MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0ccd705314d4c791edfee20ef9f99e056dc82775a42edd8653668a492b72a11. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


GenesisStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c0ccd705314d4c791edfee20ef9f99e056dc82775a42edd8653668a492b72a11
SHA3-384 hash: 3efb21d730c25743c27d9f897b2d78e3fded29687c76a119d44f7fe6acff74e4763283584c756fd8f10df251b9e1b357
SHA1 hash: be83bb382d044f4c2ae8544eb29723cc46a73005
MD5 hash: b2c1b5c91b5d5ba19d2eab3f9a7620be
humanhash: nebraska-apart-gee-maine
File name:VapeV4 2.1.1.msi
Download: download sample
Signature GenesisStealer
Create hunting rule
File size:91'934'720 bytes
First seen:2025-10-25 20:17:48 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 1572864:C3zgXSDsSvEezSu59ez5bIhsENPpNI79v5wFnplu6r6nmBA7UKRIcSXBTLIX/m:C3cRciz5wFNPP2xsTjSUKRI5RIX
TLSH T10B18334D14401CB2E74EAA75053F073622775EA73A71683E7436B8E96BB33721E292C7
TrID 86.8% (.MSI) Microsoft Windows Installer (454500/1/170)
11.6% (.MST) Windows SDK Setup Transform script (61000/1/5)
1.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter burger
Tags:GenesisStealer msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
66
Origin country :
NL NL
Vendor Threat Intelligence
Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=68fcf4893bdc93eb05643b18
Tags:
n/a
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug crypto fingerprint installer wix
Link:
https://www.filescan.io/uploads/68fd30a9acdc0d13837f0056/reports/b47a9884-a0d4-42ac-a0d7-e55be6ac1b5a/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/c0ccd705314d4c791edfee20ef9f99e056dc82775a42edd8653668a492b72a11
Verdict:
Malicious
File Type:
msi
First seen:
2025-10-26T12:42:00Z UTC
Last seen:
2025-10-26T13:06:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan-PSW.OLE2.Stealer.gen
Link:
https://opentip.kaspersky.com/c0ccd705314d4c791edfee20ef9f99e056dc82775a42edd8653668a492b72a11/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1801824
Signature
Drops large PE files
Excessive usage of taskkill to terminate processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Obfuscated command line found
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive system registry key value via command line tool
Sigma detected: Capture Wi-Fi password
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1801824 Sample: VapeV4 2.1.1.msi Startdate: 25/10/2025 Architecture: WINDOWS Score: 100 61 ip-api.com 2->61 63 github.com 2->63 65 discord.com 2->65 83 Sigma detected: Capture Wi-Fi password 2->83 85 Sigma detected: Invoke-Obfuscation CLIP+ Launcher 2->85 87 Joe Sandbox ML detected suspicious sample 2->87 89 Sigma detected: Invoke-Obfuscation VAR+ Launcher 2->89 9 msiexec.exe 190 175 2->9         started        12 msiexec.exe 14 2->12         started        signatures3 process4 file5 53 C:\Users\user\AppData\Local\...\VapeV4.exe, PE32+ 9->53 dropped 55 C:\Users\user\AppData\Local\...\vulkan-1.dll, PE32+ 9->55 dropped 57 C:\Users\user\AppData\...\vk_swiftshader.dll, PE32+ 9->57 dropped 59 6 other files (none is malicious) 9->59 dropped 15 VapeV4.exe 11 9->15         started        111 Drops large PE files 12->111 signatures6 process7 dnsIp8 69 ip-api.com 208.95.112.1, 49721, 80 TUT-ASUS United States 15->69 71 github.com 140.82.116.4, 443, 49726 GITHUBUS United States 15->71 73 discord.com 162.159.138.232, 443, 49724, 49725 CLOUDFLARENETUS United States 15->73 49 C:\Users\user\AppData\...\cookies.sqlite-shm, data 15->49 dropped 51 C:\Users\user\AppData\Local\...\passwords.db, SQLite 15->51 dropped 75 Suspicious powershell command line found 15->75 77 Obfuscated command line found 15->77 79 Tries to harvest and steal browser information (history, passwords, etc) 15->79 81 2 other signatures 15->81 20 cmd.exe 1 15->20         started        23 powershell.exe 15->23         started        25 cmd.exe 15->25         started        27 83 other processes 15->27 file9 signatures10 process11 dnsIp12 91 Uses cmd line tools excessively to alter registry or file data 20->91 93 Uses netsh to modify the Windows network and firewall settings 20->93 95 Tries to harvest and steal WLAN passwords 20->95 30 conhost.exe 20->30         started        32 chcp.com 1 20->32         started        97 Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes) 23->97 99 Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes) 23->99 101 Queries memory information (via WMI often done to detect virtual machines) 23->101 34 conhost.exe 23->34         started        103 Queries sensitive system registry key value via command line tool 25->103 36 conhost.exe 25->36         started        38 reg.exe 25->38         started        67 chrome.cloudflare-dns.com 162.159.61.3, 443, 49722, 63014 CLOUDFLARENETUS United States 27->67 105 Excessive usage of taskkill to terminate processes 27->105 107 Loading BitLocker PowerShell Module 27->107 40 powershell.exe 27->40         started        43 taskkill.exe 1 27->43         started        45 taskkill.exe 1 27->45         started        47 108 other processes 27->47 signatures13 process14 signatures15 109 Loading BitLocker PowerShell Module 40->109
Score:
0%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/c0ccd705314d4c791edfee20ef9f99e056dc82775a42edd8653668a492b72a11
Gathering data
Verdict:
Malicious
Threat:
CloudSandbox.Malware.Generic
Link:
https://tip.neiki.dev/file/c0ccd705314d4c791edfee20ef9f99e056dc82775a42edd8653668a492b72a11
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ydgnobjrjvghshw75yqo7h4z4blnzatxljbo3wdfgzukjevxfiiq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery execution persistence privilege_escalation ransomware spyware stealer
Link:
https://tria.ge/reports/251025-y3pgnszqhm/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
Reads user/profile data of web browsers
System Network Configuration Discovery: Wi-Fi Discovery
Drops file in Windows directory
Executes dropped EXE
Hide Artifacts: Ignore Process Interrupts
Loads dropped DLL
Checks computer location settings
Enumerates processes with tasklist
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Command and Scripting Interpreter: PowerShell
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/fd93b87a-4de1-46b9-87a0-b7cff13d428c
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments