MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76ccd85ab8f28058a926eb8d2ea07dd7572896046dd1ae742ec453e1da9213e4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



WebViewRMM


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments

SHA256 hash: 76ccd85ab8f28058a926eb8d2ea07dd7572896046dd1ae742ec453e1da9213e4
SHA3-384 hash: 78e8445a2c00afd2223e82ce252d8b52e82ec1b3c0ccaa9a56663bf6ba1817d51ce2279bdc10a7d8c0ec5a8637bd5213
SHA1 hash: a36d8c8cabf68c9e29834d662e490655006808b0
MD5 hash: ff1e1cd1779e62d3ed843d567414f3b4
humanhash: oxygen-sodium-minnesota-uniform
File name:WebViewRuntime.msi.bin
Download: download sample
Signature WebViewRMM
File size:5'336'576 bytes
First seen:2026-06-16 19:42:34 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:p9VCx+s9WecPr0eLAoroqOPudGSJuxkSVRO4ky7G6lZ3QEZUtQLQTqI4y+LnUSwH:p9VCosyhAoroqTdGSyVR+y7dlrkVTqIL
TLSH T1763633276CCA2E7EC22C95748675952C01062D123F0EA593A68E7B8D37BB37193DD34E
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika ppt
Reporter johnk3r
Tags:kelkel-rmtdelek-digital latam msi rmm WebViewRMM

Intelligence


File Origin
# of uploads :
1
# of downloads :
81
Origin country :
CH CH
Vendor Threat Intelligence
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
base64 CAB expand golang installer lolbin masquerade packed wix
Result
Threat name:
GO Stealer
Detection:
malicious
Classification:
troj
Score:
52 / 100
Signature
Installs new ROOT certificates
Yara detected GO Stealer
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1929045 Sample: WebViewRuntime.msi.bin.msi Startdate: 16/06/2026 Architecture: WINDOWS Score: 52 37 kelkel.rmtdelek.digital 2->37 41 Yara detected GO Stealer 2->41 8 edgewebdiew.exe 8 3 2->8         started        12 msiexec.exe 76 29 2->12         started        15 msiexec.exe 5 2->15         started        signatures3 process4 dnsIp5 39 kelkel.rmtdelek.digital 104.21.78.39, 443, 49682 CLOUDFLARENET-CloudflareIncUS Canada 8->39 43 Installs new ROOT certificates 8->43 17 tasklist.exe 1 8->17         started        19 tasklist.exe 1 8->19         started        21 tasklist.exe 1 8->21         started        23 2 other processes 8->23 35 C:\Program Files\webview\edgewebdiew.exe, PE32+ 12->35 dropped file6 signatures7 process8 process9 25 conhost.exe 17->25         started        27 conhost.exe 19->27         started        29 conhost.exe 21->29         started        31 conhost.exe 23->31         started        33 conhost.exe 23->33         started       
Gathering data
Threat name:
Win64.Trojan.Generic
Status:
Suspicious
First seen:
2026-06-16 19:43:32 UTC
File Type:
Binary (Archive)
Extracted files:
1
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence privilege_escalation ransomware
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
Drops file in Program Files directory
Drops file in Windows directory
Enumerates processes with tasklist
Enumerates connected drives
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments