MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6e997f7c6fe24711ca0e322a73c8ca1f309e9c6dcc7cb1b469d196836116d7fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown
Vendor detections: 6


SHA256 hash: 6e997f7c6fe24711ca0e322a73c8ca1f309e9c6dcc7cb1b469d196836116d7fe
SHA3-384 hash: d53dc2396a2119d91201f09c5b5cbb1d23fd1248dee98a23e8801d4cafcc986b377ef0ce78cb88f510cf0e3def40f8f8
SHA1 hash: fc578e4a8f023b4c6dc0258252160379bbf88513
MD5 hash: 41ef90fe863e7e9e46bc163944e6dce5
humanhash: dakota-potato-vegan-whiskey
File name: vc_redist.x64.msi
File size: 34'492'416 bytes
First seen: 2026-06-17 13:17:55 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 786432:/YB4iKdtFCSE0CrgPcKlsJaDC9F52crbrBsiA0EcJIQOVHSlB:BiKdtDE0C0VlSOUF4crHEcIQOVw
TLSH: T1937733EEF43555CBD02F873EEC8189A4A1966D06ED514603721673E729F73B43AF2288
TrID: 86.8% (.MSI) Microsoft Windows Installer (454500/1/170)
      11.6% (.MST) Windows SDK Setup Transform script (61000/1/5)
      1.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: burger
Tags: msi signed

Code Signing Certificate

Organisation: Duplicate File Formatter
Issuer: Duplicate File Formatter
Algorithm: sha256WithRSAEncryption
Valid from: 2026-06-13T06:48:40Z
Valid to: 2028-06-13T06:58:40Z
Serial number: 32e95437225e888f4f84686d107495c0
Thumbprint Algorithm: SHA256
Thumbprint: e40b223d170649a6c06003bacb80578181f6cfd84fed9a09086a0c388255d400
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 74
Origin country: BE
Vendor Threat Intelligence
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-debug CAB crypto encrypted expired-cert fingerprint installer masquerade obfuscated reconnaissance short-lived-cert signed
Verdict: Clean
File Type: msi
First seen: 2026-06-16T15:38:00Z UTC
Last seen: 2026-06-16T16:03:00Z UTC
Hits: ~10
Result
Threat name: n/a
Detection: malicious
Classification: spyw.evad
Score: 100 / 100
Signature
Antivirus detection for dropped file
Creates / moves files in alternative data streams (ADS)
Creates an undocumented autostart registry key
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (exiting after language check)
Joe Sandbox ML detected suspicious sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries DNS domain through GetComputerNameExW (potential sandbox evasion)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sets debug register (to hijack the execution of another thread)
Sigma detected: Suspicious Script Execution From Temp Folder
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses WMIC command to query system information (often done to detect virtual machines)
Behaviour
Behavior Graph:
Behavior Graph ID: 1929377 (Sample: vc_redist.x64.msi, Startdate: 17/06/2026, Architecture: WINDOWS, Score: 100); the rendered process/network graph is not reproduced here.
Result
Malware family: n/a
Score: 7/10
Tags: persistence privilege_escalation ransomware
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Detects videocard installed
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
Drops file in Windows directory
Badlisted process makes network request
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping malware through a base64 encoded powershell script.
Rule name: telebot_framework
Author: vietdx.mb
Rule name: upxHook
Author: @r3dbU7z
Description: Detect artifacts from 'upxHook' - modification of UPX packer
Reference: https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments