MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b347cdcf37ef16e9ea43c495630e4736cfb1f25afa152cccdf5a31065e870f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7b347cdcf37ef16e9ea43c495630e4736cfb1f25afa152cccdf5a31065e870f0
SHA3-384 hash: c1426ca75ee43224e4fc4eb6175348681f63f00b55b8b66f7f17a86efbfc752371a5bbb4d4158aef53a495412f8dd8bf
SHA1 hash: b3c0d52b416534a393c7565be2cc1c76da1f2e03
MD5 hash: ce0eb1fb5b7dfc6af5f16ecc46be0421
humanhash: yellow-sad-eleven-massachusetts
File name:droveqx_menu.msi
Download: download sample
File size:30'676'992 bytes
First seen:2026-04-01 14:22:53 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 786432:ktJY6HUrxadrBGH+qdlLzUG0qBWwe23oMzdeTVP/IHrmT:mY6HwEQz30qfr3oMz6N46T
TLSH T17E6733B7958DAF3CCA518D3628BC6F2C00DB3510846AC05FC29CFC75A593E4ABE74699
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika unknown
Reporter smica83
Tags:msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
38
Origin country :
HU HU
Vendor Threat Intelligence
Gathering data
Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69cd2a5a6363ca5d27f09951
Tags:
obfuscate autorun shell sage
Verdict:
Suspicious
Link:
https://www.hybrid-analysis.com/sample/7b347cdcf37ef16e9ea43c495630e4736cfb1f25afa152cccdf5a31065e870f0
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/7b347cdcf37ef16e9ea43c495630e4736cfb1f25afa152cccdf5a31065e870f0
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1892172
Signature
AI detected malicious Powershell script
Allocates memory in foreign processes
Bypasses PowerShell execution policy
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Injects a PE file into a foreign processes
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Powershell drops PE file
Queries Google from non browser process on port 80
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Schedule system process
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: WScript or CScript Dropper
Suricata IDS alerts for network traffic
Suspicious powershell command line found
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Unusual module load detection (module proxying)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Powershell decode and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1892172 Sample: droveqx_menu.msi Startdate: 01/04/2026 Architecture: WINDOWS Score: 100 97 release-assets.githubusercontent.com 2->97 99 raw.githubusercontent.com 2->99 101 5 other IPs or domains 2->101 117 Suricata IDS alerts for network traffic 2->117 119 Malicious sample detected (through community Yara rule) 2->119 121 Yara detected Powershell decode and execute 2->121 123 8 other signatures 2->123 12 conhost.exe 2->12         started        14 msiexec.exe 77 37 2->14         started        17 conhost.exe 2->17         started        19 3 other processes 2->19 signatures3 process4 file5 21 powershell.exe 23 1002 12->21         started        89 C:\Users\user\AppData\Local\...\error.vbs, ASCII 14->89 dropped 91 C:\Users\user\AppData\...\delta_module39.ps1, ASCII 14->91 dropped 26 cmd.exe 1 14->26         started        28 wscript.exe 14->28         started        30 deno.exe 17->30         started        32 deno.exe 19->32         started        process6 dnsIp7 103 github.com 140.82.112.4, 443, 49726, 49729 GITHUBUS United States 21->103 105 codeload.github.com 140.82.114.10, 443, 49727 GITHUBUS United States 21->105 107 3 other IPs or domains 21->107 79 C:\Users\user\scoop\apps\...\validator.exe, PE32 21->79 dropped 81 C:\Users\user\scoop\...\Scoop.Validator.dll, PE32 21->81 dropped 83 C:\Users\user\scoop\...83ewtonsoft.Json.dll, PE32 21->83 dropped 85 11 other malicious files 21->85 dropped 125 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 21->125 127 Loading BitLocker PowerShell Module 21->127 129 Powershell drops PE file 21->129 34 deno.exe 21->34         started        36 csc.exe 21->36         started        39 attrib.exe 21->39         started        131 Uses schtasks.exe or at.exe to add and modify task schedules 26->131 41 conhost.exe 26->41         started        44 schtasks.exe 1 26->44         started        46 schtasks.exe 1 26->46         started        file8 signatures9 process10 file11 48 deno.exe 34->48         started        77 C:\Users\user\AppData\Local\...\5iosoeev.dll, PE32 36->77 dropped 53 cvtres.exe 36->53         started        143 Bypasses PowerShell execution policy 41->143 signatures12 process13 dnsIp14 93 199.91.220.142, 49732, 49734, 49735 AMCUS United States 48->93 95 dl-deno-land.deno-cf.net 172.67.198.112, 443, 49733, 49736 CLOUDFLARENETUS United States 48->95 75 C:\Users\user\AppData\Roaming\609da37.js, ASCII 48->75 dropped 109 Suspicious powershell command line found 48->109 111 Tries to detect virtualization through RDTSC time measurements 48->111 113 Unusual module load detection (module proxying) 48->113 115 Queries Google from non browser process on port 80 48->115 55 deno.exe 48->55         started        59 powershell.exe 48->59         started        file15 signatures16 process17 file18 87 C:\Users\user\AppData\...\cookies.sqlite-shm, data 55->87 dropped 133 Tries to harvest and steal browser information (history, passwords, etc) 55->133 135 Writes to foreign memory regions 55->135 137 Allocates memory in foreign processes 55->137 141 3 other signatures 55->141 61 cmd.exe 55->61         started        63 cmd.exe 55->63         started        65 cmd.exe 55->65         started        67 2 other processes 55->67 139 Creates autostart registry keys with suspicious names 59->139 signatures19 process20 process21 69 powershell.exe 61->69         started        71 powershell.exe 63->71         started        73 powershell.exe 65->73         started       
Score:
2%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/7b347cdcf37ef16e9ea43c495630e4736cfb1f25afa152cccdf5a31065e870f0
Gathering data
Verdict:
Susipicious
Link:
https://tip.neiki.dev/file/7b347cdcf37ef16e9ea43c495630e4736cfb1f25afa152cccdf5a31065e870f0
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=pm2hzxhtp3yw5hvehrevmmheonwpwhzfv6qvftgn6wrrazpiodya._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution persistence privilege_escalation ransomware
Link:
https://tria.ge/reports/260401-rp93wsds6r/
Behaviour
Checks SCSI registry key(s)
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Command and Scripting Interpreter: PowerShell
Event Triggered Execution: Installer Packages
Drops file in Windows directory
Contacts third-party web service commonly abused for C2
Enumerates connected drives
Badlisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7b347cdcf37ef16e9ea43c495630e4736cfb1f25afa152cccdf5a31065e870f0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CP_Script_Inject_Detector
Create hunting rule
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Suspicious_Process
Create hunting rule
Author:Security Research Team
Description:Suspicious process creation
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments