MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8610758efe0e3385d47f560862b7e48ab04146ae1cd525ef78eec2206eaa33ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8610758efe0e3385d47f560862b7e48ab04146ae1cd525ef78eec2206eaa33ec
SHA3-384 hash: 9c546280375dde241c8323246746b98c446e41e2695639a21377fd4011dda3ac8f67a2cb8788364e75f7b563d8a81b93
SHA1 hash: 0ab457ba682c3e30a2768bbeb8603771dbd0556a
MD5 hash: 15028b35d18c37170d7dc13c99ad8023
humanhash: comet-foxtrot-bravo-kansas
File name:msi (10).msi
Download: download sample
File size:6'967'296 bytes
First seen:2025-04-09 13:15:04 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 196608:SYOfzG0JRBw4MANjxIfI3nxU9iX8pBXt/IDCz:SYuDJbwyNjxdnxU9iX8pBXt/IDC
TLSH T1C36633D979223533CACE613A468EEBF572992D311F62E226D33337901932E7663560C7
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter JAMESWT_WT
Tags:bestieslos-com cdn-jsdelivr-net msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
74
Origin country :
IT IT
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/1365/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67f67606f9ba909217cddba5
Tags:
virus
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context crypto expired-cert installer keylogger wix
Link:
https://www.filescan.io/uploads/67f672f0eb7eb0aee042de5e/reports/65d3452c-0b61-40c4-b517-632c8d50c322/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/8610758efe0e3385d47f560862b7e48ab04146ae1cd525ef78eec2206eaa33ec
Result
Verdict:
SUSPICIOUS
Link:
https://labs.inquest.net/dfi/sha256/8610758efe0e3385d47f560862b7e48ab04146ae1cd525ef78eec2206eaa33ec
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1660843
Signature
Antivirus detection for URL or domain
Contains functionality to detect sleep reduction / modifications
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1660843 Sample: msi (10).msi Startdate: 09/04/2025 Architecture: WINDOWS Score: 92 68 ingovate-now.site 2->68 80 Antivirus detection for URL or domain 2->80 82 Multi AV Scanner detection for dropped file 2->82 84 Multi AV Scanner detection for submitted file 2->84 86 Joe Sandbox ML detected suspicious sample 2->86 11 msiexec.exe 86 46 2->11         started        14 TiVoDesktop.exe 1 2->14         started        17 msiexec.exe 3 2->17         started        signatures3 process4 file5 60 C:\Users\user\AppData\...\wspconfig.dll, PE32 11->60 dropped 62 C:\Users\user\AppData\Roaming\...\Vclx60.bpl, PE32 11->62 dropped 64 C:\Users\user\AppData\Roaming\...\Vcl60.bpl, PE32 11->64 dropped 66 7 other malicious files 11->66 dropped 19 TiVoDesktop.exe 13 11->19         started        106 Maps a DLL or memory area into another process 14->106 108 Found direct / indirect Syscall (likely to bypass EDR) 14->108 23 cmd.exe 2 14->23         started        signatures6 process7 file8 50 C:\Users\user\AppData\...\wspconfig.dll, PE32 19->50 dropped 52 C:\Users\user\AppData\Roaming\...\Vclx60.bpl, PE32 19->52 dropped 54 C:\Users\user\AppData\Roaming\...\Vcl60.bpl, PE32 19->54 dropped 58 7 other malicious files 19->58 dropped 88 Switches to a custom stack to bypass stack traces 19->88 90 Found direct / indirect Syscall (likely to bypass EDR) 19->90 92 Contains functionality to detect sleep reduction / modifications 19->92 25 TiVoDesktop.exe 1 19->25         started        56 C:\Users\user\AppData\Local\Temp\ibhroaaii, PE32+ 23->56 dropped 94 Writes to foreign memory regions 23->94 96 Maps a DLL or memory area into another process 23->96 28 ToolSecurityBvg.exe 23->28         started        30 conhost.exe 23->30         started        signatures9 process10 signatures11 100 Maps a DLL or memory area into another process 25->100 102 Switches to a custom stack to bypass stack traces 25->102 104 Found direct / indirect Syscall (likely to bypass EDR) 25->104 32 cmd.exe 5 25->32         started        36 WerFault.exe 21 28->36         started        process12 file13 46 C:\Users\user\AppData\Local\Temp\nwbyfk, PE32+ 32->46 dropped 48 C:\Users\user\AppData\...\ToolSecurityBvg.exe, PE32+ 32->48 dropped 72 Writes to foreign memory regions 32->72 74 Found hidden mapped module (file has been removed from disk) 32->74 76 Maps a DLL or memory area into another process 32->76 78 Switches to a custom stack to bypass stack traces 32->78 38 ToolSecurityBvg.exe 32->38         started        42 conhost.exe 32->42         started        signatures14 process15 dnsIp16 70 ingovate-now.site 172.67.146.5, 443, 49769, 49955 CLOUDFLARENETUS United States 38->70 98 Found direct / indirect Syscall (likely to bypass EDR) 38->98 44 WerFault.exe 22 16 38->44         started        signatures17 process18
Score:
2%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/8610758efe0e3385d47f560862b7e48ab04146ae1cd525ef78eec2206eaa33ec
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8610758efe0e3385d47f560862b7e48ab04146ae1cd525ef78eec2206eaa33ec/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qyihldx6byzylvd7kyegfn7erkyecrvodtksl33y53bca3vkgpwa._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery
Link:
https://tria.ge/reports/250409-qhfd9s1mz5/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates connected drives
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/1a90864e-8c13-4725-95f5-cec54ae36412
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/8610758efe0e3385d47f560862b7e48ab04146ae1cd525ef78eec2206eaa33ec

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/1365/

Comments