MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f8bdace0b997d4360731fd8bb9fde8d201fcd9d090a8c5be31617e881bd4ec7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments

SHA256 hash: 0f8bdace0b997d4360731fd8bb9fde8d201fcd9d090a8c5be31617e881bd4ec7
SHA3-384 hash: 6eb916a6477b735a2b664425177db130172bd58a7351e15784e3eddd46fefb96d3c914500d796197a3eb469baed61d68
SHA1 hash: c555ec0b942672428ed54098c3cb5475df55ff74
MD5 hash: 526d72f92d4b5d7a591d4c6722cf8ddc
humanhash: eighteen-oklahoma-robin-salami
File name:ZA_Access_My_Department.msi
Download: download sample
File size:30'926'336 bytes
First seen:2026-07-02 11:49:55 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 786432:vNWZbpSLD/BhvSbzWUPK+DvELDQVxnSDXTm7:vN6b4/nEWS5DvFVNSnm
TLSH T19C6733E81DDECF26DB83ACB18267395C91F2EC5A49645418F378F838A4B76E0D370946
TrID 89.6% (.MSI) Microsoft Windows Installer (454500/1/170)
8.7% (.MSP) Windows Installer Patch (44509/10/5)
1.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter skocherhan
Tags:msi pub-b81078cffc6d471e9d2d977de133536e-r2-dev


Avatar
skocherhan
https://pub-b81078cffc6d471e9d2d977de133536e.r2.dev/ZA_Access_My_Department.msi

Intelligence


File Origin
# of uploads :
1
# of downloads :
56
Origin country :
GB GB
Vendor Threat Intelligence
Gathering data
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug crypto fingerprint keylogger reconnaissance signed wix
Verdict:
Adware
File Type:
msi
Detections:
RemoteAdmin.Zoho.UDP.C&C
Gathering data
Result
Malware family:
n/a
Score:
  8/10
Tags:
adware discovery persistence privilege_escalation ransomware spyware
Behaviour
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Badlisted process makes network request
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Boot or Logon Autostart Execution: Active Setup
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:NET
Author:malware-lu
Rule name:test_rule_vldslv

File information


The table below shows additional information about this malware sample such as delivery method and external references.

aa8564316137d9f056d87960d2ca3294

Microsoft Software Installer (MSI) msi 0f8bdace0b997d4360731fd8bb9fde8d201fcd9d090a8c5be31617e881bd4ec7

(this sample)

  
Dropped by
MD5 aa8564316137d9f056d87960d2ca3294

Comments