MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6bffe01c34b9ec6e91e6392b305ae7398918f7f996ae9858ea6c6d9b4499c6f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GenesisStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6bffe01c34b9ec6e91e6392b305ae7398918f7f996ae9858ea6c6d9b4499c6f0
SHA3-384 hash: 686b96980ab38cca220a8cb4e0ed256e9945279dd40f6484c5bfac1f47be752175aef2bb2f48fae3d9a89e392413b3b6
SHA1 hash: bcedc2919ca4f8406ca11a4dbf47f254ddeaeec3
MD5 hash: d9d11b91cfe565de49f2678fd1703818
humanhash: island-speaker-island-nine
File name:LostInWinter 2.1.1.msi
Download: download sample
Signature GenesisStealer
Create hunting rule
File size:91'615'232 bytes
First seen:2025-10-22 12:23:23 UTC
Last seen:2025-10-28 21:09:32 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 1572864:PHR9COaCBn0J4V2Kck40dPIs0b3XL5614XTZJuILjFc7UKRSWSwIPLNw:PxYCBnC4Kl/H64lJuUKRS48N
TLSH T10B18332AD42064B8E71E913B773F4850BB1B1BAE6B115BABA435749E1FB03310E4B75C
TrID 86.8% (.MSI) Microsoft Windows Installer (454500/1/170)
11.6% (.MST) Windows SDK Setup Transform script (61000/1/5)
1.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter burger
Tags:GenesisStealer infostealer msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
55
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68f8cc9f3edd081eba40b3f7
Tags:
n/a
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug crypto fingerprint installer wix
Link:
https://www.filescan.io/uploads/68f8cd8f3a79800405f0e4b4/reports/0ab8f8ad-242a-481a-8a53-d673fbc69253/overview
Verdict:
Malicious
Labled as:
Trojan.MSI.Agent
Link:
https://www.hybrid-analysis.com/sample/6bffe01c34b9ec6e91e6392b305ae7398918f7f996ae9858ea6c6d9b4499c6f0
Verdict:
Malicious
File Type:
msi
Detections:
UDS:DangerousObject.Multi.Generic
Link:
https://opentip.kaspersky.com/6bffe01c34b9ec6e91e6392b305ae7398918f7f996ae9858ea6c6d9b4499c6f0/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1799773
Signature
Drops large PE files
Excessive usage of taskkill to terminate processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Obfuscated command line found
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive system registry key value via command line tool
Sigma detected: Capture Wi-Fi password
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1799773 Sample: LostInWinter 2.1.1.msi Startdate: 22/10/2025 Architecture: WINDOWS Score: 100 61 ip-api.com 2->61 63 github.com 2->63 65 discord.com 2->65 83 Sigma detected: Capture Wi-Fi password 2->83 85 Sigma detected: Invoke-Obfuscation CLIP+ Launcher 2->85 87 Joe Sandbox ML detected suspicious sample 2->87 89 Sigma detected: Invoke-Obfuscation VAR+ Launcher 2->89 9 msiexec.exe 190 175 2->9         started        12 msiexec.exe 14 2->12         started        signatures3 process4 file5 53 C:\Users\user\AppData\...\LostInWinter.exe, PE32+ 9->53 dropped 55 C:\Users\user\AppData\Local\...\vulkan-1.dll, PE32+ 9->55 dropped 57 C:\Users\user\AppData\...\vk_swiftshader.dll, PE32+ 9->57 dropped 59 6 other files (none is malicious) 9->59 dropped 15 LostInWinter.exe 12 9->15         started        111 Drops large PE files 12->111 signatures6 process7 dnsIp8 69 ip-api.com 208.95.112.1, 49701, 80 TUT-ASUS United States 15->69 71 github.com 140.82.112.4, 443, 49706 GITHUBUS United States 15->71 73 discord.com 162.159.135.232, 443, 49704, 49705 CLOUDFLARENETUS United States 15->73 49 C:\Users\user\AppData\...\cookies.sqlite-shm, data 15->49 dropped 51 C:\Users\user\AppData\Local\...\passwords.db, SQLite 15->51 dropped 75 Suspicious powershell command line found 15->75 77 Obfuscated command line found 15->77 79 Tries to harvest and steal browser information (history, passwords, etc) 15->79 81 2 other signatures 15->81 20 cmd.exe 1 15->20         started        23 powershell.exe 15->23         started        25 cmd.exe 15->25         started        27 83 other processes 15->27 file9 signatures10 process11 dnsIp12 91 Uses cmd line tools excessively to alter registry or file data 20->91 93 Uses netsh to modify the Windows network and firewall settings 20->93 95 Tries to harvest and steal WLAN passwords 20->95 30 conhost.exe 20->30         started        32 chcp.com 1 20->32         started        97 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 23->97 99 Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes) 23->99 101 Queries memory information (via WMI often done to detect virtual machines) 23->101 34 conhost.exe 23->34         started        103 Queries sensitive system registry key value via command line tool 25->103 36 conhost.exe 25->36         started        38 reg.exe 25->38         started        67 chrome.cloudflare-dns.com 162.159.61.3, 443, 49702, 60722 CLOUDFLARENETUS United States 27->67 105 Excessive usage of taskkill to terminate processes 27->105 107 Loading BitLocker PowerShell Module 27->107 40 powershell.exe 27->40         started        43 taskkill.exe 1 27->43         started        45 taskkill.exe 1 27->45         started        47 108 other processes 27->47 signatures13 process14 signatures15 109 Loading BitLocker PowerShell Module 40->109
Score:
100%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/6bffe01c34b9ec6e91e6392b305ae7398918f7f996ae9858ea6c6d9b4499c6f0
Gathering data
Verdict:
Clean
Link:
https://tip.neiki.dev/file/6bffe01c34b9ec6e91e6392b305ae7398918f7f996ae9858ea6c6d9b4499c6f0
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=np76ahbuxhwg5epghevtawxhhgerr57zs2xjqwhknrwzwrezy3ya._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery execution persistence privilege_escalation ransomware spyware stealer
Link:
https://tria.ge/reports/251022-pmh6aadv6f/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
Reads user/profile data of web browsers
System Network Configuration Discovery: Wi-Fi Discovery
Drops file in Windows directory
Executes dropped EXE
Hide Artifacts: Ignore Process Interrupts
Loads dropped DLL
Checks computer location settings
Enumerates processes with tasklist
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Command and Scripting Interpreter: PowerShell
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/01186e61-904d-44d1-aade-c5d616ee4ba6
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments