MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5733d21ac46a511a5a5fa5557acbc185e3b6a2255694dbaf8408b324303539c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown
Vendor detections: 9

SHA256 hash: 5733d21ac46a511a5a5fa5557acbc185e3b6a2255694dbaf8408b324303539c8
SHA3-384 hash: 5a5929e64dd8abea548dc8b839d840c743aa2fed4da31c8990c2ec16a9f262437dcfb203053dbafd04ad0ecfd1a37ce7
SHA1 hash: 4872b14f1f66fba6e70c76ea2cf4146d6a998ce8
MD5 hash: c22ef8aa99d457ea51d9f5231e6872ed
humanhash: floor-ack-indigo-violet
File name: msi (13).msi
File size: 9'535'956 bytes
First seen: 2025-04-09 13:12:58 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 196608:xpg3Awwm7NLRPIcj9tIhxYneuYmGAwUXumHbbW7S6z4T+wW+3CPXY:IwwwyNLRwcjEfDnAwcrHc4BEXY
TLSH: T1E6A6F111B3D5C131D1AA0231491DB36892BEFE714B7182CBB7982B8EAD717C1AB31B57
TrID: 53.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
      39.2% (.MSP) Windows Installer Patch (44509/10/5)
      7.0% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: JAMESWT_WT
Tags: bestieslos-com cdn-jsdelivr-net msi

Intelligence


File Origin
# of uploads: 1
# of downloads: 71
Origin country: IT
Vendor Threat Intelligence
Verdict: Malicious
Score: 94.9%
Tags: shellcode vmdetect
Result
Threat name: n/a
Detection: malicious
Classification: spyw.evad.mine
Score: 100 / 100
Signature
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found strings related to Crypto-Mining
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Writes to foreign memory regions
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID 1660836, sample msi (13).msi, start date 09/04/2025, architecture WINDOWS, score 100
Threat name: Win32.Adware.RedCap
Status: Malicious
First seen: 2025-01-18 19:41:59 UTC
File Type: Binary (Archive)
Extracted files: 44
AV detection: 15 of 36 (41.67%)
Threat level: 1/5
Result
Malware family: n/a
Score: 6/10
Tags: discovery spyware stealer
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates connected drives
Verdict: Suspicious
Tags: n/a
YARA: n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: DebuggerException__SetConsoleCtrl
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants
Rule name: NET
Author: malware-lu
Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)
Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments