MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fed95cb683f4caa45c06b9fd9a0346278b2c34a2f410322798d6094f7288f85. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 12



SHA256 hash: 7fed95cb683f4caa45c06b9fd9a0346278b2c34a2f410322798d6094f7288f85
SHA3-384 hash: 194a751f633d1de50ce69f0dd57a8145dfb504913d62f8a09115c8b64db3239345d9feeb27e5526317c96b67bc045348
SHA1 hash: d0bd48e7d2a0dcca3d22470b1110d7373c74f143
MD5 hash: d95e853335aec1f405d38b8a42655642
humanhash: louisiana-hot-aspen-stream
File name: AmongusModdedInstaller-Portable-2.1.7.exe
File size: 78'877'642 bytes
First seen: 2025-10-09 11:44:25 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash b34f154ec913d2d2c435cbd644e91687 (533 x GuLoader, 110 x RemcosRAT, 80 x EpsilonStealer)
ssdeep 1572864:qSnyLU23Cg0qkkmVdAhV5x3kC3Ot7CHMFXWRSBzs8Y7J1cgiH5LZk69Ct7pB77:qeyLUgWVKx3Let74iaJAHX9C9z77
TLSH T1A10833896770FB33DCC05B7956BC21E24DDD59BB792DA4F6149586C2FC029A22A3E303
TrID 47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13)
15.9% (.EXE) Win64 Executable (generic) (10522/11/4)
9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
7.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
6.8% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika pebin
Reporter burger
Tags: exe infostealer stealer

Intelligence


File Origin
Uploads: 1
Downloads: 94
Origin country: NL
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
AmongusModdedInstaller-Portable-2.1.7.exe
Verdict:
Suspicious activity
Analysis date:
2025-10-09 11:13:12 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
94.9%
Tags:
vmdetect extens shell sage
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Searching for the window
Creating synchronization primitives
Sending a custom TCP request
Creating a process from a recently created file
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
Adding an exclusion to Microsoft Defender
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
adaptive-context anti-debug blackhole crypto installer microsoft_visual_cc nsis overlay
Verdict:
Clean
File Type:
exe x32
First seen:
2025-10-09T08:38:00Z UTC
Last seen:
2025-10-09T09:04:00Z UTC
Hits:
~10
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for URL or domain
Attempt to bypass Chrome Application-Bound Encryption
Disables security and backup related services
Disables Windows Defender (via service or powershell)
Drops large PE files
Found pyInstaller with non standard icon
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Maps a DLL or memory area into another process
Modifies Windows Defender protection settings
Sigma detected: Potential Data Stealing Via Chromium Headless Debugging
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Powershell Defender Disable Scan Feature
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Suspicious Windows Service Tampering
Sigma detected: WScript or CScript Dropper
Tries to harvest and steal browser information (history, passwords, etc)
Uses known network protocols on non-standard ports
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Behaviour
Behavior Graph:
Behavior Graph ID: 1792066 (Sample: AmongusModdedInstaller-Port..., Startdate: 09/10/2025, Architecture: WINDOWS, Score: 100; graph rendering not reproduced)
Gathering data
Threat name:
Win32.Malware.Generic
Status:
Suspicious
First seen:
2025-10-02 07:14:59 UTC
File Type:
PE (Exe)
Extracted files:
3187
AV detection:
2 of 36 (5.56%)
Threat level:
2/5
Result
Malware family:
n/a
Score:
10/10
Tags:
credential_access defense_evasion discovery execution linux spyware stealer trojan
Behaviour
Checks processor information in registry
Enumerates system info in registry
Kills process with taskkill
Modifies data under HKEY_USERS
Modifies registry class
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Launches sc.exe
An obfuscated cmd.exe command-line is typically used to evade detection.
Enumerates processes with tasklist
Hide Artifacts: Hidden Files and Directories
Legitimate hosting services abused for malware hosting/C2
Checks computer location settings
Drops startup file
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Uses browser remote debugging
Windows security bypass
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Detect_NSIS_Nullsoft_Installer
Author: Obscurity Labs LLC
Description: Detects NSIS installers by .ndata section + NSIS header string

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments