MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 13c1c521c750eba944d9961b8c35c9ca2f98f60c4cadbd764a6784f714c05373. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 8

SHA256 hash: 13c1c521c750eba944d9961b8c35c9ca2f98f60c4cadbd764a6784f714c05373
SHA3-384 hash: 101a0abe945325bb17d0d58dc68bf6b02315c3e8a427872a411777e940ad52dcc6d9231e648c26e29cd6d38b06b3785d
SHA1 hash: aee65cc1f2f65072d43e0c9665f08130960f7498
MD5 hash: 2e2b0f4e0fa7d2d224901bfbbe6d3f27
humanhash: twenty-oxygen-island-oxygen
File name: AOJREEKN.msi
File size: 7'892'992 bytes
First seen: 2025-04-09 12:10:22 UTC
Last seen: 2025-04-09 12:24:44 UTC
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 196608:xu80D360g341HKWO8ZWIISxBo3uiSXOlxFPJx+oYk7Tn:xun+X3bWpWQxBclxFPaSn
Threatray: 87 similar samples on MalwareBazaar
TLSH: T12C8633796DE4D26BE177E2B1A6754A889ABCBD3993409C0B2A6D3DFEC4740E110C7D0C
TrID: 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5); 11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: JAMESWT_WT
Tags: booking cdn-jsdelivr-net msi pcnoworlater-live

Intelligence

File Origin
# of uploads: 2
# of downloads: 81
Origin country: IT

Vendor Threat Intelligence
Verdict: Malicious
Score: 81.4%
Tags: shellcode spawn micro

Verdict: Unknown
Threat level: 2.5/10
Confidence: 100%
Tags: installer wix
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: n/a
Detection: malicious
Classification: spyw.evad
Score: 100 / 100
Signature:
Allocates memory in foreign processes
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Maps a DLL or memory area into another process
PE file has a writeable .text section
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Writes to foreign memory regions
Behaviour
Behavior Graph: [graph rendering not reproduced] Behavior Graph ID: 1660716, Sample: AOJREEKN.msi, Startdate: 09/04/2025, Architecture: WINDOWS, Score: 100
Result
Malware family: n/a
Score: 6/10
Tags: discovery persistence privilege_escalation spyware stealer
Behaviour:
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates connected drives
Verdict: Suspicious
Tags: n/a
YARA: n/a

Malware family: HijackLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: Microsoft Software Installer (MSI) msi 13c1c521c750eba944d9961b8c35c9ca2f98f60c4cadbd764a6784f714c05373 (this sample)

Delivery method: Distributed via web download

Comments