MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b16987f993d709d64113a32ed76c3efce5e146dbf1b5abd4e9151d03d4ed5641. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 11

Intelligence 11 IOCs YARA 1 File information Comments

SHA256 hash:	b16987f993d709d64113a32ed76c3efce5e146dbf1b5abd4e9151d03d4ed5641
SHA3-384 hash:	9b6802eec93bcbba27231b3520af1b38d0238fa7438835b1a01b9d478feb3ec0d5180ee845c7aebdd6045fe5bb3ec9f0
SHA1 hash:	10bd1202dab5682ad0ab267e0a1f730e69b98a42
MD5 hash:	672ba272eb48555ca9a515f2ab90ea25
humanhash:	eleven-oranges-ohio-social
File name:	DOC-041079A6.msi
Download:	download sample
File size:	65'536 bytes
First seen:	2026-04-16 05:23:18 UTC
Last seen:	Never
File type:	msi
MIME type:	application/x-msi
ssdeep	768:o9dnv6IQGxyHS8VllF0JyG65OpMqr83Q63cq/+4yv0XMD5k4V95Ndc:0s0yHS8wJy5GMqoQM+wMVNHdc
TLSH	T1CB53F1617B08C57AE5126AB10964C66C4F29DC9DED711A63BFBBB32C9C701C12B94392
Magika	msi
Reporter	KodaDr
Tags:	msi signed

Code Signing Certificate

Organisation:	Adobe Acrobat PDF
Issuer:	Adobe Acrobat PDF
Algorithm:	sha256WithRSAEncryption
Valid from:	2026-04-15T01:58:30Z
Valid to:	2027-04-15T02:08:30Z
Serial number:	318f553bf62a708541b50287301beb03
Thumbprint Algorithm:	SHA256
Thumbprint:	f188128583bb8e777e33e540e0a85c05c033b0e6bbf48b1670df5d9182ce4971
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Malware configuration found for:

MSI

Details

MSI

an embedded setup program or component

Link:

https://research.acce.ciphertechsolutions.com/results/b9a5e75f-3393-4bef-a988-39402bba2d0e/

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/61818/

Detection(s):

Sanesecurity.Foxhole.Cab_ext_Pdfexe2.UNOFFICIAL

Verdict:

Clean

Score:

89.3%

Link:

https://cyber-fortress.com/docs/result/index.php?id=69e0726245787c53e53a2cff

Tags:

n/a

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

installer overlay packed packed signed virus wix

Link:

https://www.filescan.io/uploads/69e0725b5ea31bc68a2fca20/reports/4636775a-3ba0-4432-ac3d-5cead98e4be0/overview

Verdict:

Suspicious

Labled as:

Suspicious

Link:

https://www.hybrid-analysis.com/sample/b16987f993d709d64113a32ed76c3efce5e146dbf1b5abd4e9151d03d4ed5641

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/b16987f993d709d64113a32ed76c3efce5e146dbf1b5abd4e9151d03d4ed5641

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

File Type:

msi

First seen:

2026-04-16T02:29:00Z UTC

Last seen:

2026-04-16T11:11:00Z UTC

Hits:

~10

Detections:

Trojan.Win64.Agent.sb Trojan.Win32.Pakes.Krap.c Packed.Win32.Krap.c

Link:

https://opentip.kaspersky.com/b16987f993d709d64113a32ed76c3efce5e146dbf1b5abd4e9151d03d4ed5641/results?tab=lookup

Score:

99%

Verdict:

Malware

File Type:

Result

Malware family:

n/a

Score:

9/10

Tags:

defense_evasion discovery execution persistence privilege_escalation ransomware spyware stealer trojan

Link:

https://tria.ge/reports/260416-f3fknaay8y/

Behaviour

Checks SCSI registry key(s)

Checks processor information in registry

Enumerates system info in registry

Modifies data under HKEY_USERS

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

System Location Discovery: System Language Discovery

Drops file in Windows directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Badlisted process makes network request

Checks whether UAC is enabled

Enumerates connected drives

Looks up external IP address via web service

Network Share Discovery

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Downloads MZ/PE file

Looks for VMWare Tools registry key

Enumerates VirtualBox registry keys

Looks for VirtualBox Guest Additions in registry

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b16987f993d709d64113a32ed76c3efce5e146dbf1b5abd4e9151d03d4ed5641

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	FreddyBearDropper Create hunting rule
Author:	Dwarozh Hoshiar
Description:	Freddy Bear Dropper is dropping a malware through base63 encoded powershell scrip.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/61818/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample