MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9645fbf7029a23dff42283924cb3cd63a750bb734e2ab31b13d1b459c014e1cf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9645fbf7029a23dff42283924cb3cd63a750bb734e2ab31b13d1b459c014e1cf
SHA3-384 hash: 817d9e2bd9a669c1aa9714f14785208884cff9cfeb4fb6af07ed7ee7a7b5bff6015b82ef0debdbf6f85d16aa82966374
SHA1 hash: 7c63ff20b33443c5cf83f4c98ef0c923a2fad838
MD5 hash: cd686324a88015c338cbf56150223f4f
humanhash: robin-music-whiskey-stream
File name:setup.msi
Download: download sample
File size:29'888'512 bytes
First seen:2026-03-18 08:14:48 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 786432:53vPQ8mJM/paWkD5yljUIYaOJBR+y6ytsr5Y9X+5rU:53vpmJM/paWo0FUhBROJrM2o
TLSH T12B6733E3D8D30676E52FA63F4BA4A4045D82FC618B430E2AAD3D376258F36D235F6149
TrID 86.8% (.MSI) Microsoft Windows Installer (454500/1/170)
11.6% (.MST) Windows SDK Setup Transform script (61000/1/5)
1.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter tcains1
Tags:msi signed

Code Signing Certificate

Organisation:CrystalDewWorld
Issuer:CrystalDewWorld
Algorithm:sha256WithRSAEncryption
Valid from:2026-03-18T03:34:29Z
Valid to:2029-03-18T03:44:30Z
Serial number: 12e110eedbf087924b75a329b816c2df
Thumbprint Algorithm:SHA256
Thumbprint: c39935090ca2b8813d9d119f00c805b78c63be587a896037bcba116ead17546b
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
54
Origin country :
US US
Vendor Threat Intelligence
Gathering data
Detection:
WinosStager
Create hunting rule
Link:
https://www.capesandbox.com/analysis/57885/
Verdict:
Clean
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69ba5f2893b644ca466b3834
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug base64 CAB crypto expand fingerprint installer installer lolbin signed
Link:
https://www.filescan.io/uploads/69ba5f224ec2f522cc4d8ebe/reports/278041fd-bf52-4d63-aeb8-7cdcaca4cde6/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/9645fbf7029a23dff42283924cb3cd63a750bb734e2ab31b13d1b459c014e1cf
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/9645fbf7029a23dff42283924cb3cd63a750bb734e2ab31b13d1b459c014e1cf
Score:
100%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/9645fbf7029a23dff42283924cb3cd63a750bb734e2ab31b13d1b459c014e1cf
Verdict:
Malware
YARA:
4 match(es)
Tags:
CAB:COMPRESSION:MSZIP DeObfuscated Executable Obfuscated Office Document PDB Path PE (Portable Executable) PE File Layout T1059.005 VBScript Wscript.Shell
Link:
https://app.malva.re/file/cd686324a88015c338cbf56150223f4f
Gathering data
Verdict:
Malicious
Threat:
Trojan-Dropper.OLE2.Agent
Link:
https://tip.neiki.dev/file/9645fbf7029a23dff42283924cb3cd63a750bb734e2ab31b13d1b459c014e1cf
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=szc7x5yctir575bcqojezm6nmotvbo3tjyvlggyt2g2ftqau4hhq._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence privilege_escalation ransomware
Link:
https://tria.ge/reports/260318-j5tf3sdz9z/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
Drops file in Windows directory
Badlisted process makes network request
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9645fbf7029a23dff42283924cb3cd63a750bb734e2ab31b13d1b459c014e1cf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:FreddyBearDropper
Create hunting rule
Author:Dwarozh Hoshiar
Description:Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:upxHook
Create hunting rule
Author:@r3dbU7z
Description:Detect artifacts from 'upxHook' - modification of UPX packer
Reference:https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Microsoft Software Installer (MSI) msi 9645fbf7029a23dff42283924cb3cd63a750bb734e2ab31b13d1b459c014e1cf

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/57885/

Comments