MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f3fc820def7b492876b38d021c904aafc60c379e8ad58cac81eee05bf41ee77. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8f3fc820def7b492876b38d021c904aafc60c379e8ad58cac81eee05bf41ee77
SHA3-384 hash: e7793f362745f7dc279e466787f21446e4a9e1691470bfc8dc0b31520672614aa91f43ff64876f92d21fbd8bc0adcd76
SHA1 hash: 6dbbc73416d4e565c8fd7fe6a074333320b23d68
MD5 hash: 9b8bb8ba63d78ec4116bf0928a29107a
humanhash: grey-fanta-washington-harry
File name:Installer_version12.02.00.msi
Download: download sample
File size:10'047'488 bytes
First seen:2025-05-20 20:06:11 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 196608:UlYLPy0zurrB6WbXDDeGFX8D4n+l/+/e21Z7eyMOuipsEFjcC3k1cp847Ru:taQQbT6GFX8DU+lAZJMxi2EFoCu+847I
TLSH T13FA63380BEC88772E6BE0577C46177D436FA8D522351D0CF6B8072689AB17E2B975323
TrID 94.2% (.MSI) Microsoft Windows Installer (454500/1/170)
4.0% (.WPS) Kingsoft WPS Office document (alt.) (19502/3/2)
1.6% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter skocherhan
Tags:legend1234561111 msi signed

Code Signing Certificate

Organisation:LLC Company Magnon
Issuer:GlobalSign GCC R45 EV CodeSigning CA 2020
Algorithm:sha256WithRSAEncryption
Valid from:2025-03-14T14:52:51Z
Valid to:2026-03-15T14:52:51Z
Serial number: 2c204f0654e5d1d07e9e09b7
Thumbprint Algorithm:SHA256
Thumbprint: e9c4c825db73ffbe9c5505330bd50ca01cc18cb0420c73d1d363c366cf46cdb9
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
skocherhan
https://github.com/legend1234561111/Installerofficial/releases/download/Officialapp12/Installer_version12.02.00.msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
GB GB
Vendor Threat Intelligence
Verdict:
Clean
Score:
82.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=682ce1342f280a98fb425709
Tags:
n/a
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
crypto expand fingerprint fingerprint installer invalid-signature keylogger lolbin packed signed wix
Link:
https://www.filescan.io/uploads/682ce0e5c609634bd7cc3dde/reports/5303e559-cc41-4c58-b82f-cb164516a886/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/8f3fc820def7b492876b38d021c904aafc60c379e8ad58cac81eee05bf41ee77
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/8f3fc820def7b492876b38d021c904aafc60c379e8ad58cac81eee05bf41ee77
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/1695425
Signature
Found API chain indicative of debugger detection
Found Tor onion address
Performs DNS queries to domains with low reputation
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1695425 Sample: Installer_version12.02.00.msi Startdate: 20/05/2025 Architecture: WINDOWS Score: 52 49 cisco-webexxapp.xyz 2->49 55 Found Tor onion address 2->55 9 msiexec.exe 3 12 2->9         started        12 msiexec.exe 3 2->12         started        signatures3 57 Performs DNS queries to domains with low reputation 49->57 process4 file5 47 C:\Windows\Installer\MSI3F4A.tmp, PE32 9->47 dropped 14 msiexec.exe 5 9->14         started        process6 process7 16 game_launcher.exe 14->16         started        18 expand.exe 12 14->18         started        21 cmd.exe 1 14->21         started        23 2 other processes 14->23 file8 25 curl.exe 16->25         started        29 curl.exe 16->29         started        39 C:\Users\user\AppData\...\curl.exe (copy), PE32 18->39 dropped 41 C:\Users\user\...\vcruntime140.dll (copy), PE32 18->41 dropped 43 C:\Users\user\AppData\...\sqlite3.dll (copy), PE32 18->43 dropped 45 15 other files (none is malicious) 18->45 dropped 31 conhost.exe 18->31         started        33 conhost.exe 21->33         started        35 conhost.exe 23->35         started        37 conhost.exe 23->37         started        process9 dnsIp10 51 cisco-webexxapp.xyz 94.159.113.123, 443, 49697, 49700 NETCOM-R-ASRU Russian Federation 25->51 53 127.0.0.1 unknown unknown 25->53 59 Found Tor onion address 25->59 61 Found API chain indicative of debugger detection 25->61 signatures11
Score:
49%
Verdict:
Susipicious
File Type:
ARCHIVE
Link:
https://malprob.io/report/8f3fc820def7b492876b38d021c904aafc60c379e8ad58cac81eee05bf41ee77
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8f3fc820def7b492876b38d021c904aafc60c379e8ad58cac81eee05bf41ee77/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-05-20 20:06:27 UTC
File Type:
Binary (Archive)
Extracted files:
16
AV detection:
7 of 24 (29.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=r474qig6662jfb3lhdicdsievl6gbq3z5cwvrswid3xalp2b5z3q._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery persistence privilege_escalation
Link:
https://tria.ge/reports/250520-yvkthsbr2s/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Enumerates connected drives
Modifies file permissions
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Microsoft Software Installer (MSI) msi 8f3fc820def7b492876b38d021c904aafc60c379e8ad58cac81eee05bf41ee77

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3548737/
  
Delivery method
Distributed via web download

Comments