MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a7c72849e8a0251d3e9abfd87330d9e9c3b3ea70fea73cbfbf0e4387cb67551. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a7c72849e8a0251d3e9abfd87330d9e9c3b3ea70fea73cbfbf0e4387cb67551
SHA3-384 hash: edaed86788f53a162049de20cea2680737674b6b1bfe289f15ff44a9594555923b44b30da41c420af4f5c695f8cb58fb
SHA1 hash: cc3b44a44eead1164432ed18e76e2bb935e97805
MD5 hash: bda928c68502d92d9d831b14060b8290
humanhash: sweet-football-india-echo
File name:SecuriteInfo.com.W32.Rugmi.APQ.tr.dldr.23786.13680
Download: download sample
File size:9'240'576 bytes
First seen:2025-03-02 18:19:00 UTC
Last seen:2025-03-02 19:16:50 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 196608:aRlOirKF7b+O9I+nHJGn9Q04Uz7lX2/fThYhO2cFM:afOir03+Ozpc9Q0TifTSh6
TLSH T1EF9633A27CDE4B1BC8790B35ABCAFA5132E4BCC7C545325F23387AAD3A355312AB0554
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter SecuriteInfoCom
Tags:msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
98
Origin country :
FR FR
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.W32.Rugmi.APQ.tr.dldr.23786.13680.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67c4a1aec668b65489be6cf7
Tags:
shellcode virus remo
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context crypto fingerprint installer keylogger packed wix
Link:
https://www.filescan.io/uploads/67c4a11f3c5f644bd93f0e47/reports/2329004c-2e89-4036-b6f7-96600d4a91a9/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/1a7c72849e8a0251d3e9abfd87330d9e9c3b3ea70fea73cbfbf0e4387cb67551
Result
Verdict:
SUSPICIOUS
Link:
https://labs.inquest.net/dfi/sha256/1a7c72849e8a0251d3e9abfd87330d9e9c3b3ea70fea73cbfbf0e4387cb67551
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1627586
Signature
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1627586 Sample: SecuriteInfo.com.W32.Rugmi.... Startdate: 02/03/2025 Architecture: WINDOWS Score: 72 64 ingovate-now.site 2->64 76 Multi AV Scanner detection for submitted file 2->76 78 Joe Sandbox ML detected suspicious sample 2->78 11 msiexec.exe 79 39 2->11         started        14 RoboTaskLite.exe 1 2->14         started        17 msiexec.exe 3 2->17         started        signatures3 process4 file5 58 C:\Users\user\AppData\Local\...\vcl280.bpl, PE32 11->58 dropped 60 C:\Users\user\AppData\...\RoboTaskLite.exe, PE32 11->60 dropped 62 C:\Users\user\AppData\Local\...\rtl280.bpl, PE32 11->62 dropped 19 RoboTaskLite.exe 6 11->19         started        96 Maps a DLL or memory area into another process 14->96 98 Found direct / indirect Syscall (likely to bypass EDR) 14->98 23 cmd.exe 14->23         started        signatures6 process7 file8 50 C:\Users\user\AppData\Roaming\...\vcl280.bpl, PE32 19->50 dropped 52 C:\Users\user\AppData\Roaming\...\rtl280.bpl, PE32 19->52 dropped 54 C:\Users\user\AppData\...\RoboTaskLite.exe, PE32 19->54 dropped 80 Switches to a custom stack to bypass stack traces 19->80 82 Found direct / indirect Syscall (likely to bypass EDR) 19->82 25 RoboTaskLite.exe 1 19->25         started        56 C:\Users\user\AppData\Local\Temp\afbpgqjbn, PE32+ 23->56 dropped 84 Writes to foreign memory regions 23->84 86 Maps a DLL or memory area into another process 23->86 28 ToolSecurityBvg.exe 23->28         started        30 conhost.exe 23->30         started        signatures9 process10 signatures11 90 Maps a DLL or memory area into another process 25->90 92 Switches to a custom stack to bypass stack traces 25->92 94 Found direct / indirect Syscall (likely to bypass EDR) 25->94 32 cmd.exe 5 25->32         started        36 WerFault.exe 4 21 28->36         started        process12 file13 46 C:\Users\user\AppData\Local\Temp\clk, PE32+ 32->46 dropped 48 C:\Users\user\AppData\...\ToolSecurityBvg.exe, PE32+ 32->48 dropped 68 Writes to foreign memory regions 32->68 70 Found hidden mapped module (file has been removed from disk) 32->70 72 Maps a DLL or memory area into another process 32->72 74 Switches to a custom stack to bypass stack traces 32->74 38 ToolSecurityBvg.exe 32->38         started        42 conhost.exe 32->42         started        signatures14 process15 dnsIp16 66 ingovate-now.site 188.114.97.3, 443, 49935, 49992 CLOUDFLARENETUS European Union 38->66 88 Found direct / indirect Syscall (likely to bypass EDR) 38->88 44 WerFault.exe 19 16 38->44         started        signatures17 process18
Score:
13%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/1a7c72849e8a0251d3e9abfd87330d9e9c3b3ea70fea73cbfbf0e4387cb67551
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1a7c72849e8a0251d3e9abfd87330d9e9c3b3ea70fea73cbfbf0e4387cb67551/
Threat name:
Win32.Trojan.Rugmi
Create hunting rule
Status:
Malicious
First seen:
2025-02-28 22:41:14 UTC
File Type:
Binary (Archive)
Extracted files:
194
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dj6hfbe6ribfdu7jvp6yomynt2odwpvhb7vhhs736dsdq7fwoviq._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery persistence privilege_escalation
Link:
https://tria.ge/reports/250302-wyafvaz1d1/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates connected drives
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/bae57f6e-624b-49e4-a6cc-cdd39e05916b
Malware family:
HijackLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/1a7c72849e8a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1a7c72849e8a0251d3e9abfd87330d9e9c3b3ea70fea73cbfbf0e4387cb67551

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Suspicious_Latam_MSI_and_ZIP_Files
Create hunting rule
Author:eremit4, P4nd3m1cb0y
Description:Detects suspicious .msi and .zip files used in Latam banking trojan campaigns.
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments