MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c26395dd3a7bcaa8fb1d741fa599948f16334ec972ee28d5da2ac08a67b94591. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c26395dd3a7bcaa8fb1d741fa599948f16334ec972ee28d5da2ac08a67b94591
SHA3-384 hash: a8a54ea0e7fde38ed7cbe8f0d25ddff01e70d4d9f3f5fe0080ef9802bc627b489e76dc7630aa0da809e3c1f0ce9d278a
SHA1 hash: e2766df672926c83751b14169729733f25dbd948
MD5 hash: a613cce7d94f32b45b9ccbdb805ac969
humanhash: skylark-oxygen-seventeen-pizza
File name:GYGVDIXT.msi
Download: download sample
File size:4'907'008 bytes
First seen:2025-04-22 16:00:56 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:MhQRE/PzTE3zg5OHTXp4d2C4AEjZ65e3EgWZ9WZHurYyWDhb3W3tw/:dRsnmg2ZTAU68lWWrlb3W3
Threatray 1 similar samples on MalwareBazaar
TLSH T1BF363379A2D01B82E97B1972B194CD1C03FC9E2BB600E20C261FFA6516F9A468DD751F
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter abuse_ch
Tags:msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
67
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/3471/
Detection(s):
SecuriteInfo.com.FileRepMalware.18245.20576.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
90.2%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6805896f280f5f89a0d28993
Tags:
shellcode spawn
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
expired-cert installer wix
Link:
https://www.filescan.io/uploads/6807bd5a89fec6b88ba0bda7/reports/b0bb321c-9ed2-4d9c-9bd7-fca2baac71a6/overview
Verdict:
Suspicious
Labled as:
Generik.ZXCIQT trojan
Link:
https://www.hybrid-analysis.com/sample/c26395dd3a7bcaa8fb1d741fa599948f16334ec972ee28d5da2ac08a67b94591
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/c26395dd3a7bcaa8fb1d741fa599948f16334ec972ee28d5da2ac08a67b94591
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1671228
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
Creates a thread in another existing process (thread injection)
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Connection Initiated Via Certutil.EXE
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1671228 Sample: GYGVDIXT.msi Startdate: 22/04/2025 Architecture: WINDOWS Score: 100 111 up1-c-dn.cfd 2->111 113 fastcdn-server.cfd 2->113 115 3 other IPs or domains 2->115 139 Suricata IDS alerts for network traffic 2->139 141 Malicious sample detected (through community Yara rule) 2->141 143 Antivirus detection for URL or domain 2->143 145 4 other signatures 2->145 11 msiexec.exe 160 72 2->11         started        14 Runner_Bina.exe 2->14         started        17 Deco_I.exe 2->17         started        19 2 other processes 2->19 signatures3 process4 dnsIp5 93 C:\Users\user\AppData\Local\...\StlpMt45.dll, PE32 11->93 dropped 95 C:\Users\user\AppData\Local\...\Rtl60.bpl, PE32 11->95 dropped 97 C:\Users\user\AppData\Local\...\Deco_I.exe, PE32 11->97 dropped 103 6 other malicious files 11->103 dropped 22 Runner_Bina.exe 7 11->22         started        26 Deco_I.exe 8 11->26         started        99 C:\Users\user\AppData\Local\...\FAF2C34.tmp, PE32+ 14->99 dropped 173 Modifies the context of a thread in another process (thread injection) 14->173 175 Maps a DLL or memory area into another process 14->175 28 cmd.exe 14->28         started        30 Png_Tool_alpha.exe 14->30         started        101 C:\Users\user\AppData\Local\Temp\rxg, PE32+ 17->101 dropped 32 cmd.exe 17->32         started        34 certutil.exe 17->34         started        117 239.255.255.250 unknown Reserved 19->117 36 msedge.exe 19->36         started        39 msedge.exe 19->39         started        41 2 other processes 19->41 file6 signatures7 process8 dnsIp9 77 C:\ProgramData\...\Runner_Bina.exe, PE32 22->77 dropped 79 C:\ProgramData\...\msvcr80.dll, PE32 22->79 dropped 81 C:\ProgramData\...\msvcp80.dll, PE32 22->81 dropped 83 C:\ProgramData\...\DivXDownloadManager.dll, PE32 22->83 dropped 159 Switches to a custom stack to bypass stack traces 22->159 161 Found direct / indirect Syscall (likely to bypass EDR) 22->161 43 Runner_Bina.exe 5 22->43         started        85 C:\ProgramData\...\StlpMt45.dll, PE32 26->85 dropped 87 C:\ProgramData\Controlplugin_v4\Rtl60.bpl, PE32 26->87 dropped 89 C:\ProgramData\Controlplugin_v4\Deco_I.exe, PE32 26->89 dropped 91 2 other files (1 malicious) 26->91 dropped 47 Deco_I.exe 26->47         started        49 conhost.exe 28->49         started        51 conhost.exe 32->51         started        119 20.125.62.241, 443, 49763, 49790 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 36->119 121 20.189.173.18, 443, 49782, 49800 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 36->121 123 22 other IPs or domains 36->123 file10 signatures11 process12 file13 105 C:\Users\user\AppData\...\Png_Tool_alpha.exe, PE32+ 43->105 dropped 107 C:\Users\user\AppData\Local\...\DAE59F0.tmp, PE32+ 43->107 dropped 163 Modifies the context of a thread in another process (thread injection) 43->163 165 Found hidden mapped module (file has been removed from disk) 43->165 167 Maps a DLL or memory area into another process 43->167 169 Found direct / indirect Syscall (likely to bypass EDR) 43->169 53 Png_Tool_alpha.exe 2 43->53         started        57 cmd.exe 3 43->57         started        109 C:\Users\user\AppData\...\srlnsbaxsfmalv, PE32+ 47->109 dropped 171 Switches to a custom stack to bypass stack traces 47->171 59 certutil.exe 47->59         started        61 cmd.exe 47->61         started        signatures14 process15 dnsIp16 125 up1-c-dn.cfd 104.21.70.69, 443, 49692, 49693 CLOUDFLARENETUS United States 53->125 127 gamefury.world 104.21.80.1, 443, 49695 CLOUDFLARENETUS United States 53->127 147 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 53->147 149 Found many strings related to Crypto-Wallets (likely being stolen) 53->149 151 Found strings related to Crypto-Mining 53->151 157 6 other signatures 53->157 63 chrome.exe 2 53->63         started        66 msiexec.exe 3 53->66         started        68 msedge.exe 53->68         started        153 Switches to a custom stack to bypass stack traces 57->153 70 conhost.exe 57->70         started        129 fastcdn-server.cfd 104.21.92.169, 49823, 80 CLOUDFLARENETUS United States 59->129 155 System process connects to network (likely due to code injection or exploit) 59->155 72 conhost.exe 61->72         started        signatures17 process18 dnsIp19 137 192.168.2.8, 138, 443, 49419 unknown unknown 63->137 74 chrome.exe 63->74         started        process20 dnsIp21 131 www.google.com 192.178.49.164, 443, 49698, 49703 GOOGLEUS United States 74->131 133 play.google.com 192.178.49.174, 443, 49719, 49723 GOOGLEUS United States 74->133 135 6 other IPs or domains 74->135
Score:
2%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/c26395dd3a7bcaa8fb1d741fa599948f16334ec972ee28d5da2ac08a67b94591
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c26395dd3a7bcaa8fb1d741fa599948f16334ec972ee28d5da2ac08a67b94591/
Threat name:
Binary.Trojan.Rugmi
Create hunting rule
Status:
Malicious
First seen:
2025-04-20 23:55:30 UTC
File Type:
Binary (Archive)
Extracted files:
8
AV detection:
11 of 38 (28.95%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yjrzlxj2ppfkr6y5oqp2lgmur4ldgtwjolxcrvo2flaiuz5ziwiq._file
Verdict:
malicious
Label(s):
idatloader
Create hunting rule
Similar samples:
19f6b0cbf4d58ca4c4dda40eb41107ad5bdf05fb914dd3c5fdb101dbde4532e8
error
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery persistence privilege_escalation spyware stealer
Link:
https://tria.ge/reports/250422-tgg39azyaw/
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Event Triggered Execution: Installer Packages
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates connected drives
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/92305afc-b4e2-4f80-bddb-5d5b239b22b3
Malware family:
IDATLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/c26395dd3a7b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c26395dd3a7bcaa8fb1d741fa599948f16334ec972ee28d5da2ac08a67b94591

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Microsoft Software Installer (MSI) msi c26395dd3a7bcaa8fb1d741fa599948f16334ec972ee28d5da2ac08a67b94591

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/3520515/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/3471/

Comments