MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 066d9b1ea812e5cac61c8cdf00cb0770c9f2c5d4062e60c5924927b0a619e998. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 066d9b1ea812e5cac61c8cdf00cb0770c9f2c5d4062e60c5924927b0a619e998
SHA3-384 hash: 79d40aaa65cd508362bd3d4498aaf8a0865be8e73fc3a569dbdd801bfcc99da9d13942093cb9480cb43463f66a8ed808
SHA1 hash: 6e33044a610c9b597cbcd063af4aee7c5a95b0a1
MD5 hash: 4e6c82498fc01171484f7ecd3a292af1
humanhash: lithium-double-oregon-mango
File name:ta.msi
Download: download sample
File size:11'890'688 bytes
First seen:2025-03-23 06:52:57 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 196608:Zc64YsQHrULB/kNYzL0JJZP+QH4iVdpqUgQucSJEGDmpUxNe3WvMkdN1L4:ZD4jCUVsNiIJJR+Vm9ukamYHH
TLSH T157C633A07789CB39C29B553B8ABF4759A6366D700B24C0CBB38074197E70BD352FA749
TrID 98.2% (.MSI) Microsoft Windows Installer (454500/1/170)
1.7% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter JAMESWT_WT
Tags:msi WsgiDAV

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
IT IT
Vendor Threat Intelligence
Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67e194e0bb84e066269e8541
Tags:
shellcode virus spawn
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
crypto expand fingerprint fingerprint installer keylogger lolbin packed wix
Link:
https://www.filescan.io/uploads/67dfafdae05c48ec61e654d5/reports/6531dc35-35e8-4e88-ae86-dd9bfdf43f69/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/066d9b1ea812e5cac61c8cdf00cb0770c9f2c5d4062e60c5924927b0a619e998
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/066d9b1ea812e5cac61c8cdf00cb0770c9f2c5d4062e60c5924927b0a619e998
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1646041
Signature
Multi AV Scanner detection for dropped file
Opens network shares
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1646041 Sample: ta.msi Startdate: 23/03/2025 Architecture: WINDOWS Score: 52 59 Multi AV Scanner detection for dropped file 2->59 10 msiexec.exe 86 32 2->10         started        13 msiexec.exe 5 2->13         started        process3 file4 53 C:\Windows\Installer\MSIC3C2.tmp, PE32 10->53 dropped 55 C:\Windows\Installer\MSIC18F.tmp, PE32 10->55 dropped 57 C:\Windows\Installer\MSI99A2.tmp, PE32 10->57 dropped 15 msiexec.exe 5 10->15         started        process5 process6 17 ta.exe 65 15->17         started        20 expand.exe 4 15->20         started        22 icacls.exe 1 15->22         started        24 2 other processes 15->24 file7 41 C:\Users\user\AppData\...\win32trace.pyd, PE32+ 17->41 dropped 43 C:\Users\user\AppData\...\win32event.pyd, PE32+ 17->43 dropped 45 C:\Users\user\AppData\Local\...\win32api.pyd, PE32+ 17->45 dropped 51 57 other malicious files 17->51 dropped 26 ta.exe 5 17->26         started        47 C:\Users\user\AppData\Local\...\ta.exe (copy), PE32+ 20->47 dropped 49 C:\...\483a929f349a8c4384eae923437d123a.tmp, PE32+ 20->49 dropped 28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        32 conhost.exe 24->32         started        34 conhost.exe 24->34         started        process8 process9 36 cmd.exe 1 26->36         started        signatures10 61 Opens network shares 36->61 39 conhost.exe 36->39         started        process11
Score:
98%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/066d9b1ea812e5cac61c8cdf00cb0770c9f2c5d4062e60c5924927b0a619e998
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/066d9b1ea812e5cac61c8cdf00cb0770c9f2c5d4062e60c5924927b0a619e998/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-03-21 18:36:49 UTC
File Type:
Binary (Archive)
Extracted files:
1483
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=azwzwhvicls4vrq4rtpqbsyhode7frouayxgbrmsjet3bjqz5gma._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence privilege_escalation pyinstaller
Link:
https://tria.ge/reports/250323-hnpacsswgx/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Detects Pyinstaller
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Enumerates connected drives
Modifies file permissions
Gathering data
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/066d9b1ea812e5cac61c8cdf00cb0770c9f2c5d4062e60c5924927b0a619e998

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Microsoft Software Installer (MSI) msi 066d9b1ea812e5cac61c8cdf00cb0770c9f2c5d4062e60c5924927b0a619e998

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3486977/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/3487586/
  
URLhaus
https://urlhaus.abuse.ch/url/3487591/

Comments