 23->101 34 conhost.exe 23->34         started        103 Queries sensitive system registry key value via command line tool 25->103 36 conhost.exe 25->36         started        38 reg.exe 25->38         started        67 chrome.cloudflare-dns.com 162.159.61.3, 443, 49692, 57664 CLOUDFLARENETUS United States 27->67 105 Excessive usage of taskkill to terminate processes 27->105 107 Loading BitLocker PowerShell Module 27->107 40 powershell.exe 27->40         started        43 taskkill.exe 1 27->43         started        45 taskkill.exe 1 27->45         started        47 108 other processes 27->47 signatures13 process14 signatures15 109 Loading BitLocker PowerShell Module 40->109
Score:
0%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/04c235057ccb53c25e65bf1fec0bfff1f9ae2e70f1019055b9b8eb28359c205f
Gathering data
Verdict:
Malicious
Threat:
NetworkReferences.Malware.Generic
Link:
https://tip.neiki.dev/file/04c235057ccb53c25e65bf1fec0bfff1f9ae2e70f1019055b9b8eb28359c205f
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=atbdkbl4znj4extfx4p6yc776h424ltq6eazavnzxdvsqnm4ebpq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery execution persistence privilege_escalation ransomware spyware stealer
Link:
https://tria.ge/reports/251021-tdtb4swner/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
Reads user/profile data of web browsers
System Network Configuration Discovery: Wi-Fi Discovery
Drops file in Windows directory
Executes dropped EXE
Hide Artifacts: Ignore Process Interrupts
Loads dropped DLL
Checks computer location settings
Enumerates processes with tasklist
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://hybrid-analysis.com/sample/04c235057ccb53c25e65bf1fec0bfff1f9ae2e70f1019055b9b8eb28359c205f/68f7aaabd6e7ef082309364b

Comments