MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1337a268cbef02de9efecb3986e6f060dbb2e11ade32028da1e9528346a23e16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7



SHA256 hash: 1337a268cbef02de9efecb3986e6f060dbb2e11ade32028da1e9528346a23e16
SHA3-384 hash: 4fc49ea9ed3c5e3208b00695522489b505c0fc9aee9805a6b4685f85b9f64ba9d307f2f56e29179c3bc6153f129ee671
SHA1 hash: d6a788c7ff8d845d40fdc13416e17ec5bd102507
MD5 hash: 280f29b39b4d63f8e1b28bb8d890d86f
humanhash: black-illinois-washington-golf
File name: 4k9LUIn.msi
File size: 5'122'560 bytes
First seen: 2025-08-25 06:44:38 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 98304:BPfgQniPE093c+ClAI1v9O7to3RviOtQ14s2sjDV:xoQniPEaibZstGRvHI1DV
TLSH: T1ED36F01976940CADD8E64239846EF214AE31780D273C85DA4F763DF93E2AED0A3767C1
TrID: 86.8% (.MSI) Microsoft Windows Installer (454500/1/170)
      11.6% (.MST) Windows SDK Setup Transform script (61000/1/5)
      1.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: abuse_ch
Tags: msi signed

Code Signing Certificate

Organisation: PDQ.com Corporation
Issuer: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm: sha256WithRSAEncryption
Valid from: 2025-08-07T00:00:00Z
Valid to: 2028-09-21T23:59:59Z
Serial number: 067804e0ab0aa6f03d5381e3c238a748
Intelligence: 65 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 26baa107629cde6a41b32f7923451ad1355a3149cb0269ffafa1c48128b48ea3
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform
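As an added check (example code, not from MalwareBazaar, ReversingLabs or PDQ), the PowerShell below compares a local copy of the sample with what this entry publishes: the file SHA256, the signer organisation, the certificate serial number and the certificate thumbprint. The local path is an assumption; the expected values are the ones listed above. Because the entry labels the thumbprint algorithm SHA256, the script hashes the DER-encoded certificate itself instead of reading the SignerCertificate.Thumbprint property, which is SHA-1 and would never match.

```powershell
# Added example (not from MalwareBazaar): compare a downloaded copy of the sample with the
# Authenticode and hash values published on this entry.
# $SamplePath is an assumed local path; the $Expected values are copied from the entry above.
$SamplePath = 'C:\samples\4k9LUIn.msi'
$Expected = @{
    FileSha256 = '1337a268cbef02de9efecb3986e6f060dbb2e11ade32028da1e9528346a23e16'
    CertSha256 = '26baa107629cde6a41b32f7923451ad1355a3149cb0269ffafa1c48128b48ea3'
    CertSerial = '067804e0ab0aa6f03d5381e3c238a748'
    SignerOrg  = 'PDQ.com Corporation'
}

function Test-SampleIdentity {
    param([string]$Path, [hashtable]$Expected)

    # 1. The file hash must match the entry before the signature is worth reading at all;
    #    a different hash means a different file, whatever the signature says.
    $fileHash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()

    # 2. Authenticode verdict. 'Valid' means the chain built to a root this machine trusts
    #    and the signed hash matches the file; 'HashMismatch' or 'NotSigned' means the
    #    signature carries no information about origin.
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    $result = [ordered]@{
        FileSha256Matches = ($fileHash -eq $Expected.FileSha256)
        SignatureStatus   = $sig.Status.ToString()
        StatusMessage     = $sig.StatusMessage
    }

    if ($null -ne $cert) {
        # The entry's thumbprint algorithm is SHA256, so hash the DER certificate (RawData)
        # ourselves; $cert.Thumbprint is SHA-1 and is the wrong value to compare.
        $sha256 = [System.Security.Cryptography.SHA256]::Create()
        $certSha256 = -join ($sha256.ComputeHash($cert.RawData) | ForEach-Object { $_.ToString('x2') })
        $sha256.Dispose()

        $result.CertSha256Matches = ($certSha256 -eq $Expected.CertSha256)
        # SerialNumber is returned as upper-case hex without separators.
        $result.SerialMatches     = ($cert.SerialNumber.ToLower() -eq $Expected.CertSerial)
        $result.Subject           = $cert.Subject
        $result.SubjectOrgMatches = ($cert.Subject -match [regex]::Escape("O=$($Expected.SignerOrg)"))
        $result.Issuer            = $cert.Issuer
        $result.NotBefore         = $cert.NotBefore.ToUniversalTime()
        $result.NotAfter          = $cert.NotAfter.ToUniversalTime()
        # A countersignature timestamp is what keeps the signature valid after the
        # certificate expires or is revoked for a later date.
        $result.TimeStamped       = ($null -ne $sig.TimeStamperCertificate)
    }

    [pscustomobject]$result
}

Test-SampleIdentity -Path $SamplePath -Expected $Expected | Format-List
```

A SignatureStatus of Valid with all four comparisons true says only that this is the same file MalwareBazaar holds and that it carries a chain-valid signature from the certificate described above; the entry itself counts 65 samples signed with that certificate, so record the signer as an indicator rather than treating the signature as a verdict. If FileSha256Matches is false, stop: the copy is not this sample and nothing else in the output applies to it.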

Intelligence


File Origin
# of uploads: 1
# of downloads: 28
Origin country: SE
Vendor Threat Intelligence

Verdict: Malicious
Score: 92.5%
Tags: spawn

Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: lolbin obfuscated rundll32 signed threat wix

Verdict: Adware
File Type: msi
First seen: 2025-08-24T12:45:00Z UTC
Last seen: 2025-08-24T12:45:00Z UTC
Hits: ~10

Result
Threat name: n/a
Detection: malicious
Classification: troj.evad
Score: 92 / 100

Signature
Bypasses PowerShell execution policy
Changes security center settings (notifications, updates, antivirus, firewall)
Creates files in the system32 config directory
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Powershell drops PE file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries the IP of a very long domain name
Reads the Security eventlog
Reads the System eventlog
Behaviour

Behavior Graph (ID 1764272; sample 4k9LUIn.msi; start date 25/08/2025; architecture WINDOWS; score 92)

Network (DNS / IP):
  pdqinstallers.e9d69694c3d8f7465fd531512c22bd0f.r2.cloudflarestorage.com -> 162.159.141.50, port 443 (local port 49687), CLOUDFLARENETUS, United States; contacted by pdq-connect-agent.exe; signature: Queries the IP of a very long domain name
  websocket.app.pdq.com -> 34.54.45.198, port 443 (local ports 49686, 49689), ATGS-MMD-ASUS, United States; contacted by pdq-connect-agent.exe
  app.pdq.com (resolved)
  127.0.0.1 (unknown; contacted by one of the 11 other processes started at the top level)

Process tree (dropped files and signatures in parentheses):
  pdq-connect-agent.exe
    powershell.exe (drops C:\Windows\Temp\...\WimProvider.dll.mui, PE32; C:\Windows\Temp\...\VhdProvider.dll.mui, PE32; C:\Windows\Temp\...\UnattendProvider.dll.mui, PE32; 47 other malicious files; Loading BitLocker PowerShell Module; starts 2 other processes)
    powershell.exe (starts 12 other processes, among them 3 x conhost.exe and 8 other processes; Loading BitLocker PowerShell Module)
    powershell.exe (Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes); 2 other signatures; starts conhost.exe)
    18 other processes
      19 other processes (drop C:\Windows\Temp\cuwoyiks\cuwoyiks.dll, PE32; start cvtres.exe)
  msiexec.exe (158 80) (drops C:\Windows\Installer\MSIFF52.tmp, PE32+; C:\Windows\Installer\MSIFB5A.tmp, PE32+; C:\Windows\Installer\MSIF936.tmp, PE32+; 13 other malicious files)
    msiexec.exe (1)
      rundll32.exe (4 7) (drops 3 other malicious files; Reads the Security eventlog; Reads the System eventlog)
      2 other processes (drop C:\Windows\...\pdqconnectagent-setup.exe, PE32; C:\...\WixToolset.Dtf.WindowsInstaller.dll, PE32; C:\Windows\Installer\...\WixSharp.dll, PE32; 3 other malicious files; start sc.exe -> conhost.exe)
    msiexec.exe
      2 other processes (drop 5 other malicious files; Creates files in the system32 config directory)
    msiexec.exe
      2 other processes (drop C:\Windows\...\pdqconnectagent-setup.exe, PE32; 5 other malicious files)
  svchost.exe (Changes security center settings (notifications, updates, antivirus, firewall); starts MpCmdRun.exe -> conhost.exe)
  11 other processes

Signatures at sample level: Bypasses PowerShell execution policy; Joe Sandbox ML detected suspicious sample
Threat name: Binary.Trojan.Generic
Status: Suspicious
First seen: 2025-08-24 15:47:31 UTC
File Type: Binary (Archive)
Extracted files: 31
AV detection: 7 of 38 (18.42%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: defense_evasion execution persistence privilege_escalation ransomware
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Command and Scripting Interpreter: PowerShell
Event Triggered Execution: Installer Packages
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Launches sc.exe
Loads dropped DLL
Drops file in System32 directory
Badlisted process makes network request
Enumerates connected drives
Modifies trusted root certificate store through registry
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_AllMal_Detector
Author:DiegoAnalytics
Description:CrossPlatform All Malwares Detector: Detect PE, ELF, Mach-O, scripts, archives; overlay, obfuscation, encryption, spoofing, hiding, high entropy, network communication
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:FreddyBearDropper
Author:Dwarozh Hoshiar
Description: Freddy Bear Dropper drops malware through a base64-encoded PowerShell script.
Rule name:NET
Author:malware-lu
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  Microsoft Software Installer (MSI) msi 1337a268cbef02de9efecb3986e6f060dbb2e11ade32028da1e9528346a23e16 (this sample)

Delivery method: Distributed via web download

Comments