MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e90d6ba18a3be40de5d4c65e576b21b037f0ecf89bd5d0e7f2f0dee1c2c42f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7e90d6ba18a3be40de5d4c65e576b21b037f0ecf89bd5d0e7f2f0dee1c2c42f0
SHA3-384 hash: a582df3f692c3d9baf5e85b58817616f7603fe6c6b0d5aa9e8d4f12c2dd4df7627badbb4448e6d282a5f4f12b502b88f
SHA1 hash: 8f2ff2548bf4104133a0e49db40cb3b506c1d607
MD5 hash: 846a9253c6a4f241b210a2ccf630b43f
humanhash: sink-mockingbird-ten-delaware
File name:PotatoIчnstaller.msi
Download: download sample
File size:57'361'920 bytes
First seen:2026-01-25 08:32:29 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 1572864:DgelxO5dafIXLv7f9mgv7P/a+wRN/axIV4Jo/IZe:DxgyW7Fmgvu+MNSIVabZ
Threatray 651 similar samples on MalwareBazaar
TLSH T1E0C73331B2767995D61F53BFE0A85FD840307DE1B31BDA6B63783FA589B064260B2903
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter zhuzhu0009
Tags:msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
32
Origin country :
JP JP
Vendor Threat Intelligence
Details
Link:
https://research.acce.ciphertechsolutions.com/results/8f1d4fe9-118b-4543-8d71-faf303a94c0f/
Verdict:
Malicious
Score:
70%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6975d5676fa3eed1652e87e9
Tags:
virus spawn hype
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug at base64 CAB cmd expired-cert expired-cert fingerprint installer large-file lolbin wix
Link:
https://www.filescan.io/uploads/6975d55cc67009fca91d3d26/reports/3d295d94-1c9a-44ec-b5d9-93884e73ef60/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/7e90d6ba18a3be40de5d4c65e576b21b037f0ecf89bd5d0e7f2f0dee1c2c42f0
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/7e90d6ba18a3be40de5d4c65e576b21b037f0ecf89bd5d0e7f2f0dee1c2c42f0
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
msi
First seen:
2026-01-25T06:16:00Z UTC
Last seen:
2026-01-26T15:35:00Z UTC
Hits:
~10
Detections:
Trojan.Win64.Agent.smfkbv Trojan.Win32.Autorun.gen Trojan.Win32.DLLhijack.sb Trojan.Win64.DllHijack.sb BSS:Trojan.Win32.Generic Trojan.Win64.Agent.sb Trojan.Win32.Shellcode.sb Trojan.Win32.Inject.sb Trojan.Win32.Agent.sb Trojan.OLE2.Agent.sb Trojan.Win32.DLLhijack.adqw Trojan.Win64.DLLhijack.cfl HEUR:Trojan-Dropper.OLE2.Agent.gen
Link:
https://opentip.kaspersky.com/7e90d6ba18a3be40de5d4c65e576b21b037f0ecf89bd5d0e7f2f0dee1c2c42f0/results?tab=lookup
Score:
54%
Verdict:
Susipicious
File Type:
ARCHIVE
Link:
https://malprob.io/report/7e90d6ba18a3be40de5d4c65e576b21b037f0ecf89bd5d0e7f2f0dee1c2c42f0
Gathering data
Verdict:
Malicious
Threat:
Trojan.Win32.DLLhijack
Link:
https://tip.neiki.dev/file/7e90d6ba18a3be40de5d4c65e576b21b037f0ecf89bd5d0e7f2f0dee1c2c42f0
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=p2innoqyuo7ebxs5jrs6k5vsdmbx6dwprg6v2dt7f4g64hbmilya._file
Verdict:
malicious
Label(s):
donutloader
Create hunting rule
Similar samples:
480fc5d1e6a75c460ad7e654600210a2b67a344f3cd4d47a34a22470fbf1ac40
560ac051ba7e544ad7eecba19fdde685cfe538e68e5f721aa61a095b223c9436
77576ae75f5e8139698a78a431dfeffb182998850020a4b1328a7d3b01c9b9e8
dc3f65a78d171f91d2309592cd4d3528cad11d0fe5fe3ae6232150961e3960a8
ef18188e4350786183d2f488ac6d4649a4c9100f328d0e487b9ec78552b9d69d
error
f6fb51b18c7f3e118798acbaba51fb18f813ae0678dd6f6eba735115bdd8fd88
+ 641 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence privilege_escalation
Link:
https://tria.ge/reports/260125-kf42ysev8h/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Enumerates connected drives
Loads dropped DLL
Malware family:
ValleyRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/7e90d6ba18a3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_MSI_LATAM_Banker_From_LatAm
Create hunting rule
Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments