MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5903da3b84c0cb7de793daae5aec0abb60461f81f8bd6a8381d5894e4eb92373. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown
Vendor detections: 8

SHA256 hash: 5903da3b84c0cb7de793daae5aec0abb60461f81f8bd6a8381d5894e4eb92373
SHA3-384 hash: 97649c82293425b8e11008196181f6eebcce8a2165310fe3d7fd9b1b0e248f3ae29be22a4b2543438adb5dda893e54aa
SHA1 hash: a7e7707df7238fe079cece0d367a2dc05abf6ecd
MD5 hash: 3f1b43d534681d4d5d250277c4f0ff78
humanhash: floor-april-berlin-don
File name: verification.msi
File size: 64'467'456 bytes
First seen: 2025-07-12 17:35:16 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 1572864:eF5mgISC+5qIhq6xOTZA6gtYt+MvJYwTsKK:38++EGWsK
TLSH: T157E77C01B3FA4108F2F75EB17EBA99A5947ABD521B30C0EF1204664E1A71BC25BB1773
TrID:
  80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
  10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
  7.8% (.MSP) Windows Installer Patch (44509/10/5)
  1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: abuse_ch
Tags: msi

Intelligence


File Origin
# of uploads: 1
# of downloads: 19
Origin country: SE
Vendor Threat Intelligence
Verdict: Malicious
Score: 70%
Tags: malware
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 60 / 100
Signatures:
  Bypasses PowerShell execution policy
  Sigma detected: Script Interpreter Execution From Suspicious Folder
  Sigma detected: Suspicious Script Execution From Temp Folder
  Suricata IDS alerts for network traffic
Behaviour
Behavior Graph (ID 1734812; sample: verification.msi; start date: 12/07/2025; architecture: WINDOWS; score: 60), recovered from the rendered graph:

Signatures:
  Suricata IDS alerts for network traffic
  Sigma detected: Suspicious Script Execution From Temp Folder
  Sigma detected: Script Interpreter Execution From Suspicious Folder
  Bypasses PowerShell execution policy (raised on the child msiexec.exe)

Network:
  trobersound.com, 104.21.80.1:443 (CLOUDFLARENETUS, United States), contacted by the child msiexec.exe from local port 49689

Process tree (started processes):
  msiexec.exe
    msiexec.exe
      powershell.exe
        conhost.exe
    cmd.exe
      conhost.exe
      timeout.exe
    7z.exe
      conhost.exe
    clipx.exe
  msiexec.exe

Files dropped:
  by the first msiexec.exe:
    C:\Windows\Installer\MSI99BE.tmp (PE32)
    C:\Windows\Installer\MSI9112.tmp (PE32)
    C:\Windows\Installer\MSI7490.tmp (PE32)
    113 other files (none is malicious)
  by the child msiexec.exe:
    C:\Users\user\AppData\Local\...\scr74FB.ps1 (Unicode)
    C:\Users\user\AppData\Local\...\pss750C.ps1 (Unicode)
Result
Malware family: n/a
Score: 6/10
Tags: defense_evasion discovery execution persistence privilege_escalation upx
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
UPX packed file
Blocklisted process makes network request
Enumerates connected drives
Verdict: Suspicious
Tags: n/a
YARA: n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments