MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c4e3c29367426fe4ed718ab448fbdf2cf8690c81ea539805569cdff88317db9f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


PlugX


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c4e3c29367426fe4ed718ab448fbdf2cf8690c81ea539805569cdff88317db9f
SHA3-384 hash: 9538ef6c42d616c210e1f230baea388d6d6ee55ca3ff33f79b7f5cda8301171714975e2550067e225bd5b37d684c7c1f
SHA1 hash: fa5651a4ffc8d8a59422e6b64629e1fc63195168
MD5 hash: 38d7c591e0ba0d5cf1bea54af64bf189
humanhash: table-twelve-east-eleven
File name:kqb.msi
Download: download sample
Signature PlugX
Create hunting rule
File size:1'126'400 bytes
First seen:2025-11-10 19:27:06 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 24576:LBVjroYoBAXmFofOb/Q6oFx0J18Io9hDbUMp:NWAJfOsZFY8VUMp
TLSH T1F3353334E9680231C84660F95266D7D42BBCAC1986E545AD3B7930DE8FB360C73AFBD4
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter smica83
Tags:msi Plugx

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
HU HU
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/36729/
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=69123c95ac1ae236e1792a12
Tags:
virus
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-debug evasive installer installer
Link:
https://www.filescan.io/uploads/69123c914ce0adbcc9842b94/reports/0ee6050c-1946-4b4f-8390-f7ec9f59aeb7/overview
Verdict:
Suspicious
Labled as:
Generik.MLRYBUX trojan
Link:
https://www.hybrid-analysis.com/sample/c4e3c29367426fe4ed718ab448fbdf2cf8690c81ea539805569cdff88317db9f
Verdict:
Malicious
File Type:
msi
First seen:
2025-11-10T16:50:00Z UTC
Last seen:
2025-11-11T17:59:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.OLE2.Alien.gen Trojan.Win32.Agentb.tmzv Trojan.Win32.Dedok.sb
Link:
https://opentip.kaspersky.com/c4e3c29367426fe4ed718ab448fbdf2cf8690c81ea539805569cdff88317db9f/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1811691
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Malicious sample detected (through community Yara rule)
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Suricata IDS alerts for network traffic
Behaviour
Behavior Graph:
Download SVG
Score:
93%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/c4e3c29367426fe4ed718ab448fbdf2cf8690c81ea539805569cdff88317db9f
Verdict:
inconclusive
YARA:
4 match(es)
Tags:
CAB:COMPRESSION:LZX Executable Office Document PDB Path PE (Portable Executable) PE File Layout
Link:
https://app.malva.re/file/38d7c591e0ba0d5cf1bea54af64bf189
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c4e3c29367426fe4ed718ab448fbdf2cf8690c81ea539805569cdff88317db9f/
Verdict:
Clean
Link:
https://tip.neiki.dev/file/c4e3c29367426fe4ed718ab448fbdf2cf8690c81ea539805569cdff88317db9f
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-11-08 15:13:36 UTC
File Type:
Binary (Archive)
Extracted files:
23
AV detection:
6 of 24 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ytr4fe3hijx6j3lrrk2er667ft4gsdeb5jjzqbkwttp7rayx3opq._file
Verdict:
malicious
Label(s):
doplugs
Create hunting rule
Similar samples:
error
PlugX
Result
Malware family:
n/a
Score:
  6/10
Tags:
adware discovery persistence privilege_escalation ransomware spyware
Link:
https://tria.ge/reports/251110-x57klatmer/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Enumerates connected drives
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/3e3d5828-c8c5-49fb-a62c-56ec4ce7bc00
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c4e3c29367426fe4ed718ab448fbdf2cf8690c81ea539805569cdff88317db9f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/36729/

Comments