MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ba0ccffa6bf5e94111d9ac2c9448a1d8acf9688f197130f7d0f6b71a65088e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown
Vendor detections: 7

SHA256 hash: 0ba0ccffa6bf5e94111d9ac2c9448a1d8acf9688f197130f7d0f6b71a65088e6
SHA3-384 hash: be627f8d2a458ad32155c7d7751f165d0d4bf26d62f573d7f05ce98043c553c0e05e39a6b6f049bf11bbe5973ed7bf61
SHA1 hash: e313aa90d80468bbe18cec37560764ffa8a031d2
MD5 hash: 6d85f132565459c01a86d3e2a6952e81
humanhash: football-foxtrot-carolina-virginia
File name: MavorTools.msi
File size: 92'733'440 bytes
First seen: 2025-05-20 17:39:53 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI)
MIME type: application/x-msi
ssdeep: 1572864:1H7//eZ3Rah+/fUpQuQXI9YuUbQpaTn/0WSLAwu7Bz9pzvd+indDAtbX374RPXd0:8tRahwcpQlYGZbZJzvd+SdUZX374s0w
TLSH: T1781833A4490B0FF6C0C6867DF17F0D54C26B2C29C7666E332EB37A4E197EB450DA6099
TrID: 86.8% (.MSI) Microsoft Windows Installer (454500/1/170)
      11.6% (.MST) Windows SDK Setup Transform script (61000/1/5)
      1.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: burger
Tags: msi
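Before working with a downloaded copy of this sample, confirm it is the file the entry describes. The check below is an added example, not MalwareBazaar's own tooling: it hashes the file once with all four algorithms listed above (Python's hashlib covers SHA3-384 as "sha3_384") and compares them, plus the byte count, against the values in this entry. The path argument is assumed to be the MSI extracted from the download archive, not the archive itself.

```python
"""Check a local copy of the sample against the hashes published in this
MalwareBazaar entry. Added example, not MalwareBazaar tooling; the path
argument is whatever the download was extracted to."""
import hashlib
import io
import sys

# Values copied from the entry above (hex, lower-case).
EXPECTED = {
    "md5": "6d85f132565459c01a86d3e2a6952e81",
    "sha1": "e313aa90d80468bbe18cec37560764ffa8a031d2",
    "sha256": "0ba0ccffa6bf5e94111d9ac2c9448a1d8acf9688f197130f7d0f6b71a65088e6",
    "sha3_384": "be627f8d2a458ad32155c7d7751f165d0d4bf26d62f573d7f05ce98043c553c0e05e39a6b6f049bf11bbe5973ed7bf61",
}
EXPECTED_SIZE = 92_733_440  # "File size" from the entry


def _digest(stream, chunk_size=1 << 20):
    """One read pass feeding every algorithm; returns hex digests plus size."""
    hashers = {name: hashlib.new(name) for name in EXPECTED}
    size = 0
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    out = {name: h.hexdigest() for name, h in hashers.items()}
    out["size"] = size
    return out


def compute_hashes(path):
    """Digests and size of a file on disk."""
    with open(path, "rb") as fh:
        return _digest(fh)


def hashes_of_bytes(data):
    """Same computation over an in-memory byte string (useful for tests)."""
    return _digest(io.BytesIO(data))


def compare(actual, expected=EXPECTED, expected_size=EXPECTED_SIZE):
    """Per-check booleans; every one must be True before treating the file
    as the catalogued sample. Expected hex is case-normalised so values
    pasted from another source (an EDR alert, a vendor report) compare
    cleanly."""
    result = {name: actual[name] == value.lower() for name, value in expected.items()}
    result["size"] = actual["size"] == expected_size
    return result


def verify(path):
    """Compare a file on disk against the entry's hashes and size."""
    return compare(compute_hashes(path))


if __name__ == "__main__":
    checks = verify(sys.argv[1])
    for name, ok in checks.items():
        print(f"{name:9s} {'OK' if ok else 'MISMATCH'}")
    sys.exit(0 if all(checks.values()) else 1)
```

SHA256 is the identifier MalwareBazaar keys on, so a SHA256 match is the one that matters; the MD5 and SHA1 values are there for cross-referencing older reports, and a size mismatch with matching hashes is not possible, so a size mismatch alone means you hashed the wrong file (typically the archive rather than its contents).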

Intelligence

File Origin
# of uploads: 1
# of downloads: 92
Origin country: SE

Vendor Threat Intelligence
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: adaptive-context anti-debug crypto fingerprint installer wix
Result
Threat name: n/a
Detection: malicious
Classification: phis.troj.adwa.spyw.evad (Joe Sandbox classes: phishing, trojan, adware, spyware, evader)
Score: 100 / 100
Signature
Bypasses PowerShell execution policy
Changes security center settings (notifications, updates, antivirus, firewall)
Creates an undocumented autostart registry key
Drops large PE files
Drops PE files to the startup folder
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Overwrites Mozilla Firefox settings
Performs DNS queries to domains with low reputation
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Capture Wi-Fi password
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal communication platform credentials (via file / registry access)
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph ID: 1695306
Sample: MavorTools.msi
Startdate: 20/05/2025
Architecture: WINDOWS
Score: 100

The graph image is rendered here as a process tree; counts such as "17 other IPs or domains" are the graph's own elisions.

Sample-level observations:
  DNS/IP: bamboulacity.nova-blight.xyz (Performs DNS queries to domains with low reputation); www.google.com; 17 other IPs or domains
  Signatures: Capture Wi-Fi password; WScript or CScript Dropper; Joe Sandbox ML detected suspicious sample; 2 other signatures

Process tree:
msiexec.exe
  Dropped: C:\Users\user\AppData\...\MavorTools.exe (PE32+); C:\Users\user\AppData\Local\...\vulkan-1.dll (PE32+); C:\Users\user\AppData\...\vk_swiftshader.dll (PE32+); 10 other files (none is malicious)
  MavorTools.exe
    Network: ipinfo.io 34.117.59.81:443 (GOOGLE-AS-AP, United States); raw.githubusercontent.com 185.199.110.133:443 (FASTLYUS, Netherlands); api.gofile.io 94.139.32.3:443 (ENIX-ASFR, Belgium)
    Dropped: C:\Users\user\AppData\...\MavorTools.exe (PE32+, two entries); C:\Users\user\...\cookies.sqlite_tmp (copy) (PE32+); 2 other files (none is malicious)
    Signatures: Overwrites Mozilla Firefox settings; Drops PE files to the startup folder; Tries to harvest and steal browser information (history, passwords, etc); 3 other signatures
    cmd.exe
      Signatures: Uses ping.exe to sleep; Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity); Uses cmd line tools excessively to alter registry or file data; 3 other signatures
      2 other processes
        net1.exe
    cmd.exe
      powershell.exe: Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory); Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity); Queries sensitive service information (via WMI, Win32_LogicalDisk); Queries memory information (via WMI)
      conhost.exe
    cmd.exe
      reg.exe: Creates an undocumented autostart registry key
      conhost.exe
    33 other processes
      Network: 162.159.61.3:443 (CLOUDFLARENETUS, United States); chrome.cloudflare-dns.com 172.64.41.3:443 (CLOUDFLARENETUS, United States)
      Signatures: Tries to harvest and steal WLAN passwords
      powershell.exe: Loading BitLocker PowerShell Module
      powershell.exe
      powershell.exe
      43 other processes
        Network: 8.8.8.8 (GOOGLEUS, United States)
        net1.exe
msiexec.exe (second instance): Drops large PE files
svchost.exe: Changes security center settings (notifications, updates, antivirus, firewall)
7 other processes: 127.0.0.1
Result
Malware family: n/a
Score: 8/10
Tags: collection credential_access discovery execution persistence privilege_escalation spyware stealer
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Runs net.exe
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Event Triggered Execution: Installer Packages
Event Triggered Execution: Netsh Helper DLL
Reads user/profile data of web browsers
System Network Configuration Discovery: Internet Connection Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Checks installed software on the system
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Launches sc.exe
Loads dropped DLL
Modifies WinLogon for persistence
Checks computer location settings
Enumerates processes with tasklist
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Clipboard Data
Drops startup file
Command and Scripting Interpreter: PowerShell
Creates new service(s)
Uses browser remote debugging
Please note that we are no longer able to provide a coverage score for VirusTotal.
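The two vendor behaviour lists above (the Joe Sandbox signatures such as "Uses ping.exe to sleep", "Capture Wi-Fi password", "Bypasses PowerShell execution policy" and "Creates an undocumented autostart registry key", and the second vendor's "Runs ping.exe", "Modifies WinLogon for persistence" and "Uses browser remote debugging") all describe process command lines, which is what endpoint telemetry records. The script below is an added example, not either vendor's rule logic and not the referenced Sigma rules: it approximates those behaviours as command-line patterns and runs them over constructed Sysmon-style process-creation events modelled on the process tree above. The install path and script names in the events are hypothetical; the benign look-alikes at the end show the edge cases a practitioner must not alert on.

```python
"""Process-creation detections for the behaviours both sandbox vendors list
for this sample. Added illustration: the patterns approximate the listed
signatures (ping-as-sleep, Wi-Fi profile/key capture, execution-policy
bypass, script from Temp, Run-key and Winlogon persistence, netsh firewall
changes, browser remote debugging); they are not the vendors' rule logic."""
import re

LOOPBACK = re.compile(r"(?:^|\s)(?:127\.0\.0\.1|localhost|::1)(?=\s|$)")
WLAN_PROFILE = re.compile(r"\bnetsh\b.*\bwlan\b.*\bshow\b.*\bprofile")
SCRIPT_HOSTS = ("wscript", "cscript", "powershell", "pwsh")


def _ping_sleep(cmd, image):
    """'Uses ping.exe to sleep': loopback ping with a repeat count above 1.
    A single ping to an external host is status checking, not a delay."""
    if "ping" not in image and not re.search(r"\bping(?:\.exe)?\b", cmd):
        return False
    count = re.search(r"-n\s+(\d+)", cmd)
    return bool(count) and int(count.group(1)) > 1 and bool(LOOPBACK.search(cmd))


# (rule name, predicate over lower-cased command line and image basename)
RULES = [
    ("ping_sleep", _ping_sleep),
    ("wifi_profile_discovery", lambda c, i: bool(WLAN_PROFILE.search(c))),
    ("wifi_credential_capture",
     lambda c, i: bool(WLAN_PROFILE.search(c)) and "key=clear" in c),
    ("powershell_ep_bypass",
     lambda c, i: i.startswith(("powershell", "pwsh"))
     and bool(re.search(r"-(?:ep|exec|executionpolicy)\s+bypass\b", c))),
    ("script_from_temp",
     lambda c, i: i.startswith(SCRIPT_HOSTS)
     and bool(re.search(r"\\temp\\[^\s\"]+\.(?:ps1|vbs|js|jse|bat|cmd)\b", c))),
    ("run_key_autostart",
     lambda c, i: bool(re.search(r"\breg(?:\.exe)?\s+add\b.*\\currentversion\\run(?:once)?\b", c))),
    ("winlogon_persistence",
     lambda c, i: bool(re.search(r"\breg(?:\.exe)?\s+add\b.*\\currentversion\\winlogon\b", c))),
    ("netsh_firewall_change",
     lambda c, i: bool(re.search(r"\bnetsh\b.*\b(?:advfirewall|firewall)\b.*\b(?:add|set|delete)\b", c))),
    ("browser_remote_debugging",
     lambda c, i: i.startswith(("chrome", "msedge", "brave", "firefox"))
     and "--remote-debugging-" in c),
]


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def match_rules(event):
    """Names of every rule that fires on one process-creation event."""
    cmd = event["CommandLine"].lower()
    image = _basename(event["Image"]).lower()
    return [name for name, pred in RULES if pred(cmd, image)]


def scan(events):
    """[(index, image basename, [rule names])] for events that fired."""
    hits = []
    for idx, ev in enumerate(events):
        names = match_rules(ev)
        if names:
            hits.append((idx, _basename(ev["Image"]), names))
    return hits


def verdict(events, threshold=3):
    """(distinct behaviours seen, flagged). Several distinct behaviours in one
    trace is the clustering the vendor scores above reflect; any single rule
    on its own is too common to page on."""
    distinct = {n for _, _, names in scan(events) for n in names}
    return len(distinct), len(distinct) >= threshold


def _ev(parent, image, cmd):
    return {"ParentImage": parent, "Image": image, "CommandLine": cmd}


SYS = r"C:\Windows\System32"
APP = r"C:\Users\user\AppData\Local\MavorTools\MavorTools.exe"  # hypothetical install path
# Constructed Sysmon-style (Event ID 1) events modelled on the process tree
# above; not lines from either sandbox report.
SAMPLE_EVENTS = [
    _ev(SYS + r"\msiexec.exe", APP, APP),
    _ev(APP, SYS + r"\cmd.exe", "cmd.exe /c ping -n 5 127.0.0.1 >nul"),
    _ev(SYS + r"\cmd.exe", SYS + r"\PING.EXE", "ping -n 5 127.0.0.1"),
    _ev(SYS + r"\cmd.exe", SYS + r"\netsh.exe", "netsh wlan show profiles"),
    _ev(SYS + r"\cmd.exe", SYS + r"\netsh.exe", 'netsh wlan show profile "HomeWiFi" key=clear'),
    _ev(SYS + r"\cmd.exe", SYS + r"\WindowsPowerShell\v1.0\powershell.exe",
        r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\user\AppData\Local\Temp\collect.ps1"),
    _ev(SYS + r"\cmd.exe", SYS + r"\reg.exe",
        r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v MavorTools /t REG_SZ /d "C:\Users\user\AppData\Roaming\MavorTools.exe" /f'),
    _ev(SYS + r"\cmd.exe", SYS + r"\netsh.exe",
        'netsh advfirewall firewall add rule name="MavorTools" dir=in action=allow program="' + APP + '"'),
    _ev(APP, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless --remote-debugging-port=9222'),
    # Benign look-alikes that must not fire:
    _ev(SYS + r"\cmd.exe", SYS + r"\PING.EXE", "ping -n 1 www.google.com"),
    _ev(SYS + r"\cmd.exe", SYS + r"\WindowsPowerShell\v1.0\powershell.exe",
        r"powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1"),
]

if __name__ == "__main__":
    for idx, image, names in scan(SAMPLE_EVENTS):
        print(f"event {idx:2d} {image:16s} {', '.join(names)}")
    print("distinct behaviours: %d, flagged: %s" % verdict(SAMPLE_EVENTS))
```

Two design points carry over to production rules. First, "netsh wlan show profile" alone is only discovery (the second vendor's "Wi-Fi Discovery"); the credential theft the Joe Sandbox list calls out needs "key=clear", so the two are separate rules with separate severities. Second, the ping rule keys on the loopback target and a repeat count above one, which is what distinguishes the sleep idiom from the "checks the status of other devices" behaviour the same report lists; matching on ping.exe alone would fire on every connectivity check on the estate.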

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments