MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7cfecc3e9ac8b904f2a93952bd9bf2e87bc21677560251fd6316fe693337412d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 5



SHA256 hash: 7cfecc3e9ac8b904f2a93952bd9bf2e87bc21677560251fd6316fe693337412d
SHA3-384 hash: fbb367596d6395232febe7be28b066043aec0587dc027d4f9b56845e244d9122f5df0cf46bf202e231507cdc13dc7365
SHA1 hash: e3434fc9726af64c109a2ac4997b01d642b7c8a0
MD5 hash: 25100ac14929a5c873bf08b77a8d5ea6
humanhash: november-aspen-cardinal-mike
File name:Yeromas.msi
File size:80'731'792 bytes
First seen:2026-02-04 10:34:56 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 1572864:2B5owUZsPlFsl+Ei6EJ5hwkxyTC91KFkfovMBBQnGrZ6g6b+lts:25owTA9irpwycYMkfovABQK6bWs
TLSH T16D083303BF46A164CA9D0E7F107B2B25472CBE40A06F66536B3931EED9F8EC1289D5C5
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter burger
Tags:msi SilentStealer

Intelligence


File Origin
# of uploads :
1
# of downloads :
38
Origin country :
NL
Vendor Threat Intelligence
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
40 / 100
Signature
Excessive usage of taskkill to terminate processes
Found pyInstaller with non standard icon
Potential malicious VBS script found (suspicious strings)
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: WScript or CScript Dropper
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal communication platform credentials (via file / registry access)
Unusual module load detection (module proxying)
Uses taskkill to terminate AV processes
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Behaviour
Behavior Graph:
Behavior Graph ID: 1863180
Sample: Yeromas.msi
Startdate: 04/02/2026
Architecture: WINDOWS
Score: 40

Sandbox-level signatures:
- Sigma detected: WScript or CScript Dropper
- Sigma detected: Rare Remote Thread Creation By Uncommon Source Image

Sandbox-level network contacts:
- shed.dual-low.part-0012.t-0009.t-msedge.net
- pypi.org
- 10 other IPs or domains

Process tree (child processes marked "started" in the graph):
msiexec.exe (first instance)
  wscript.exe
    - Potential malicious VBS script found (suspicious strings)
    - Windows Scripting host queries suspicious COM object (likely to drop second stage)
    Yeromas.exe
      - Uses taskkill to terminate AV processes
      - Tries to harvest and steal browser information (history, passwords, etc)
      - Excessive usage of taskkill to terminate processes
      - 3 other signatures
      cmd.exe (three instances), each starting conhost.exe and taskkill.exe
        - Excessive usage of taskkill to terminate processes
      81 other processes, among them net.exe (starts net1.exe), conhost.exe and 153 further processes
    conhost.exe
    taskkill.exe
msiexec.exe (second instance)

Dropped files:
- by msiexec.exe (second instance): C:\Users\user\AppData\Local\...\Yeromas.exe (PE32+); C:\Users\user\AppData\...\WinUpdateTask.vbs (ASCII); C:\Users\user\AppData\Local\...\vulkan-1.dll (PE32+); 20 other files (none is malicious)
- by Yeromas.exe: C:\Users\user\AppData\Local\...\python.exe (PE32+); C:\Users\user\AppData\Local\...\python310.dll (PE32+); C:\Users\user\AppData\...\api_check_9596.py (Python); 783 other files (none is malicious)

Network contacts by process:
- Yeromas.exe: gcp-us-west1-1.origin.onrender.com.cdn.cloudflare.net 216.24.57.7, ports 443, 49702, 49727 (RENDERUS, United States); a918.dscr.akamai.net 23.219.36.74, ports 443, 49700 (AKAMAI-ASN1EU, United States); 192.168.2.5, ports 137, 138, 443 (unknown)
- the "81 other processes" group: pypi.org 151.101.192.223, ports 443, 49706, 49707 (FASTLYUS, United States)
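The execution chain reported above (msiexec.exe starting wscript.exe on a .vbs under AppData, the script host starting a dropped PE from AppData\Local, and repeated taskkill use from cmd.exe) maps directly onto process-creation telemetry. The Python below is an added example, not MalwareBazaar, sandbox-vendor or Sigma code: it encodes those three behaviours as rules and runs them over constructed Sysmon-style events that mirror the tree. Full paths, pids and the killed image names (av-one.exe and so on) are assumptions, since the report elides paths with "..." and does not name the processes taskkill targeted.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (the fields Sysmon Event ID 1 / 4688 carry)."""
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A script or PE living under a user profile's AppData tree (user-writable, no admin needed)
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def root_of(pid: int, by_pid: dict) -> int:
    """Follow ppid links up to the topmost process we hold an event for."""
    seen = set()
    while pid in by_pid and by_pid[pid].ppid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].ppid
    return pid


def detect(events, taskkill_threshold: int = 3):
    """Return (rule_name, pid) findings for the three behaviours in the report."""
    by_pid = {e.pid: e for e in events}
    findings = []
    taskkills_per_tree = Counter()
    for e in events:
        parent = by_pid.get(e.ppid)
        pimg = basename(parent.image) if parent else ""
        img = basename(e.image)
        # 1. Installer -> script host running a script from a user-writable directory
        if img in SCRIPT_HOSTS and pimg == "msiexec.exe" and USER_WRITABLE.search(e.cmdline):
            findings.append(("installer_script_dropper", e.pid))
        # 2. Script host starting a PE that sits under AppData (the dropped second stage)
        if pimg in SCRIPT_HOSTS and img.endswith(".exe") and USER_WRITABLE.search(e.image):
            findings.append(("script_host_launches_dropped_pe", e.pid))
        # 3. Forced kills by image name, counted per process tree so that one
        #    hand-typed taskkill does not fire but a loop over security-product names does
        if (img == "taskkill.exe"
                and re.search(r"/f\b", e.cmdline, re.I)
                and re.search(r"/im\b", e.cmdline, re.I)):
            taskkills_per_tree[root_of(e.pid, by_pid)] += 1
    for root_pid, n in taskkills_per_tree.items():
        if n >= taskkill_threshold:
            findings.append(("excessive_taskkill", root_pid))
    return findings


# Constructed events mirroring the tree in the report. Paths, pids and the killed
# image names are assumptions (the report elides paths with "..." and does not
# name the processes taskkill targeted); pid 1 stands in for an unseen parent.
EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\System32\msiexec.exe",
              r"msiexec.exe /i C:\Users\user\Downloads\Yeromas.msi"),
    ProcEvent(110, 100, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\user\AppData\Roaming\WinUpdateTask.vbs"'),
    ProcEvent(120, 110, r"C:\Users\user\AppData\Local\Yeromas\Yeromas.exe",
              r'"C:\Users\user\AppData\Local\Yeromas\Yeromas.exe"'),
    ProcEvent(130, 120, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c taskkill /F /IM av-one.exe"),
    ProcEvent(131, 130, r"C:\Windows\System32\taskkill.exe", r"taskkill /F /IM av-one.exe"),
    ProcEvent(140, 120, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c taskkill /F /IM av-two.exe"),
    ProcEvent(141, 140, r"C:\Windows\System32\taskkill.exe", r"taskkill /F /IM av-two.exe"),
    ProcEvent(150, 120, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c taskkill /F /IM av-three.exe"),
    ProcEvent(151, 150, r"C:\Windows\System32\taskkill.exe", r"taskkill /F /IM av-three.exe"),
    # Benign control: an operator killing one process from an interactive shell
    ProcEvent(200, 1, r"C:\Windows\System32\cmd.exe", r"cmd.exe"),
    ProcEvent(201, 200, r"C:\Windows\System32\taskkill.exe", r"taskkill /F /IM notepad.exe"),
]

if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 3 attributes the count to the root of the tree rather than to cmd.exe, because the sample fans the kills out over separate cmd.exe children; keying on the immediate parent would leave each at one and miss the pattern. The threshold and the "/F /IM" requirement are tuning choices, not values taken from the report.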
Result
Malware family:
n/a
Score:
7/10
Tags:
discovery persistence privilege_escalation ransomware
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Enumerates connected drives
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments