MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96ad97bd3816ebd44d00a42a667b31dec54fce719d07c6bcad5625d1791f887c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 11

SHA256 hash: 96ad97bd3816ebd44d00a42a667b31dec54fce719d07c6bcad5625d1791f887c
SHA3-384 hash: 1da5dae4cbd5acd01efe0480af2e93e1ddfed27617b5af9546ba1e0586c1de46758df17d6eafa0e6ccceb6fa7d6f3724
SHA1 hash: 063f6d7b87c498654100184c820b44d56240c837
MD5 hash: 17212f4e2e3ce6d283bacaf2d0ea2524
humanhash: ack-delaware-stream-nitrogen
File name: mugiwara_installer.exe
File size: 30'116'818 bytes
First seen: 2026-04-14 13:59:27 UTC
Last seen: 2026-04-15 23:53:41 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 88016fcdef7f227c62171d0afad9aae4 (12 x OffLoader, 10 x ValleyRAT, 4 x Gh0stRAT)
ssdeep: 786432:mESklQIak/B9RsfP06l6oFc33kMTTKP0qkd:7zakOFcbTTKP0Ld
Threatray: 167 similar samples on MalwareBazaar
TLSH: T1BE67337FE29BB43EE069193939B29110453B7A60A0564C56A7ECF8CCCF641B10E3E797
TrID: 50.8% (.EXE) Inno Setup installer (107240/4/30)
      20.4% (.EXE) InstallShield setup (43053/19/16)
      19.7% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
      3.0% (.EXE) Win64 Executable (generic) (6522/11/2)
      2.1% (.EXE) Win32 Executable (generic) (4504/4/1)
Magika: pebin
dhash icon: 5050d270cccc82ae (112 x Adware.Generic, 77 x OffLoader, 43 x LummaStealer)
Reporter: johnk3r
Tags: 187-77-255-35 consorciochevolet-shop exe pay-hostingshared99-com paymentsv2-mysynology-net

Intelligence

File Origin
Number of uploads: 3
Number of downloads: 131
Origin country: CH
Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: mugiwara_installer.exe
Verdict: Malicious activity
Analysis date: 2026-04-14 14:02:08 UTC
Tags: inno installer delphi auto-reg themida
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict: Malicious
Score: 93.3%
Tags: ransomware dropper delphi hype

Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Verdict: Clean
File Type: exe x32
First seen: 2026-04-14T09:55:00Z UTC
Last seen: 2026-04-14T10:07:00Z UTC
Hits: ~10

Result
Threat name: n/a
Detection: suspicious
Classification: evad
Score: 34 / 100
Signature
Found direct / indirect Syscall (likely to bypass EDR)
Hides threads from debuggers
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Behavior Graph ID: 1898124; Sample: mugiwara_installer.exe; Startdate: 14/04/2026; Architecture: WINDOWS; Score: 34
Processes started from the sample: mugiwara_installer.exe, TortoiseBlame.exe, TortoiseBlame.exe
Process chain: mugiwara_installer.exe starts mugiwara_installer.tmp; mugiwara_installer.tmp starts TortoiseBlame.exe
Dropped by mugiwara_installer.exe: C:\Users\user\...\mugiwara_installer.tmp (PE32)
Dropped by mugiwara_installer.tmp: C:\Users\user\...\TortoiseBlame.exe (copy, PE32+); C:\Users\user\AppData\Local\...\_setup64.tmp (PE32+); C:\Users\user\...\vcruntime140_1.dll (copy, PE32+); 64 other files (none is malicious)
Network (from TortoiseBlame.exe): pay.hostingshared99.com 104.21.7.222, ports 443, 49692, 49693, CLOUDFLARENETUS, United States; paymentsv2.mysynology.net 199.91.220.22, ports 49691, 80, AMCUS, United States
Signatures on the sample: PE file contains section with special chars
Signatures on TortoiseBlame.exe: Query firmware table information (likely to detect VMs); Hides threads from debuggers; Found direct / indirect Syscall (likely to bypass EDR); Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.); Tries to detect sandboxes and other dynamic analysis tools (window names); 2 other signatures
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2026-04-14 14:01:21 UTC
File Type: PE (Exe)
AV detection: 12 of 37 (32.43%)
Threat level: 5/5

Result
Malware family: n/a
Score: 9/10
Tags: defense_evasion discovery installer persistence trojan
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Inno Setup is an open-source installation builder for Windows applications.
System Location Discovery: System Language Discovery
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Checks BIOS information in registry
Executes dropped EXE
Loads dropped DLL
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Borland
Author: malware-lu

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: pe_detect_tls_callbacks

Rule name: SHA512_Constants
Author: phoul (@phoul)
Description: Look for SHA384/SHA512 constants

Rule name: TH_AntiVM_MassHunt_Win_Malware_2026_CYFARE
Author: CYFARE
Description: Detects Windows malware employing anti-VM / anti-sandbox evasion techniques across VMware, VirtualBox, Hyper-V, QEMU, Xen, and generic sandbox environments
Reference: https://cyfare.net/

File information


The table below shows additional information about this malware sample such as delivery method and external references.

File type: Executable exe
SHA256: 96ad97bd3816ebd44d00a42a667b31dec54fce719d07c6bcad5625d1791f887c (this sample)

Comments