MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a7161c9a7c54a47d27459655725d2ade242d0931d6272c75a36f07df45220b08. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 13


Intelligence 13 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a7161c9a7c54a47d27459655725d2ade242d0931d6272c75a36f07df45220b08
SHA3-384 hash: c5b799436c4cfa4dadb44746442cf0a0c73c38d5855cac55c28b5192fbc0cdeb3528b8a8229cc08ea51d3bd2fa11e302
SHA1 hash: c05a34cba8134d8c4d0dcc7c58a7a4264cbf5023
MD5 hash: e0058681fabb8e49ec780fdd78ec01fd
humanhash: single-lion-network-kentucky
File name:evv.msi
Download: download sample
File size:1'081'344 bytes
First seen:2025-12-30 07:52:20 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 24576:WFlRluKfICNEJfYheHfjNl09WiK2jf8XHqACwWN7YQOZ5WUC3:WFlHuKfFNEJuirb0H/rFACd7YQOZ5WL
Threatray 15 similar samples on MalwareBazaar
TLSH T12C35337A6CDE827AC82087B4D6D3BC098F327C09AD6F15BC70C4B37B1EB166495A5709
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter smica83
Tags:msi Plugx

Intelligence

File Origin
# of uploads :
1
# of downloads :
53
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
MSI
Details
MSI
an embedded setup program or component
Link:
https://research.acce.ciphertechsolutions.com/results/c1289cad-0556-440a-a5fe-3de095d470bd/
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/46525/
Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=695384ee7d915bf1778ee639
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-debug evasive installer installer korplug
Link:
https://www.filescan.io/uploads/695384eb127d6a14e0c7ea88/reports/bba63602-9836-4f08-b075-d75045a5c50b/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/a7161c9a7c54a47d27459655725d2ade242d0931d6272c75a36f07df45220b08
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/a7161c9a7c54a47d27459655725d2ade242d0931d6272c75a36f07df45220b08
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
msi
First seen:
2025-12-30T05:14:00Z UTC
Last seen:
2025-12-30T10:58:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.Win32.Agentb.gen Trojan.Win32.Dedok.sb
Link:
https://opentip.kaspersky.com/a7161c9a7c54a47d27459655725d2ade242d0931d6272c75a36f07df45220b08/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1841984
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Suricata IDS alerts for network traffic
Unusual module load detection (module proxying)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1841984 Sample: evv.msi Startdate: 30/12/2025 Architecture: WINDOWS Score: 100 44 famisu.com 2->44 46 us1.roaming1.live.com.akadns.net 2->46 48 11 other IPs or domains 2->48 56 Suricata IDS alerts for network traffic 2->56 58 Malicious sample detected (through community Yara rule) 2->58 60 Multi AV Scanner detection for dropped file 2->60 62 2 other signatures 2->62 9 msiexec.exe 83 37 2->9         started        12 steam_monitor.exe 2->12         started        15 steam_monitor.exe 2->15         started        17 msiexec.exe 3 2->17         started        signatures3 process4 file5 40 C:\Users\user\AppData\...\steam_monitor.exe, PE32 9->40 dropped 42 C:\Users\user\AppData\...\crashhandler.dll, PE32 9->42 dropped 19 steam_monitor.exe 9 8 9->19         started        76 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 12->76 78 Found evasive API chain (may stop execution after checking mutex) 12->78 80 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 12->80 82 2 other signatures 12->82 signatures6 process7 dnsIp8 50 famisu.com 104.21.87.111, 443, 49714, 49748 CLOUDFLARENETUS United States 19->50 34 C:\ProgramData\...\steam_monitor.exe, PE32 19->34 dropped 36 C:\ProgramData\VirtualFile\crashhandler.dll, PE32 19->36 dropped 38 C:\Users\...\Ba o ca o ve^` ti`nh hi`nh.docx, Microsoft 19->38 dropped 64 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 19->64 66 Obfuscated command line found 19->66 68 Unusual module load detection (module proxying) 19->68 70 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 19->70 24 cmd.exe 1 19->24         started        27 WINWORD.EXE 121 97 19->27         started        file9 signatures10 process11 dnsIp12 72 Uses ping.exe to sleep 24->72 74 Uses ping.exe to check the status of other devices and networks 24->74 30 conhost.exe 24->30         started        32 PING.EXE 1 24->32         started        52 part-0029.t-0009.t-msedge.net 13.107.246.57, 443, 49722 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 27->52 54 mira-ofc.tm-4.office.com 52.110.1.55, 443, 49718 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 27->54 signatures13 process14
Score:
94%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/a7161c9a7c54a47d27459655725d2ade242d0931d6272c75a36f07df45220b08
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a7161c9a7c54a47d27459655725d2ade242d0931d6272c75a36f07df45220b08/
Verdict:
Malicious
Threat:
Trojan.Win32.Agentb
Link:
https://tip.neiki.dev/file/a7161c9a7c54a47d27459655725d2ade242d0931d6272c75a36f07df45220b08
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-12-30 07:53:19 UTC
File Type:
Binary (Archive)
Extracted files:
35
AV detection:
7 of 36 (19.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=u4lbzgt4kssh2j2fszkxexjk3ysc2cjr2ytsy5ndn4d56rjcbmea._file
Verdict:
malicious
Label(s):
canonstager
Create hunting rule
doplugs
Create hunting rule
Similar samples:
8c0051a83b3611ff2b669b670aa005633f3d9e844454a112b31d2a4bc944a234
c4e3c29367426fe4ed718ab448fbdf2cf8690c81ea539805569cdff88317db9f
error
f772a89fd70aa30f456b016d679f8fe62860e5f1a5a3b494e9ff8e6fd143fc8c
+ 5 additional samples on MalwareBazaar
Gathering data
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/f10f2438-a9d9-4df6-9a17-c23610cf5aef
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a7161c9a7c54a47d27459655725d2ade242d0931d6272c75a36f07df45220b08

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/46525/

Comments