MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 220d1e32ac49f03b4fbfba8e3f8f7f04a0aec81466f3877d22e0471540ea41bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 9



SHA256 hash: 220d1e32ac49f03b4fbfba8e3f8f7f04a0aec81466f3877d22e0471540ea41bd
SHA3-384 hash: 491a6472197ca39d8590f1ee3885d9a1beb85ff7eb2066d14f1918e5c8e5075a0b7ce1d801de823244baeebfb97b2844
SHA1 hash: 8324bbec627667dedb3b10942d4ba14899b9031e
MD5 hash: cc8e040f1bf728a9083135e601f86ab4
humanhash: crazy-avocado-rugby-single
File name: UXVRUZMQ.msi
Download: download sample
File size: 4'972'544 bytes
First seen: 2025-04-08 09:23:22 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 98304:uy0/3pEgfdTT+ibk/8CmeuUTGfMrPogBJXfWFMpThJOdd/vG8LkGm:uD3pdf9+ibWL1unkP7BJXffhJOdVGMkz
TLSH: T165363346F6A04924C0251B7CE8938CBBE52E7D217E5FD0A71886F1CA5F36017BD7A683
TrID: 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
      11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: abuse_ch
Tags: msi

Intelligence


File Origin
# of uploads: 1
# of downloads: 84
Origin country: NL

Vendor Threat Intelligence

Verdict: Malicious
Score: 90.2%
Tags: ransomware infosteal shell sage

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: expired-cert installer wix

Result
Threat name: n/a
Detection: malicious
Classification: spyw.expl.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Creates an autostart registry key pointing to binary in C:\Windows
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Writes to foreign memory regions
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph ID: 1659193, Sample: UXVRUZMQ.msi, Startdate: 08/04/2025, Architecture: WINDOWS, Score: 100

Process tree (from the behavior graph):

Sample UXVRUZMQ.msi
  DNS/IP: uno-cdn-update.buzz; medoloki9.shop; 3 other IPs or domains
  Signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected UAC Bypass using CMSTP; Joe Sandbox ML detected suspicious sample
  Started: DDMService.exe; steamerrorreporter.exe; msedge.exe; 10 other processes
    DDMService.exe
      Dropped: C:\Users\user\AppData\Local\...\ReaderTls.exe (PE32+); C:\Users\user\AppData\Local\Temp\lxpav (PE32+)
      Signatures: Found hidden mapped module (file has been removed from disk); Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
      Started: ReaderTls.exe; cmd.exe; cmd.exe
        ReaderTls.exe
          DNS/IP: uno-cdn-update.buzz 104.21.32.217, 443, 49699, 49700, CLOUDFLARENETUS, United States; medoloki9.shop 172.67.148.218, 443, 49702, CLOUDFLARENETUS, United States
          Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc); 5 other signatures
          Started: chrome.exe; msedge.exe
            chrome.exe
              DNS/IP: 192.168.2.13, unknown; 192.168.2.5, 138, 443, 49387, unknown
              Signatures: Found many strings related to Crypto-Wallets (likely being stolen)
              Started: chrome.exe; chrome.exe
                chrome.exe
                  DNS/IP: www.google.com 142.251.41.4, 443, 49708, 49711, GOOGLEUS, United States; plus.l.google.com; 5 other IPs or domains
            msedge.exe
              Started: msedge.exe
        cmd.exe
          Signatures: Switches to a custom stack to bypass stack traces
          Started: Acrobat.exe; conhost.exe
            Acrobat.exe
              Started: AcroCEF.exe
                AcroCEF.exe
                  Started: AcroCEF.exe
        cmd.exe
          Started: conhost.exe
    steamerrorreporter.exe
      Dropped: C:\Users\user\AppData\Local\...\odywlepkvdxs (PE32+)
      Started: cmd.exe
        cmd.exe
          DNS/IP: cdn-upload-files.buzz 104.21.112.1, 49824, 80, CLOUDFLARENETUS, United States
          Signatures: Creates an autostart registry key pointing to binary in C:\Windows
    msedge.exe
      DNS/IP: 239.255.255.250, unknown, Reserved
      Started: msedge.exe; msedge.exe; msedge.exe
        msedge.exe
          DNS/IP: sb.scorecardresearch.com 18.164.96.18, 443, 49754, 49764, MIT-GATEWAYSUS, United States; ax-0003.ax-msedge.net 150.171.28.12, 443, 49750, MICROSOFT-CORP-MSN-AS-BLOCKUS, United States; 32 other IPs or domains
Result
Malware family: n/a
Score: 6/10
Tags: discovery persistence privilege_escalation spyware stealer
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates connected drives
Verdict: Suspicious
Tags: n/a
YARA: n/a

Malware family: HijackLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: pe_detect_tls_callbacks

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Microsoft Software Installer (MSI) msi 220d1e32ac49f03b4fbfba8e3f8f7f04a0aec81466f3877d22e0471540ea41bd (this sample)

Delivery method: Distributed via web download

Comments