MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3a18903de7d866ad270c41b47c95940142e0aee6badc2e76ae770f61b769affb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3a18903de7d866ad270c41b47c95940142e0aee6badc2e76ae770f61b769affb
SHA3-384 hash: 579c69cac692e81b87d3a3b8f0c1dc91874f4708d4f91a25724abbec29a522149f0d2dd30c252dc352b2c3d8bfd77c04
SHA1 hash: 02376a9f4f7b46476d0c8b4d89702239d875908a
MD5 hash: 12dd6e839ec40a044e02c652737f8003
humanhash: lithium-ohio-steak-eleven
File name:msi (21).msi
Download: download sample
File size:4'878'336 bytes
First seen:2025-04-09 13:14:15 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:liEwU8fq3X4PaT7+vfjwcRRBFa1oTn/lLkiLuMihGVwk:liumq4PaunEcLLfTnR7XaGVwk
TLSH T1D3363364B59AE33FCDC7D639C09258D4C74EDD56DFCF0F422204F6A2267522F26889A8
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter JAMESWT_WT
Tags:bestieslos-com cdn-jsdelivr-net msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
IT IT
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/1357/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67f675e571beff15dcce2bdc
Tags:
shellcode spawn micro
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
installer wix
Link:
https://www.filescan.io/uploads/67f672e52d430c849e0f3e47/reports/cd08e472-0103-45c2-9860-5e32403031d2/overview
Verdict:
Suspicious
Labled as:
Generik.GKRLTVC trojan
Link:
https://www.hybrid-analysis.com/sample/3a18903de7d866ad270c41b47c95940142e0aee6badc2e76ae770f61b769affb
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/3a18903de7d866ad270c41b47c95940142e0aee6badc2e76ae770f61b769affb
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1660850
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found strings related to Crypto-Mining
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1660850 Sample: msi (21).msi Startdate: 09/04/2025 Architecture: WINDOWS Score: 100 91 quitarlosi.cfd 2->91 119 Malicious sample detected (through community Yara rule) 2->119 121 Multi AV Scanner detection for dropped file 2->121 123 Multi AV Scanner detection for submitted file 2->123 125 Joe Sandbox ML detected suspicious sample 2->125 12 msiexec.exe 80 40 2->12         started        15 SplashWin.exe 1 2->15         started        18 msedge.exe 2->18         started        21 msiexec.exe 3 2->21         started        signatures3 process4 dnsIp5 81 C:\Users\user\AppData\Local\...\SplashWin.exe, PE32 12->81 dropped 83 C:\Users\user\AppData\...\vcruntime140.dll, PE32 12->83 dropped 85 C:\Users\user\AppData\Local\...\msvcp140.dll, PE32 12->85 dropped 87 C:\Users\user\AppData\Local\...\DuiLib_u.dll, PE32 12->87 dropped 23 SplashWin.exe 7 12->23         started        151 Maps a DLL or memory area into another process 15->151 27 cmd.exe 2 15->27         started        93 192.168.2.26 unknown unknown 18->93 95 239.255.255.250 unknown Reserved 18->95 29 msedge.exe 18->29         started        32 msedge.exe 18->32         started        34 msedge.exe 18->34         started        file6 signatures7 process8 dnsIp9 67 C:\Users\user\AppData\...\vcruntime140.dll, PE32 23->67 dropped 69 C:\Users\user\AppData\...\msvcp140.dll, PE32 23->69 dropped 71 C:\Users\user\AppData\...\SplashWin.exe, PE32 23->71 dropped 73 C:\Users\user\AppData\...\DuiLib_u.dll, PE32 23->73 dropped 135 Switches to a custom stack to bypass stack traces 23->135 137 Found direct / indirect Syscall (likely to bypass EDR) 23->137 36 SplashWin.exe 1 23->36         started        75 C:\Users\user\AppData\Local\Temp\vxcttuytdh, PE32+ 27->75 dropped 139 Writes to foreign memory regions 27->139 141 Maps a DLL or memory area into another process 27->141 39 cloudPatchv1.exe 27->39         started        41 conhost.exe 27->41         started        105 a-0003.a-msedge.net 204.79.197.203, 443, 49727, 49728 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 29->105 107 204.79.197.219, 443, 49795, 49796 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 29->107 109 15 other IPs or domains 29->109 file10 signatures11 process12 signatures13 127 Maps a DLL or memory area into another process 36->127 129 Switches to a custom stack to bypass stack traces 36->129 131 Found direct / indirect Syscall (likely to bypass EDR) 36->131 43 cmd.exe 5 36->43         started        133 Tries to harvest and steal browser information (history, passwords, etc) 39->133 47 chrome.exe 39->47         started        process14 file15 77 C:\Users\user\AppData\Local\Temp\wnwavh, PE32+ 43->77 dropped 79 C:\Users\user\AppData\...\cloudPatchv1.exe, PE32+ 43->79 dropped 143 Writes to foreign memory regions 43->143 145 Found hidden mapped module (file has been removed from disk) 43->145 147 Maps a DLL or memory area into another process 43->147 149 Switches to a custom stack to bypass stack traces 43->149 49 cloudPatchv1.exe 43->49         started        53 conhost.exe 43->53         started        signatures16 process17 dnsIp18 89 quitarlosi.cfd 104.21.96.1, 443, 49694, 49695 CLOUDFLARENETUS United States 49->89 111 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 49->111 113 Found strings related to Crypto-Mining 49->113 115 Writes to foreign memory regions 49->115 117 4 other signatures 49->117 55 chrome.exe 49->55         started        58 msedge.exe 49->58         started        signatures19 process20 dnsIp21 97 192.168.2.5, 138, 443, 49361 unknown unknown 55->97 60 chrome.exe 55->60         started        63 chrome.exe 55->63         started        65 msedge.exe 58->65         started        process22 dnsIp23 99 play.google.com 142.250.64.78, 443, 49717, 49736 GOOGLEUS United States 60->99 101 plus.l.google.com 142.250.65.238, 443, 49715 GOOGLEUS United States 60->101 103 3 other IPs or domains 60->103
Score:
8%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/3a18903de7d866ad270c41b47c95940142e0aee6badc2e76ae770f61b769affb
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3a18903de7d866ad270c41b47c95940142e0aee6badc2e76ae770f61b769affb/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-02-10 17:46:55 UTC
File Type:
Binary (Archive)
Extracted files:
23
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=himjapph3btk2jymig2hzfmuafboblxgxloc45voo4hwdn3jv75q._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery spyware stealer
Link:
https://tria.ge/reports/250409-qhdkns1wfv/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Enumerates physical storage devices
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates connected drives
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f29cf048-71f5-486e-a90f-b335126a271c
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3a18903de7d866ad270c41b47c95940142e0aee6badc2e76ae770f61b769affb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/1357/

Comments