MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a39f361c5a8719f70aa708c0d84bbfb8cfddf10e34dc3e4923e5a28c58308dcf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a39f361c5a8719f70aa708c0d84bbfb8cfddf10e34dc3e4923e5a28c58308dcf
SHA3-384 hash: 4f2acf376544cdbe11d32d6f06e251c6b00442d5e9e10f4dfc137177a9d948a75289d1ae5a6dbaeb9440744ebea72a90
SHA1 hash: e6c3676db6f80f8499548ce5bf11f0282364a571
MD5 hash: 9ee2b08b8be67b5901555f188bc61c35
humanhash: charlie-washington-king-seven
File name:XQJFCIHF.msi
Download: download sample
File size:8'351'744 bytes
First seen:2025-04-09 12:37:48 UTC
Last seen:2025-04-09 14:30:30 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 196608:zWDBa9r/e7RqhtqEeoFUOx0lRjfHlT02bJY74TpFcrjFuWceIuwo:zW9qq7g3XeCHcfHlJb27oUrjBcen
TLSH T154863332DA134F3BDD0F50BA4960B6481549CD58ABA2B76B5304B3AD8C764B4EC9E0FC
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter JAMESWT_WT
Tags:brokpolok-shop cdn-jsdelivr-net msi

Intelligence

File Origin
# of uploads :
3
# of downloads :
72
Origin country :
IT IT
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/1332/
Verdict:
Malicious
Score:
81.4%
Link:
https://cyber-fortress.com/docs/result/index.php?id=67f66f7ff9ba909217cdd551
Tags:
shellcode spawn micro
Verdict:
Unknown
Threat level:
  2.5/10
Confidence:
100%
Tags:
expired-cert installer wix
Link:
https://www.filescan.io/uploads/67f66a31b070fb3f94612958/reports/dbea47c6-5598-4452-a31b-8a0a5ce847df/overview
Verdict:
Suspicious
Labled as:
Generik.JWKDWMW trojan
Link:
https://www.hybrid-analysis.com/sample/a39f361c5a8719f70aa708c0d84bbfb8cfddf10e34dc3e4923e5a28c58308dcf
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/a39f361c5a8719f70aa708c0d84bbfb8cfddf10e34dc3e4923e5a28c58308dcf
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1660778
Signature
Antivirus detection for URL or domain
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Switches to a custom stack to bypass stack traces
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1660778 Sample: XQJFCIHF.msi Startdate: 09/04/2025 Architecture: WINDOWS Score: 84 61 tenacious-axiom-8.cfd 2->61 67 Antivirus detection for URL or domain 2->67 69 Multi AV Scanner detection for dropped file 2->69 71 Multi AV Scanner detection for submitted file 2->71 73 Joe Sandbox ML detected suspicious sample 2->73 10 msiexec.exe 81 41 2->10         started        13 ABUsbTips.exe 3 2->13         started        16 msiexec.exe 3 2->16         started        signatures3 process4 file5 47 C:\Users\user\AppData\Local\...\msvcr80.dll, PE32 10->47 dropped 49 C:\Users\user\AppData\Local\...\msvcp80.dll, PE32 10->49 dropped 51 C:\Users\user\AppData\Local\...\QtGui4.dll, PE32 10->51 dropped 55 2 other files (none is malicious) 10->55 dropped 18 ABUsbTips.exe 8 10->18         started        53 C:\Users\user\AppData\Local\Temp\xjxl, PE32+ 13->53 dropped 87 Maps a DLL or memory area into another process 13->87 89 Found direct / indirect Syscall (likely to bypass EDR) 13->89 22 JavaOracle_test_v2.exe 13->22         started        24 cmd.exe 1 13->24         started        signatures6 process7 file8 39 C:\Users\user\AppData\Roaming\...\msvcr80.dll, PE32 18->39 dropped 41 C:\Users\user\AppData\Roaming\...\msvcp80.dll, PE32 18->41 dropped 43 C:\Users\user\AppData\Roaming\...\QtGui4.dll, PE32 18->43 dropped 45 2 other malicious files 18->45 dropped 75 Switches to a custom stack to bypass stack traces 18->75 26 ABUsbTips.exe 4 18->26         started        77 Found direct / indirect Syscall (likely to bypass EDR) 22->77 30 conhost.exe 24->30         started        signatures9 process10 file11 57 C:\Users\user\AppData\Local\Temp\xpjd, PE32+ 26->57 dropped 59 C:\Users\user\...\JavaOracle_test_v2.exe, PE32+ 26->59 dropped 79 Found hidden mapped module (file has been removed from disk) 26->79 81 Maps a DLL or memory area into another process 26->81 83 Switches to a custom stack to bypass stack traces 26->83 85 Found direct / indirect Syscall (likely to bypass EDR) 26->85 32 cmd.exe 3 26->32         started        35 JavaOracle_test_v2.exe 26->35         started        signatures12 process13 signatures14 63 Switches to a custom stack to bypass stack traces 32->63 37 conhost.exe 32->37         started        65 Found direct / indirect Syscall (likely to bypass EDR) 35->65 process15
Score:
0%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/a39f361c5a8719f70aa708c0d84bbfb8cfddf10e34dc3e4923e5a28c58308dcf
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a39f361c5a8719f70aa708c0d84bbfb8cfddf10e34dc3e4923e5a28c58308dcf/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-03-28 12:15:17 UTC
File Type:
Binary (Archive)
Extracted files:
30
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uoptmhc2q4m7ocvhbdanqs57xdh534iogtod4sjd4wriywbqrxhq._file
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery persistence privilege_escalation
Link:
https://tria.ge/reports/250409-pt3s9szqs4/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates connected drives
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/2c3f006d-6905-4d2d-b447-509389c785b2
Malware family:
HijackLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/a39f361c5a87/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a39f361c5a8719f70aa708c0d84bbfb8cfddf10e34dc3e4923e5a28c58308dcf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Microsoft Software Installer (MSI) msi a39f361c5a8719f70aa708c0d84bbfb8cfddf10e34dc3e4923e5a28c58308dcf

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/1332/
  
URLhaus
https://urlhaus.abuse.ch/url/3505509/
  
Delivery method
Distributed via web download

Comments