MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f606ca7af47c6ecc38a8ed0a8fd7e060c8c1bcad563185c8245e70516e5229d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

GenesisStealer

Vendor detections: 9

SHA256 hash: f606ca7af47c6ecc38a8ed0a8fd7e060c8c1bcad563185c8245e70516e5229d6
SHA3-384 hash: d4a7184a7e959e93dc57b568d921b96584471b6390d180c6dbf102737b5ae486c5a5cd81ae62fdcb1874c978e62f08d9
SHA1 hash: a0dde5c50e11627a77295b5e4eb8792a65379c27
MD5 hash: e6ea94c2ce441b8f790829f43ab76661
humanhash: jig-pip-delta-neptune
File name: Verse_Loader 2.1.1.msi
Signature: GenesisStealer
File size: 99'037'184 bytes
First seen: 2025-11-15 09:01:14 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 1572864:ByzT88LByZbsZLeg8bh2wOcFRL4wYOpeKVzsx/E3+L51E3kE7UKRS6S4I6dhlI3I:B0T88L8bsxUbUtKp3zsxjbuUKRSsI2GO
Threatray: 86 similar samples on MalwareBazaar
TLSH: T16328338E2B0F554EE5288FFF97B74B03BEB56E439D422417D611B88EB476B2C014E885
TrID: 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
      10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
      7.8% (.MSP) Windows Installer Patch (44509/10/5)
      1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: burger
Tags: GenesisStealer msi

Intelligence


File Origin
# of uploads: 1
# of downloads: 42
Origin country: NL
Vendor Threat Intelligence
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug crypto fingerprint installer installer wix
Verdict: Malicious
File Type: msi
First seen: 2025-11-15T06:09:00Z UTC
Last seen: 2025-11-15T06:21:00Z UTC
Hits: ~10
Detections: HEUR:Trojan-PSW.Script.Generic
Result
Threat name: Genesis Stealer
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Adds a directory exclusion to Windows Defender
Attempt to bypass Chrome Application-Bound Encryption
Detected Genesis Stealer
Disables security and backup related services
Disables Windows Defender (via service or powershell)
Drops large PE files
Excessive usage of taskkill to terminate processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Modifies Windows Defender protection settings
Obfuscated command line found
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive system registry key value via command line tool
Sigma detected: Capture Wi-Fi password
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Potential Data Stealing Via Chromium Headless Debugging
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Suspicious Windows Service Tampering
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Unusual module load detection (module proxying)
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Behaviour
Behavior Graph (image): Behavior Graph ID 1814601, Sample: Verse_Loader 2.1.1.msi, Startdate: 15/11/2025, Architecture: WINDOWS, Score: 100
Result
Malware family: n/a
Score: 10/10
Tags: credential_access defense_evasion discovery execution persistence privilege_escalation ransomware spyware stealer trojan
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
Program crash
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Loads dropped DLL
Checks installed software on the system
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Hide Artifacts: Ignore Process Interrupts
Launches sc.exe
Checks computer location settings
Enumerates processes with tasklist
Adds Run key to start application
Badlisted process makes network request
Disables one or more Microsoft Defender components
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Command and Scripting Interpreter: PowerShell
Uses browser remote debugging
Windows security bypass
Verdict: Suspicious
Tags: n/a
YARA: n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments