MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3c47476a1d3568320f1722275bbd3d711c27747fe4c83cc94e86d36b446fd507. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



GenesisStealer


Vendor detections: 8



SHA256 hash: 3c47476a1d3568320f1722275bbd3d711c27747fe4c83cc94e86d36b446fd507
SHA3-384 hash: 248e11e016471a15ee09df14ecea05c17e976dd44d7e79acd2c09019aa110d32f5910ffd9fc679e38f4852506c6444db
SHA1 hash: c50f068d9bf4fbb3965bb5db69d31479713eb0e4
MD5 hash: 8f0055d40344a0eae3cf582bdf7ae2e6
humanhash: ceiling-quiet-utah-michigan
File name: loader.msi
Signature: GenesisStealer
File size: 92,135,424 bytes (about 88 MiB)
First seen: 2025-08-29 20:01:45 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 1572864:XoIQpDnj2DQ2wyvOg/W/N1ItoV9QUbWjpXowZoTL0aaQE1hzIX3N5nEVhizC:YIQ5SspV1TVKUyFXkTgEsFIX3N5nyhaC
TLSH: T1281833D6590B5670FD34A9B92A3F929A43353F17B816104FB4523CE0287EE907B38F99
TrID: 86.8% (.MSI) Microsoft Windows Installer (454500/1/170)
      11.6% (.MST) Windows SDK Setup Transform script (61000/1/5)
      1.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: burger
Tags: GenesisStealer msi
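Before trusting a copy of this sample pulled from any mirror, recompute the digests the entry lists and confirm that the bytes are what the type fields say they are (an MSI package is an OLE2 compound file, which is why TrID's third guess is "Generic OLE2"). The script below is an added example, not MalwareBazaar code; it uses only the standard library, so the ssdeep and TLSH values are not recomputed, and the `check_sample` name, the return format and the constructed test input are my own assumptions.

```python
"""Verify a downloaded sample against the MalwareBazaar entry for loader.msi.

Added example, not MalwareBazaar code. Recomputes SHA256, SHA3-384, SHA1 and
MD5, compares them with the entry, checks the listed size, and checks the
OLE2 compound-file signature that every MSI package starts with. ssdeep and
TLSH are not covered (no standard-library implementation).
"""
import hashlib
import sys
from pathlib import Path

# Digests and size copied from the entry above.
ENTRY_HASHES = {
    "sha256": "3c47476a1d3568320f1722275bbd3d711c27747fe4c83cc94e86d36b446fd507",
    "sha3_384": "248e11e016471a15ee09df14ecea05c17e976dd44d7e79acd2c09019aa110d32f5910ffd9fc679e38f4852506c6444db",
    "sha1": "c50f068d9bf4fbb3965bb5db69d31479713eb0e4",
    "md5": "8f0055d40344a0eae3cf582bdf7ae2e6",
}
ENTRY_SIZE = 92_135_424

# Compound File Binary (OLE2) header signature, shared by MSI, DOC, XLS, ...
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def digests(data: bytes) -> dict:
    """Return the four digests the entry lists, as lowercase hex strings."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def is_ole2(data: bytes) -> bool:
    """True if the blob starts with the OLE2 compound-file signature."""
    return data[:8] == OLE2_MAGIC


def check_sample(data: bytes, expected: dict = ENTRY_HASHES,
                 expected_size: int = ENTRY_SIZE) -> dict:
    """Compare a blob with the entry; returns one boolean per check.

    A mismatch on any digest means this is not the file the entry describes
    (a different build, a truncated download, or a re-packed copy).
    """
    got = digests(data)
    result = {name: got[name] == value for name, value in expected.items()}
    result["size"] = len(data) == expected_size
    result["ole2"] = is_ole2(data)
    return result


if __name__ == "__main__":
    # Usage: python check_sample.py path/to/loader.msi
    blob = Path(sys.argv[1]).read_bytes()
    for name, ok in check_sample(blob).items():
        print(f"{name:9s} {'OK' if ok else 'MISMATCH'}")
```

Run it against the downloaded file; every row should print OK. If only `ole2` and `size` pass, you have a valid MSI container of the same length but different content, which is the pattern to expect from a re-signed or re-padded variant rather than from transfer corruption.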

Intelligence


File Origin
# of uploads: 1
# of downloads: 43
Origin country: DE
Vendor Threat Intelligence

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug anti-vm crypto fingerprint installer wix

Verdict: Malicious
File type: msi
Detections: Trojan-PSW.Win64.Agent.wj

Result
Threat name: n/a
Detection: malicious
Classification: spyw.evad
Score: 68 / 100
Signature
Drops large PE files
Excessive usage of taskkill to terminate processes
Found Tor onion address
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Tries to harvest and steal browser information (history, passwords, etc)
Behaviour
Behavior Graph: ID 1767904, sample loader.msi, start date 29/08/2025, architecture WINDOWS, score 68

Top-level signature: Joe Sandbox ML detected suspicious sample
Top-level network: ip-api.com, github.com, 2 other IPs or domains

Process tree recovered from the graph (bracketed numbers are the node counts as rendered; four root processes, two msiexec.exe and two msedge.exe):

msiexec.exe [190 175]
  dropped: C:\Users\user\AppData\Local\...\loader.exe (PE32+)
  dropped: C:\Users\user\AppData\Local\...\vulkan-1.dll (PE32+)
  dropped: C:\Users\user\AppData\...\vk_swiftshader.dll (PE32+)
  dropped: 6 other files (none is malicious)
  -> loader.exe [40]
       network: ip-api.com 208.95.112.1 (ports 49721, 80), TUT-ASUS, United States
       network: github.com 140.82.113.3 (ports 443, 49727), GITHUBUS, United States
       network: 2 other IPs or domains
       dropped: C:\Users\user\AppData\...\cookies.sqlite-shm (data)
       dropped: C:\Users\user\AppData\...\Login Data.query (SQLite)
       dropped: C:\Users\user\AppData\...\Web Data.query (SQLite)
       dropped: 2 other malicious files
       signature: Tries to harvest and steal browser information (history, passwords, etc)
       -> chrome.exe
            network: 192.168.2.4 (ports 138, 443, 49448), unknown
            signature: Found Tor onion address
            -> chrome.exe
                 network: mail.yandex.com 77.88.21.37 (ports 443, 49792), YANDEXRU, Russian Federation
                 network: yandex.com 77.88.44.55 (ports 443, 49779, 49786), YANDEXRU, Russian Federation
                 network: 35 other IPs or domains
       -> cmd.exe [1]
            -> WMIC.exe [1]
                 signature: Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
            -> conhost.exe
       -> cmd.exe [1]
            signature: Excessive usage of taskkill to terminate processes
            -> taskkill.exe [1]
            -> conhost.exe
       -> 26 other processes
            network: chrome.cloudflare-dns.com 172.64.41.3 (ports 443, 49726, 49739), CLOUDFLARENETUS, United States
            -> taskkill.exe [1] (three instances)
            -> 44 other processes

msedge.exe
  network: 239.255.255.250, unknown, Reserved
  dropped: C:\Users\user\AppData\Local\...\Login Data (SQLite)
  signature: Maps a DLL or memory area into another process
  -> msedge.exe
       network: 18.173.132.23 (ports 443, 49750), MIT-GATEWAYSUS, United States
       network: 13.107.246.40 (ports 443, 49747, 49759), MICROSOFT-CORP-MSN-AS-BLOCKUS, United States
       network: 22 other IPs or domains
  -> msedge.exe
  -> msedge.exe
  -> 3 other processes

msiexec.exe [14]
  signature: Drops large PE files

msedge.exe
  -> msedge.exe
Result
Malware family: n/a
Score: 6/10
Tags: defense_evasion discovery persistence privilege_escalation ransomware spyware stealer
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Collects information from the system
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
Modifies trusted root certificate store through registry
Reads user/profile data of web browsers
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Enumerates processes with tasklist
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Verdict: Suspicious
Tags: n/a
YARA: n/a
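The sandbox signatures and behaviour lists above describe a chain that host telemetry can catch without a family-specific indicator: msiexec.exe dropping and executing loader.exe from the user profile, cmd.exe driving a WMIC Win32_LogicalDisk query and a burst of taskkill.exe (browsers are killed so their database files can be copied), a geolocation lookup against ip-api.com, and a write to the trusted root certificate store through the registry. The rules below are an added example, not MalwareBazaar's or any sandbox vendor's detection content. The event log is constructed to imitate the reported chain: the report only gives process names, paths with elided directories and hostnames, so the command lines, the directory under AppData, the PIDs, the registry value and the threshold of four taskkill children are assumptions, as are the event field names.

```python
"""Detections for the process chain in this sandbox report.

Added example, not vendor code. Rules run over a constructed process,
network and registry event list that mimics the behaviour graph. The event
schema (type/pid/ppid/image/cmdline/host/key/op) and all thresholds are
assumptions made for the example.
"""
from collections import Counter

# Constructed events. Paths, command lines and PIDs are invented to match
# the report's shape; the report elides the directory under AppData\Local.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec.exe /i loader.msi"},
    {"type": "process", "pid": 200, "ppid": 100, "image": r"C:\Users\user\AppData\Local\Loader\loader.exe",
     "cmdline": "loader.exe"},
    {"type": "network", "pid": 200, "host": "ip-api.com", "dport": 80},
    {"type": "network", "pid": 200, "host": "github.com", "dport": 443},
    {"type": "registry", "pid": 200, "op": "SetValue",
     "key": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CONSTRUCTEDTHUMBPRINT\Blob"},
    {"type": "process", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c wmic logicaldisk get caption,size"},
    {"type": "process", "pid": 301, "ppid": 300, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic logicaldisk get caption,size"},
    {"type": "process", "pid": 400, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c taskkill /F /IM chrome.exe"},
] + [
    {"type": "process", "pid": 500 + i, "ppid": 400, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": f"taskkill /F /IM {browser}"}
    for i, browser in enumerate(["chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"])
]

TASKKILL_THRESHOLD = 4                        # assumed; tune to your fleet
EXTERNAL_IP_SERVICES = {"ip-api.com"}         # the only such host the report names
ROOT_STORE_PREFIX = r"hklm\software\microsoft\systemcertificates\root\certificates"
REGISTRY_WRITE_OPS = {"SetValue", "CreateKey"}


def _image_is(event, name):
    return event["type"] == "process" and event["image"].lower().endswith("\\" + name)


def rule_installer_runs_dropped_exe(events):
    """msiexec.exe as parent of an executable living under a user's AppData."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    return [("installer_runs_dropped_exe", e["pid"], e["image"])
            for e in by_pid.values()
            if (p := by_pid.get(e["ppid"])) and _image_is(p, "msiexec.exe")
            and "\\appdata\\" in e["image"].lower()]


def rule_taskkill_burst(events, threshold=TASKKILL_THRESHOLD):
    """One parent spawning taskkill.exe at least `threshold` times."""
    counts = Counter(e["ppid"] for e in events if _image_is(e, "taskkill.exe"))
    return [("taskkill_burst", ppid, n) for ppid, n in counts.items() if n >= threshold]


def rule_wmic_logicaldisk(events):
    """WMIC.exe querying Win32_LogicalDisk (disk-size sandbox check in the report)."""
    return [("wmi_logicaldisk_query", e["pid"], e["cmdline"])
            for e in events if _image_is(e, "wmic.exe") and "logicaldisk" in e["cmdline"].lower()]


def rule_external_ip_lookup(events):
    """Any process contacting a known external-IP/geolocation service."""
    return [("external_ip_lookup", e["pid"], e["host"])
            for e in events if e["type"] == "network" and e["host"].lower() in EXTERNAL_IP_SERVICES]


def rule_root_store_write(events):
    """Registry write under the machine trusted-root certificate store."""
    return [("root_store_write", e["pid"], e["key"])
            for e in events if e["type"] == "registry" and e["op"] in REGISTRY_WRITE_OPS
            and e["key"].lower().startswith(ROOT_STORE_PREFIX)]


RULES = (rule_installer_runs_dropped_exe, rule_taskkill_burst, rule_wmic_logicaldisk,
         rule_external_ip_lookup, rule_root_store_write)


def run_rules(events):
    """Apply every rule; returns (rule_name, pid, detail) tuples."""
    return [hit for rule in RULES for hit in rule(events)]


if __name__ == "__main__":
    for hit in run_rules(EVENTS):
        print(hit)
```

Each rule alone is noisy on a real fleet (installers legitimately run helpers, admins use taskkill and WMIC), so score them per process tree: here all five fire under the same loader.exe lineage, which is the combination worth paging on. The root-store rule is the one to keep at high severity on its own; legitimate software adds machine roots rarely and through known installers.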
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments