MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b4e4b8e620f53b8010d5316945f930df1327ce11135617e3f075ec70ffd49d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 7

SHA256 hash: 9b4e4b8e620f53b8010d5316945f930df1327ce11135617e3f075ec70ffd49d1
SHA3-384 hash: 1f93de68ebb42fc3d5ec04b89dab371d9629706ebe63b44c406913a9a36bb0895f65bc48d64d19ca9b596315f544f815
SHA1 hash: 25e6f75bf8aa8ef1bb084164d0a45058c6f8ad16
MD5 hash: fed4d89f04744fd10c65069fd754adcb
humanhash: music-burger-ink-snake
File name: 82.msi
File size: 9'527'756 bytes
First seen: 2025-01-30 16:40:53 UTC
Last seen: 2025-04-09 13:13:47 UTC
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 196608:zg5DWFUldb2TR4YzXqOcj2k08S6z4f2YiNroYCw:l2ldKTR3TqOcjt34YCw
TLSH: T197A6F116B7988075E16F42318966A255D3BABC31473083CBB394770E3F736D1AB36B62
TrID: 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
      10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
      7.8% (.MSP) Windows Installer Patch (44509/10/5)
      1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: Anonymous
Tags: msi
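Before detonating or sharing a copy of this sample, check that the bytes on hand are the ones this entry describes, and confirm the container really is an OLE2 compound file (the structure behind an .msi, which is what the TrID result above is reporting). The Python below is an added example written for this page, not MalwareBazaar's own code: the expected digests and size are the values listed in this entry, while the header produced by `build_test_header()` is a constructed OLE2 v3 header used only to exercise the parser offline.

```python
import hashlib
import struct

# Digests and size exactly as listed in this MalwareBazaar entry for 82.msi.
EXPECTED_HASHES = {
    "md5": "fed4d89f04744fd10c65069fd754adcb",
    "sha1": "25e6f75bf8aa8ef1bb084164d0a45058c6f8ad16",
    "sha256": "9b4e4b8e620f53b8010d5316945f930df1327ce11135617e3f075ec70ffd49d1",
    "sha3_384": "1f93de68ebb42fc3d5ec04b89dab371d9629706ebe63b44c406913a9a36bb0895f65bc48d64d19ca9b596315f544f815",
}
EXPECTED_SIZE = 9_527_756

# OLE2 / Compound File Binary header: magic, CLSID, minor, major, byte order,
# sector shift, mini sector shift, reserved, then nine uint32 fields
# (dir sectors, FAT sectors, first dir sector, transaction sig, mini cutoff,
# first mini-FAT sector, mini-FAT sectors, first DIFAT sector, DIFAT sectors).
CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
CFB_HEADER = struct.Struct("<8s16s5H6s9I")


def digests(data):
    """Compute every digest this entry lists, using hashlib's algorithm names."""
    return {name: hashlib.new(name, data).hexdigest() for name in EXPECTED_HASHES}


def verify_sample(data, expected=EXPECTED_HASHES, expected_size=EXPECTED_SIZE):
    """Return a list of mismatches; an empty list means the bytes match the entry."""
    problems = []
    if len(data) != expected_size:
        problems.append(f"size {len(data)} != {expected_size}")
    got = digests(data)
    for name, want in expected.items():
        if got[name] != want.lower():
            problems.append(f"{name} mismatch: got {got[name]}")
    return problems


def parse_cfb_header(data):
    """Parse the 76-byte fixed part of a compound-file header and sanity-check it."""
    if len(data) < CFB_HEADER.size:
        raise ValueError("too short for a compound file header")
    (sig, _clsid, minor, major, byte_order, sector_shift, mini_shift, _res,
     _n_dir, n_fat, first_dir, _txn, mini_cutoff,
     _first_minifat, _n_minifat, _first_difat, n_difat) = CFB_HEADER.unpack_from(data)
    if sig != CFB_MAGIC:
        raise ValueError("not an OLE2 compound file (bad magic)")
    if byte_order != 0xFFFE:
        raise ValueError("unexpected byte-order mark")
    # Version 3 uses 512-byte sectors (shift 9), version 4 uses 4096 (shift 12).
    if (major, sector_shift) not in ((3, 9), (4, 12)):
        raise ValueError(f"inconsistent version/sector shift: v{major}, shift {sector_shift}")
    return {
        "version": (major, minor),
        "sector_size": 1 << sector_shift,
        "mini_sector_size": 1 << mini_shift,
        "fat_sectors": n_fat,
        "first_dir_sector": first_dir,
        "mini_stream_cutoff": mini_cutoff,
        "difat_sectors": n_difat,
    }


def build_test_header():
    """Constructed v3 header (NOT taken from the sample) so the parser can run offline."""
    fixed = CFB_HEADER.pack(CFB_MAGIC, b"\0" * 16, 0x3E, 3, 0xFFFE, 9, 6, b"\0" * 6,
                            0, 1, 1, 0, 4096, 2, 1, 0xFFFFFFFE, 0)
    return fixed + b"\xff" * (512 - CFB_HEADER.size)   # pad to one sector


if __name__ == "__main__":
    hdr = parse_cfb_header(build_test_header())
    print("constructed header:", hdr)
    print("mismatches for wrong bytes:", verify_sample(b"not the sample"))
```

Run `verify_sample(open("82.msi", "rb").read())` on a downloaded copy: an empty list means the size and every digest match. `parse_cfb_header` reads only the fixed header, so it tells you the sector size and where the directory starts; walking the FAT and directory to reach individual streams is the next step and is not shown here.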

Intelligence

File Origin
Uploads: 2
Downloads: 117
Origin country: US

Vendor Threat Intelligence

Verdict: Malicious
Score: 90.9%
Tags: shellcode vmdetect dropper smtp

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: adaptive-context anti-vm crypto explorer fingerprint keylogger lolbin remote wix
Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: n/a
Detection: malicious
Classification: spyw.evad.mine (Joe Sandbox shorthand for spyware, evasive, miner; consistent with the stealer, anti-analysis and crypto-mining signatures listed below)
Score: 88 / 100
Signature
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found strings related to Crypto-Mining
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
PE file has a writeable .text section
Sigma detected: Suspicious GUP Usage
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Writes to foreign memory regions
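Two of the findings on this page ("Windows PE Executable" in the earlier result and "PE file has a writeable .text section" above) are static checks that can be reproduced without a sandbox, on the dropped files the behaviour graph names (the MSI*.tmp, GUP.exe, libcurl.dll and javasign_test.exe artifacts) or on PEs carved out of the installer. The Python below is an added example for this page, not the sandbox's implementation: it locates MZ/PE headers inside an arbitrary blob, parses the COFF and section headers with the standard library only, and flags a .text section carrying IMAGE_SCN_MEM_WRITE. `build_test_pe()` assembles a constructed, non-runnable PE32+ skeleton purely for offline testing; the section flag constants are the documented PE values.

```python
import struct

# COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
COFF = struct.Struct("<HHIIIHH")
# Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics (40 bytes).
SECTION = struct.Struct("<8sIIIIIIHHI")

SCN_CODE, SCN_INIT_DATA = 0x00000020, 0x00000040
SCN_EXEC, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000


def find_embedded_pes(blob):
    """Offsets of every 'MZ' whose e_lfanew points at a 'PE\\0\\0' signature."""
    hits, pos = [], blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            # Real headers keep e_lfanew small; this also rejects random 'MZ' bytes.
            if 0x40 <= lfanew < 0x1000 and blob[pos + lfanew:pos + lfanew + 4] == b"PE\0\0":
                hits.append(pos)
        pos = blob.find(b"MZ", pos + 1)
    return hits


def parse_sections(pe):
    """Parse DOS/PE/COFF headers; return (optional-header format, list of section dicts)."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    _machine, nsec, _ts, _symptr, _nsym, opt_size, _chars = COFF.unpack_from(pe, e_lfanew + 4)
    opt_off = e_lfanew + 4 + COFF.size
    magic = struct.unpack_from("<H", pe, opt_off)[0]          # 0x10B PE32, 0x20B PE32+
    fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "unknown(0x%x)" % magic)
    sec_off = opt_off + opt_size                               # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsz, rawptr, _r, _l, _nr, _nl, flags = SECTION.unpack_from(
            pe, sec_off + i * SECTION.size)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": va, "vsize": vsize, "raw_size": rawsz,
                         "raw_ptr": rawptr, "flags": flags})
    return fmt, sections


def suspicious_sections(sections):
    """Static red flags of the kind the sandbox reports for this sample."""
    findings = []
    for s in sections:
        f = s["flags"]
        if s["name"] == ".text" and f & SCN_WRITE:
            findings.append(".text is writeable (code section mapped W+X: unpacking stub or self-modifying code)")
        elif f & SCN_WRITE and f & SCN_EXEC:
            findings.append(f"{s['name']} is both writeable and executable")
        if f & SCN_EXEC and s["raw_size"] == 0 and s["vsize"] > 0:
            findings.append(f"{s['name']} is executable but has no bytes on disk (filled at runtime)")
    return findings


def build_test_pe(text_flags):
    """Constructed PE32+ skeleton (not the sample, not runnable): DOS header, PE sig, COFF,
    240-byte optional header with only its magic set, and two section headers."""
    opt_size, e_lfanew = 240, 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = COFF.pack(0x8664, 2, 0, 0, 0, opt_size, 0x22)       # AMD64, 2 sections, EXECUTABLE_IMAGE|LARGE_ADDRESS_AWARE
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)
    text = SECTION.pack(b".text\0\0\0", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, text_flags)
    data = SECTION.pack(b".data\0\0\0", 0x100, 0x2000, 0x200, 0x600, 0, 0, 0, 0,
                        SCN_INIT_DATA | SCN_READ | SCN_WRITE)
    return dos + b"PE\0\0" + coff + opt + text + data


if __name__ == "__main__":
    sample = build_test_pe(SCN_CODE | SCN_EXEC | SCN_READ | SCN_WRITE)
    fmt, secs = parse_sections(sample)
    print(fmt, [(s["name"], hex(s["flags"])) for s in secs])
    print(suspicious_sections(secs))
```

Files packaged in an MSI's CAB streams are normally compressed, so the raw carve mainly finds binaries kept uncompressed in the Binary table (custom-action DLLs such as the MSI*.tmp files msiexec writes out), and a compound file's sector layout can split a stream, so a carved header is a lead to confirm on the extracted stream rather than a guarantee. A writeable .text section is not proof of malice on its own; packers commonly produce it, which is why the sandbox lists it as one signal among many.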
Behaviour

Behavior Graph ID: 1603202
Sample: 82.msi
Start date: 30/01/2025
Architecture: WINDOWS
Score: 88

DNS resolved by the sample: fg.microsoft.map.fastly.net, bapakopla.live
Sample-level signatures: PE file has a writeable .text section; Sigma detected: Suspicious GUP Usage; Joe Sandbox ML detected suspicious sample

Process tree (dropped files, network contacts and signatures are listed under the process they belong to; ports are as given in the graph):

msiexec.exe
  msiexec.exe
    dropped: C:\Users\user\AppData\Local\Temp\...\GUP.exe (PE32+)
    dropped: C:\Users\user\AppData\Local\...\ISBEW64.exe (PE32+)
    dropped: C:\Users\user\AppData\Local\...\libcurl.dll (PE32+)
    dropped: 2 other files (none is malicious)
    GUP.exe
      dropped: C:\Users\user\AppData\Roaming\...\GUP.exe (PE32+)
      dropped: C:\Users\user\AppData\Roaming\...\libcurl.dll (PE32+)
      Found direct / indirect Syscall (likely to bypass EDR)
      GUP.exe
        Maps a DLL or memory area into another process
        Found direct / indirect Syscall (likely to bypass EDR)
        cmd.exe
          dropped: C:\Users\user\AppData\...\javasign_test.exe (PE32+)
          dropped: C:\Users\user\AppData\Local\Temp\uikfehek (PE32+)
          Writes to foreign memory regions
          Found hidden mapped module (file has been removed from disk)
          Maps a DLL or memory area into another process
          Switches to a custom stack to bypass stack traces
          javasign_test.exe
            network: bapakopla.live 104.21.64.1, ports 443, 49978, 49980 (CLOUDFLARENETUS, United States)
            Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
            Found strings related to Crypto-Mining
            Tries to harvest and steal Bitcoin Wallet information
            Found direct / indirect Syscall (likely to bypass EDR)
            msedge.exe
              msedge.exe
          conhost.exe
    MpCmdRun.exe
      conhost.exe
    ISBEW64.exe
    9 other processes
GUP.exe
  Maps a DLL or memory area into another process
  Found direct / indirect Syscall (likely to bypass EDR)
  cmd.exe
    dropped: C:\Users\user\AppData\Local\Temp\bfh (PE32+)
    Writes to foreign memory regions
    Maps a DLL or memory area into another process
    javasign_test.exe
      Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
      Tries to harvest and steal browser information (history, passwords, etc)
    conhost.exe
msedge.exe
  network: 192.168.2.6; 192.168.2.9, ports 138, 443, 49160; 239.255.255.250 (reserved)
  msedge.exe
    network: c-msn-pme.trafficmanager.net 13.74.129.1, ports 443, 50002 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
    network: ax-0001.ax-msedge.net 150.171.27.10, ports 443, 50007 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
    27 other IPs or domains
  msedge.exe
  msedge.exe
  msedge.exe
msiexec.exe
  dropped: C:\Users\user\AppData\Local\...\MSIBD70.tmp (PE32)
  dropped: C:\Users\user\AppData\Local\...\MSIBA81.tmp (PE32)
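The process tree in this report is the shape a detection engineer wants to catch on an endpoint: msiexec writing GUP.exe and libcurl.dll into AppData, GUP.exe (the Notepad++ updater, WinGUp, which loads libcurl.dll by name) being launched from that user-writable directory and spawning cmd.exe, and a later stage talking to bapakopla.live. The report itself only says "Sigma detected: Suspicious GUP Usage"; reading the dropped GUP.exe/libcurl.dll pair as DLL sideloading is an inference from the paths, not something the page states. The Python below is an added example for this page (not Sigma rule text and not the sandbox's code) that approximates that Sigma rule's logic, GUP.exe executed from outside a Notepad++ updater directory, and correlates it with the dropped-file and network indicators from this entry. The event schema, host names, user name and the `example.org` traffic are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Indicators taken from this entry's sandbox report.
IOC_DOMAINS = {"bapakopla.live"}
IOC_IPS = {"104.21.64.1"}
DROPPED_NAMES = {"gup.exe", "libcurl.dll", "isbew64.exe", "javasign_test.exe", "bfh", "uikfehek"}

# Where the real Notepad++ updater lives; anything else is the Sigma rule's "suspicious" case.
LEGIT_GUP = re.compile(r"\\notepad\+\+\\updater\\gup\.exe$", re.I)
USER_WRITABLE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\(local|roaming)\\", re.I)


def check_event(ev):
    """Stateless per-event rules. Returns a list of (rule, detail) findings."""
    out = []
    if ev["type"] == "process":
        img = ev["image"]
        if img.lower().endswith("\\gup.exe") and not LEGIT_GUP.search(img):
            out.append(("suspicious_gup_usage", img))
        if ev.get("parent", "").lower().endswith("\\gup.exe") and img.lower().endswith("\\cmd.exe"):
            out.append(("gup_spawns_cmd", f"{ev['parent']} -> {img}"))
    elif ev["type"] == "file_write":
        path = ev["path"]
        name = path.rsplit("\\", 1)[-1].lower()
        if name in DROPPED_NAMES and USER_WRITABLE.match(path):
            out.append(("dropped_artifact", path))
    elif ev["type"] == "network":
        if ev.get("domain") in IOC_DOMAINS or ev.get("dst_ip") in IOC_IPS:
            out.append(("c2_ioc", f"{ev.get('domain')} {ev.get('dst_ip')}:{ev.get('dst_port')}"))
    return out


def correlate(events):
    """Run the per-event rules, then add the stateful sideload check: GUP.exe and
    libcurl.dll written into the same user-writable directory on one host."""
    findings = defaultdict(list)
    writes = defaultdict(set)
    for ev in events:
        findings[ev["host"]].extend(check_event(ev))
        if ev["type"] == "file_write":
            directory, _, name = ev["path"].rpartition("\\")
            writes[(ev["host"], directory.lower())].add(name.lower())
    for (host, directory), names in writes.items():
        if {"gup.exe", "libcurl.dll"} <= names and USER_WRITABLE.match(directory + "\\"):
            findings[host].append(("gup_sideload_pair", directory))
    return dict(findings)


# Constructed telemetry (not from the sandbox): ws01 mirrors this sample's chain,
# ws02 is a legitimate Notepad++ update that must not fire.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "image": r"C:\Windows\System32\msiexec.exe", "parent": r"C:\Windows\explorer.exe"},
    {"host": "ws01", "type": "file_write", "path": r"C:\Users\alice\AppData\Roaming\Updater\GUP.exe"},
    {"host": "ws01", "type": "file_write", "path": r"C:\Users\alice\AppData\Roaming\Updater\libcurl.dll"},
    {"host": "ws01", "type": "process", "image": r"C:\Users\alice\AppData\Roaming\Updater\GUP.exe", "parent": r"C:\Windows\System32\msiexec.exe"},
    {"host": "ws01", "type": "process", "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Users\alice\AppData\Roaming\Updater\GUP.exe"},
    {"host": "ws01", "type": "network", "domain": "bapakopla.live", "dst_ip": "104.21.64.1", "dst_port": 443},
    {"host": "ws02", "type": "process", "image": r"C:\Program Files\Notepad++\updater\GUP.exe", "parent": r"C:\Program Files\Notepad++\notepad++.exe"},
    {"host": "ws02", "type": "network", "domain": "updates.example.org", "dst_ip": "203.0.113.5", "dst_port": 443},
]


if __name__ == "__main__":
    for host, hits in correlate(SAMPLE_EVENTS).items():
        print(host, "->", hits or "clean")
```

In production the events would come from Sysmon (event IDs 1, 11 and 3) or EDR telemetry rather than the dicts above. The rule names are local labels; the domain and IP sets are this sample's indicators and should be treated as such, since infrastructure rotates, while the GUP.exe path check and the sideload pairing are the parts that generalise.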
Result
Malware family: n/a
Score: 7/10
Tags: collection discovery persistence privilege_escalation spyware stealer
Behaviour
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
outlook_office_path
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Enumerates connected drives
Reads WinSCP keys stored on the system
Verdict: Informative
Tags: n/a
YARA: n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: MD5_Constants
Author: phoul (@phoul)
Description: Look for MD5 constants

Rule name: NET
Author: malware-lu

Rule name: RANSOMWARE
Author: ToroGuitar

Rule name: Suspicious_Latam_MSI_and_ZIP_Files
Author: eremit4, P4nd3m1cb0y
Description: Detects suspicious .msi and .zip files used in Latam banking trojan campaigns.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

Rule name: vmdetect
Author: nex
Description: Possibly employs anti-virtualization techniques

File information


No additional information (delivery method, external references) is listed for this sample.

Comments