MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 91a2945d99ee794a0461427a14ca731187b8143b847b85993ea7d5367c2c1c0c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


SparkRAT


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 91a2945d99ee794a0461427a14ca731187b8143b847b85993ea7d5367c2c1c0c
SHA3-384 hash: c029dacaaf1810ca9443fc405d3b423f86d2e07f8961793f026d48febcf0d4abd6fc103498329aedc8429d3227b1f91d
SHA1 hash: e9b2ce64e7bd7a4acc5c98743d84dae73778743f
MD5 hash: 01883bd83a757a7ef01b74f82eb3de5c
humanhash: sad-triple-whiskey-edward
File name:ChromeSetup.msi
Download: download sample
Signature SparkRAT
Create hunting rule
File size:1'576'960 bytes
First seen:2026-02-26 18:30:55 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 24576:JJvKAN7MDBVaEJT84t6ve/K03KzStZdnQYwHFeP8x7PQhdrQdE2ttB4k0:7Ke7OVje7ve/HxQYwlWa7S4tBG
TLSH T1A9752302B6D05071E1B75E3059B59A909FBDFC204E32895B23D4BF1D2F30A51EA36BA7
TrID 86.8% (.MSI) Microsoft Windows Installer (454500/1/170)
11.6% (.MST) Windows SDK Setup Transform script (61000/1/5)
1.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter smica83
Tags:msi SparkRAT www-msftconnecttest-xyz

Intelligence

File Origin
# of uploads :
1
# of downloads :
64
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
MSI
Details
MSI
an embedded setup program or component
Link:
https://research.acce.ciphertechsolutions.com/results/9eec122d-3a8d-4384-97c1-c024626017cf/
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/54736/
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69a091748fffa866e3b27bb9
Tags:
n/a
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug expired-cert installer installer packed wix
Link:
https://www.filescan.io/uploads/69a091739eaae846593fcec4/reports/beffb571-4e17-44ab-8f51-ef739395ef34/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/91a2945d99ee794a0461427a14ca731187b8143b847b85993ea7d5367c2c1c0c
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/91a2945d99ee794a0461427a14ca731187b8143b847b85993ea7d5367c2c1c0c
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Clean
File Type:
msi
Link:
https://opentip.kaspersky.com/91a2945d99ee794a0461427a14ca731187b8143b847b85993ea7d5367c2c1c0c/results?tab=lookup
Result
Threat name:
Spark RAT
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1875516
Signature
Changes security center settings (notifications, updates, antivirus, firewall)
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain checking for user administrative privileges
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Performs DNS queries to domains with low reputation
Suricata IDS alerts for network traffic
Unusual module load detection (module proxying)
Yara detected Spark RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1875516 Sample: ChromeSetup.msi Startdate: 26/02/2026 Architecture: WINDOWS Score: 100 70 www.msftconnecttest.xyz 2->70 74 Suricata IDS alerts for network traffic 2->74 76 Malicious sample detected (through community Yara rule) 2->76 78 Yara detected Spark RAT 2->78 80 Joe Sandbox ML detected suspicious sample 2->80 10 msiexec.exe 77 32 2->10         started        14 svchost.exe 2->14         started        16 svchost.exe 1 1 2->16         started        19 6 other processes 2->19 signatures3 82 Performs DNS queries to domains with low reputation 70->82 process4 dnsIp5 54 C:\Windows\Installer\MSI2F48.tmp, PE32 10->54 dropped 56 C:\Program Files (x86)\...\Appverif.exe, PE32+ 10->56 dropped 58 C:\Program Files (x86)\...\DesDtCore64.dll, PE32+ 10->58 dropped 94 Drops executables to the windows directory (C:\Windows) and starts them 10->94 21 MSI2F48.tmp 73 10->21         started        25 Appverif.exe 8 8 10->25         started        96 Changes security center settings (notifications, updates, antivirus, firewall) 14->96 28 MpCmdRun.exe 14->28         started        68 127.0.0.1 unknown unknown 16->68 file6 signatures7 process8 dnsIp9 42 C:\Windows\SystemTemp\...behaviorgraphoogleUpdate.exe, PE32 21->42 dropped 44 C:\Windows\SystemTemp\...\psuser_64.dll, PE32+ 21->44 dropped 46 C:\Windows\SystemTemp\...\psuser.dll, PE32 21->46 dropped 52 65 other files (none is malicious) 21->52 dropped 84 Drops executables to the windows directory (C:\Windows) and starts them 21->84 86 Found evasive API chain checking for user administrative privileges 21->86 30 GoogleUpdate.exe 9 74 21->30         started        72 www.msftconnecttest.xyz 154.31.222.217, 443, 49712, 49722 COGENT-174US United States 25->72 48 C:\ProgramData\...\DesDtCore64.dll, PE32+ 25->48 dropped 50 C:\ProgramData\...\Appverif.exe, PE32+ 25->50 dropped 88 Maps a DLL or memory area into another process 25->88 90 Creates a thread in another existing process (thread injection) 25->90 92 Found direct / indirect Syscall (likely to bypass EDR) 25->92 34 sihost.exe 25->34 injected 36 conhost.exe 28->36         started        file10 signatures11 process12 file13 60 C:\Program Files (x86)\...behaviorgraphoogleUpdate.exe, PE32 30->60 dropped 62 C:\Program Files (x86)\...\psuser_64.dll, PE32+ 30->62 dropped 64 C:\Program Files (x86)behaviorgraphoogle\...\psuser.dll, PE32 30->64 dropped 66 65 other files (none is malicious) 30->66 dropped 98 Found evasive API chain checking for user administrative privileges 30->98 100 Unusual module load detection (module proxying) 34->100 38 cmd.exe 34->38         started        signatures14 process15 process16 40 conhost.exe 38->40         started       
Score:
99%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/91a2945d99ee794a0461427a14ca731187b8143b847b85993ea7d5367c2c1c0c
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/91a2945d99ee794a0461427a14ca731187b8143b847b85993ea7d5367c2c1c0c/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/91a2945d99ee794a0461427a14ca731187b8143b847b85993ea7d5367c2c1c0c
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sgrjixmz5z4uubdbij5bjsttcgd3qfb3qr5ylgj6u7ktm7bmdqga._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
defense_evasion discovery persistence privilege_escalation ransomware spyware stealer trojan
Link:
https://tria.ge/reports/260226-w56gvscv3d/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
System Time Discovery
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtCreateThreadExHideFromDebugger
Checks installed software on the system
Checks whether UAC is enabled
Enumerates connected drives
Checks computer location settings
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Boot or Logon Autostart Execution: Active Setup
Event Triggered Execution: Image File Execution Options Injection
Malware family:
SparkRAT
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/91a2945d99ee/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/91a2945d99ee794a0461427a14ca731187b8143b847b85993ea7d5367c2c1c0c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/54736/

Comments