MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4d1844c0a492f4f0095e8f2d0c84e99a6cb2093ce57d750e76f8b3d345d0e7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 9

SHA256 hash: a4d1844c0a492f4f0095e8f2d0c84e99a6cb2093ce57d750e76f8b3d345d0e7d
SHA3-384 hash: a31c64fc25b5f48d137fec7ed9b33f7ef4cb530fd056e6fd1a58f514f4ee3e0eb1e388b75cb014fd455098c7e3e84ded
SHA1 hash: c84b96f954fae992ea16c14945e2a9d5e622040a
MD5 hash: 0d08257a76aa4f14a0425ca210413775
humanhash: north-equal-saturn-ceiling
File name: Dwglq.msi
File size: 48'435'200 bytes
First seen: 2026-02-09 13:07:32 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 786432:lG1xYlnXB/BZKOBouTXUPtRBF5ZyrUegbB21b4N4E1NfwSJmYS0yOTPapnFenqO8:lG1UXDMl37NIrww1bbE1NJDtyOTPQnq+
TLSH: T165B733217A8EC636E25D4073997EEE0E81757C67033041C7A3F4B95EAE319C06A7DB92
TrID: 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
      10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
      7.8% (.MSP) Windows Installer Patch (44509/10/5)
      1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: smica83
Tags: msi

Intelligence

File Origin
# of uploads: 1
# of downloads: 41
Origin country: HU
Vendor Threat Intelligence
Verdict: Malicious
Score: 70%
Tags: dridex virus spawn

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-debug base64 cmd crypto expired-cert fingerprint installer keylogger lolbin msiexec packed short-lived-cert wix
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict: Malicious
File Type: msi
First seen: 2026-02-09T10:16:00Z UTC
Last seen: 2026-02-10T21:08:00Z UTC
Hits: ~10
Detections: Trojan.Win32.Shellcode.mjr, Trojan.Win64.Agentb.sb, Trojan.Win32.Shellcode.sb, Trojan.Win32.Agent.sb, Backdoor.Agent.TCP.C&C
Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 100 / 100
Signatures:
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Disable UAC(promptonsecuredesktop)
Disables UAC (registry)
Drops executables to the windows directory (C:\Windows) and starts them
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Multi AV Scanner detection for dropped file
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Suricata IDS alerts for network traffic
Unusual module load detection (module proxying)
Behaviour
Behavior Graph ID: 1866069
Sample: Dwglq.msi
Start date: 09/02/2026
Architecture: WINDOWS
Score: 100

Sample-level network contacts: gce-beacons.gcp.gvt2.com; beacons2.gvt2.com; 3 other IPs or domains
Sample-level signatures: Suricata IDS alerts for network traffic; Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; 2 other signatures

Process tree recovered from the behavior graph (indentation shows parent/child; "dropped", "network" and "signature(s)" lines belong to the process above them):

Dwglq.msi
  msiexec.exe
    dropped: C:\Windows\Installer\MSIBC83.tmp (PE32+); C:\Windows\Installer\MSIA4C3.tmp (PE32); C:\Windows\Installer\MSIA473.tmp (PE32); 3 other malicious files
    signature: Drops executables to the windows directory (C:\Windows) and starts them
    MSIBC83.tmp
      cili.exe
        dropped: C:\ProgramData\Python\wefault.exe (PE32); C:\ProgramData\Python\...\wefault.exe (PE32+); C:\ProgramData\Python\...\vcruntime140.dll (PE32+); 4 other malicious files
        cmd.exe
          wefault.exe
            network: 119.28.195.39 (ports 49784, 49792, 49798; TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN, China); 223.5.5.5 (ports 443, 49781, 49796; CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC, China)
            signatures: Bypasses PowerShell execution policy; Adds a directory exclusion to Windows Defender; Disables UAC (registry); 2 other signatures
            powershell.exe
              signature: Loading BitLocker PowerShell Module
              conhost.exe
        conhost.exe
    msiexec.exe
      DWg.exe
        dropped: C:\Users\user\AppData\Local\...\updater.exe (PE32)
        updater.exe
          dropped: C:\Program Files (x86)behaviorgraphoogle\...\updater.exe (PE32)
          updater.exe
    msiexec.exe
  msiexec.exe
    dropped: C:\Users\user\AppData\Local\...\MSIBD91.tmp (PE32); C:\Users\user\AppData\Local\...\MSIBD52.tmp (PE32); C:\Users\user\AppData\Local\...\MSI8866.tmp (PE32); 7 other malicious files
  wefault.exe
    wefault.exe
      wefault.exe
        network: 43.128.42.125 (ports 49804, 6666; LILLY-ASUS, Japan)
        signature: Adds a directory exclusion to Windows Defender
        powershell.exe
          signature: Loading BitLocker PowerShell Module
          conhost.exe
      WerFault.exe
  19 other processes
    network: 192.168.2.4 (ports 138, 443, 49236; unknown)
    chrome.exe
      network: googlehosted.l.googleusercontent.com 142.250.73.129 (ports 443, 49751, 49773; GOOGLEUS, United States); play.google.com 142.251.45.142 (ports 443, 49756, 49757; GOOGLEUS, United States); 13 other IPs or domains
    WerFault.exe
Threat name: Win32.Trojan.Etset
Status: Malicious
First seen: 2026-02-09 10:05:50 UTC
File Type: Binary (Archive)
Extracted files: 298
AV detection: 9 of 24 (37.50%)
Threat level: 5/5

Result
Malware family: n/a
Score: 7/10
Tags: discovery persistence privilege_escalation
Behaviour:
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Enumerates connected drives
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: CP_Script_Inject_Detector
Author: DiegoAnalytics
Description: Detects attempts to inject code into another process across PE, ELF, Mach-O binaries

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Detect_MSI_LATAM_Banker_From_LatAm

Rule name: Sus_CMD_Powershell_Usage
Author: XiAnzheng
Description: May Contain (Obfuscated or no) Powershell or CMD Command that can be abused by threat actor (can create FP)

Rule name: upxHook
Author: @r3dbU7z
Description: Detect artifacts from 'upxHook' - modification of UPX packer
Reference: https://bazaar.abuse.ch/sample/6352be8aa5d8063673aa428c3807228c40505004320232a23d99ebd9ef48478a/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments