MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b372092abd1c44a679af5d619466dc5a6092726af540ac5cb8936a345075810. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1b372092abd1c44a679af5d619466dc5a6092726af540ac5cb8936a345075810
SHA3-384 hash: 3e7980ee67d17ceca0960afe7e0daef51076f311d5789debb68e46cfffc051914d1bae78e923f59b8edc17fa4ad7471a
SHA1 hash: b399441bcaa1d47ea07a69a05f6b8ca1c9bbe3a9
MD5 hash: bf972afc4f06c0bcf0065af53c1021c5
humanhash: jig-cold-nevada-texas
File name:5aba4745e080f54e.msi
Download: download sample
File size:573'440 bytes
First seen:2025-12-14 07:40:26 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 12288:AFi33Ey8NpmC/U92stSuxqhaXrkQE3r1AZR5K56VbIu:f33EJpqtHxqhaXrPnZRY5a
TLSH T174C4235838B35B37D81B0A7E050947F99765FC917F32C90B3489B26E9DBAF1149F88A0
TrID 86.8% (.MSI) Microsoft Windows Installer (454500/1/170)
11.6% (.MST) Windows SDK Setup Transform script (61000/1/5)
1.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter abuse_ch
Tags:103-27-157-60 msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
29
Origin country :
SE SE
Vendor Threat Intelligence
Malware configuration found for:
MSI
Details
MSI
an embedded setup program or component
Link:
https://research.acce.ciphertechsolutions.com/results/eae34128-8d01-4623-808d-2e1ee83bbb17/
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/44599/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.78068626.5309.10844.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=693d8eb3a62a7a3aa04699b5
Tags:
trojan shell agent
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/1b372092abd1c44a679af5d619466dc5a6092726af540ac5cb8936a345075810
Result
Verdict:
SUSPICIOUS
Link:
https://labs.inquest.net/dfi/sha256/1b372092abd1c44a679af5d619466dc5a6092726af540ac5cb8936a345075810
Verdict:
Clean
File Type:
msi
First seen:
2025-12-13T13:42:00Z UTC
Last seen:
2025-12-13T14:03:00Z UTC
Hits:
~10
Link:
https://opentip.kaspersky.com/1b372092abd1c44a679af5d619466dc5a6092726af540ac5cb8936a345075810/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1832377
Signature
AI detected malicious Powershell script
Bypasses PowerShell execution policy
Found suspicious powershell code related to unpacking or dynamic code loading
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Performs DNS queries to domains with low reputation
Powershell creates an autostart link
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Powershell create lnk in startup
Sigma detected: Powerup Write Hijack DLL
Suspicious powershell command line found
Unusual module load detection (module proxying)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1832377 Sample: 5aba4745e080f54e.msi Startdate: 14/12/2025 Architecture: WINDOWS Score: 100 49 w2socks.xyz 2->49 51 nodejs.org 2->51 57 Malicious sample detected (through community Yara rule) 2->57 59 Sigma detected: Powershell create lnk in startup 2->59 61 Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE 2->61 65 3 other signatures 2->65 11 msiexec.exe 76 36 2->11         started        13 powershell.exe 11 2->13         started        15 svchost.exe 1 1 2->15         started        18 msiexec.exe 3 2->18         started        signatures3 63 Performs DNS queries to domains with low reputation 49->63 process4 dnsIp5 20 cmd.exe 1 11->20         started        23 wscript.exe 11->23         started        25 cmd.exe 13->25         started        27 conhost.exe 13->27         started        55 127.0.0.1 unknown unknown 15->55 process6 signatures7 67 Suspicious powershell command line found 20->67 69 Bypasses PowerShell execution policy 20->69 29 powershell.exe 22 1002 20->29         started        33 conhost.exe 20->33         started        35 node.exe 25->35         started        process8 dnsIp9 53 nodejs.org 104.20.1.252, 443, 49692 CLOUDFLARENETUS United States 29->53 75 Found suspicious powershell code related to unpacking or dynamic code loading 29->75 77 Powershell creates an autostart link 29->77 79 Loading BitLocker PowerShell Module 29->79 37 node.exe 1 29->37         started        40 setx.exe 1 29->40         started        signatures10 process11 signatures12 71 Suspicious powershell command line found 37->71 73 Unusual module load detection (module proxying) 37->73 42 powershell.exe 15 37->42         started        process13 file14 47 C:\Users\user\AppData\Roaming\...\Loader.lnk, MS 42->47 dropped 45 conhost.exe 42->45         started        process15
Score:
99%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/1b372092abd1c44a679af5d619466dc5a6092726af540ac5cb8936a345075810
Verdict:
Malware
YARA:
5 match(es)
Tags:
CAB:COMPRESSION:MSZIP DeObfuscated Office Document PowerShell
Link:
https://app.malva.re/file/bf972afc4f06c0bcf0065af53c1021c5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1b372092abd1c44a679af5d619466dc5a6092726af540ac5cb8936a345075810/
Verdict:
Clean
Link:
https://tip.neiki.dev/file/1b372092abd1c44a679af5d619466dc5a6092726af540ac5cb8936a345075810
Threat name:
Win32.Trojan.Malgent
Create hunting rule
Status:
Malicious
First seen:
2025-12-13 16:05:09 UTC
File Type:
Binary (Archive)
Extracted files:
2
AV detection:
5 of 24 (20.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dm3sbevl2hceuz426xlbsrtnywtasjzgv5kavrolre3kgrihlaia._file
Result
Malware family:
n/a
Score:
  10/10
Tags:
defense_evasion execution persistence privilege_escalation ransomware
Link:
https://tria.ge/reports/251214-jhsw2aslhm/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
Drops file in Windows directory
Enumerates connected drives
Hide Artifacts: Hidden Window
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Malware Config
Dropper Extraction:
https://nodejs.org/dist/v22.16.0/node-v22.16.0-win-x64.zip
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/4b910eb8-a607-4bed-86ac-4a12f21daca7
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1b372092abd1c44a679af5d619466dc5a6092726af540ac5cb8936a345075810

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:PowerShell_in_Word_Doc_RID2FBC
Create hunting rule
Author:Florian Roth
Description:Detects a powershell and bypass keyword in a Word document
Reference:Internal Research - ME
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Microsoft Software Installer (MSI) msi 1b372092abd1c44a679af5d619466dc5a6092726af540ac5cb8936a345075810

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3733103/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/44599/

Comments