MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 548f177f0fb543ea66382c104806e48c1f0ad8e949b8d4956870c84abb46ff22. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 548f177f0fb543ea66382c104806e48c1f0ad8e949b8d4956870c84abb46ff22
SHA3-384 hash: 79c1baf68df13233e5d65e26ef998de8c72bfee5685587b3b879c08c1b991c09345e6f443c3d7b3743dd5108424e9add
SHA1 hash: 2158a0a06d5efd348855b5c2bee066e90f2a9989
MD5 hash: f7d3ddebdcf42c1ff2b604376e139226
humanhash: nuts-fillet-mountain-robert
File name:5a47b1.msi
Download: download sample
File size:1'413'120 bytes
First seen:2025-05-01 19:44:32 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 24576:XSq7iShO0bH7A4BjhBxT6QnmsgPoYtuOnDFy/Mo2O/nisBtolFh9aS3SekT1QPfU:XSj0bHc4BpzV6fSis0LaSsT1Uw
Threatray 2 similar samples on MalwareBazaar
TLSH T1096533C27E915135C7070237382BF58E7E395C6A9999075833A8B169BDF5E1BE8F28C0
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter smica83
Tags:msi Plugx

Intelligence

File Origin
# of uploads :
1
# of downloads :
114
Origin country :
HU HU
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/5639/
Detection(s):
SecuriteInfo.com.FileRepMalware.26111.3173.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6813d1be4355f44aee6801b6
Tags:
korplug plugx virus spawn
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
installer korplug
Link:
https://www.filescan.io/uploads/6813cf440b64e174c413acab/reports/a940df25-68a0-4c22-b782-12a81e59deb7/overview
Verdict:
Malicious
Labled as:
TR/Korplug.rwqyk
Link:
https://www.hybrid-analysis.com/sample/548f177f0fb543ea66382c104806e48c1f0ad8e949b8d4956870c84abb46ff22
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/548f177f0fb543ea66382c104806e48c1f0ad8e949b8d4956870c84abb46ff22
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1679393
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking mutex)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Suricata IDS alerts for network traffic
Behaviour
Behavior Graph:
Download SVG
Score:
31%
Verdict:
Susipicious
File Type:
ARCHIVE
Link:
https://malprob.io/report/548f177f0fb543ea66382c104806e48c1f0ad8e949b8d4956870c84abb46ff22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/548f177f0fb543ea66382c104806e48c1f0ad8e949b8d4956870c84abb46ff22/
Threat name:
Win32.Trojan.Korplug
Create hunting rule
Status:
Malicious
First seen:
2025-05-01 19:45:11 UTC
File Type:
Binary (Archive)
Extracted files:
29
AV detection:
15 of 36 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kshro7ypwvb6uzryfqieqbxerqpqvwhjjg4njfliodeevo2g74ra._file
Verdict:
malicious
Label(s):
doplugs
Create hunting rule
Similar samples:
51d38688ae91d2f1dd91a042861073491989b2cbcd4a85ab6ff92948c2d1ddf9
error
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery persistence privilege_escalation
Link:
https://tria.ge/reports/250501-yge14sfm5y/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Enumerates connected drives
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/bb68239c-d288-4a0f-b5ae-bdb38c9d0910
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/548f177f0fb543ea66382c104806e48c1f0ad8e949b8d4956870c84abb46ff22

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/5639/

Comments