MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2cbafc607c5d38a891ab89799f98b6b754b519706eb6597e4c4f2d4f6fc5db21. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2cbafc607c5d38a891ab89799f98b6b754b519706eb6597e4c4f2d4f6fc5db21
SHA3-384 hash: 54aab25f83266fbef368608a130806d09da0f251e1153445ac645b459822eaef748b03633512c3cd61119ad9faad1839
SHA1 hash: 5ffe175d9cf457d61cda71e0974e57e3dfe1b77e
MD5 hash: bc7b9acee0db48efa0a9bc795fa4ec5c
humanhash: robin-social-lemon-delaware
File name:installer2.msi
Download: download sample
File size:17'068'032 bytes
First seen:2026-01-16 19:10:08 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 393216:0OI7iAOCTM/Pc2l7mREWbFSAv9c97mqdlK66kp:0OwJM/VZisCc9Xdk
TLSH T16907338EF4DA2AB7C9C35BB9C216991E932C3DB21E40C5DEE62432709CF00F5A6F6545
TrID 86.8% (.MSI) Microsoft Windows Installer (454500/1/170)
11.6% (.MST) Windows SDK Setup Transform script (61000/1/5)
1.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter abuse_ch
Tags:banker msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
42
Origin country :
CH CH
Vendor Threat Intelligence
Malware configuration found for:
MSI
Details
MSI
an embedded setup program or component
Link:
https://research.acce.ciphertechsolutions.com/results/0a970f72-65d9-4f94-8b0b-c1d9f802c1ca/
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/49122/
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=696a7fd5ef906a21abcdcd61
Tags:
shellcode backdoor dropper
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug fingerprint installer installer keylogger obfuscated
Link:
https://www.filescan.io/uploads/696a8d3c584f1963ad57a9d8/reports/577186d5-8d2c-4a26-82a1-57ffb12ba8b1/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/2cbafc607c5d38a891ab89799f98b6b754b519706eb6597e4c4f2d4f6fc5db21
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/2cbafc607c5d38a891ab89799f98b6b754b519706eb6597e4c4f2d4f6fc5db21
Verdict:
Malicious
File Type:
msi
First seen:
2026-01-16T16:38:00Z UTC
Last seen:
2026-01-17T09:03:00Z UTC
Hits:
~10
Detections:
Trojan-Banker.Win32.Agent.sba HEUR:Trojan.Script.Generic Trojan-Banker.Agent.HTTP.C&C
Link:
https://opentip.kaspersky.com/2cbafc607c5d38a891ab89799f98b6b754b519706eb6597e4c4f2d4f6fc5db21/results?tab=lookup
Result
Threat name:
Brazilian Banker
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1852265
Signature
Multi AV Scanner detection for submitted file
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected Brazilian Banker
Behaviour
Behavior Graph:
Download SVG
Score:
56%
Verdict:
Susipicious
File Type:
ARCHIVE
Link:
https://malprob.io/report/2cbafc607c5d38a891ab89799f98b6b754b519706eb6597e4c4f2d4f6fc5db21
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2cbafc607c5d38a891ab89799f98b6b754b519706eb6597e4c4f2d4f6fc5db21/
Verdict:
Malicious
Threat:
Trojan-Banker.Win32.Agent
Link:
https://tip.neiki.dev/file/2cbafc607c5d38a891ab89799f98b6b754b519706eb6597e4c4f2d4f6fc5db21
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fs5pyyd4lu4krenlrf4z7gfww5klkglqn23fs7smj4wu636f3mqq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence privilege_escalation ransomware spyware stealer
Link:
https://tria.ge/reports/260116-xvpxsset5c/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Checks installed software on the system
Enumerates connected drives
Looks up external IP address via web service
Executes dropped EXE
Reads user/profile data of web browsers
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/01508566-661f-4367-9fe8-e969b901c45c
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2cbafc607c5d38a891ab89799f98b6b754b519706eb6597e4c4f2d4f6fc5db21

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Visual Basic Script (vbs) vbs 9ca066cbd40b0c99d1059467d61501e95900ce3fb0ce197736048dc5d05606d4

zip 614ba1acb334bf24a690ec2b75bd749baa05095cf2faf86a93d49ce69fad57bd

Microsoft Software Installer (MSI) msi 2cbafc607c5d38a891ab89799f98b6b754b519706eb6597e4c4f2d4f6fc5db21

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3759148/
  
Dropped by
MD5 620f2d3525d119276acef8b8deba4422
  
Dropped by
SHA256 614ba1acb334bf24a690ec2b75bd749baa05095cf2faf86a93d49ce69fad57bd
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/49122/

Comments