MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c80fa3ec24f32c24358e4239530afb13e04b50183f7bf9bd1a0df6b83b93ac9b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c80fa3ec24f32c24358e4239530afb13e04b50183f7bf9bd1a0df6b83b93ac9b
SHA3-384 hash: 36e8f6544fb20dbd8381feb1df7bea9655e94dcff2a71050270d9a811139cd1806d1742b0d0b3dc406720a803e0c7055
SHA1 hash: 7304a5debb23822339c21d924206646732365867
MD5 hash: 108c2ced19e9c6c62a8728ad80413dfb
humanhash: grey-kilo-twenty-single
File name:payload.msi
Download: download sample
File size:335'872 bytes
First seen:2026-01-13 07:38:04 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 6144:s1kK2TEpUrb1oF2yI4IhKc5VwSiXnQnOKkCOQKlLHsKn:cWTEerbZ/cJXojOxMQ
TLSH T12364126AF3016B31D453033AC02BA7729377BC449F56630A72A5FA8D2F365D50BB96E0
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter smica83
Tags:msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
45
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
MSI
Details
MSI
an embedded setup program or component
Link:
https://research.acce.ciphertechsolutions.com/results/095926d6-38fb-4cfd-9505-5802c944dacd/
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/48703/
Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6965f676ef906a21abccdf67
Tags:
n/a
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
installer installer
Link:
https://www.filescan.io/uploads/6965f67160d1ef876ded5773/reports/30b27f53-b86b-4ad0-a6f7-68f427280a91/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/c80fa3ec24f32c24358e4239530afb13e04b50183f7bf9bd1a0df6b83b93ac9b
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/c80fa3ec24f32c24358e4239530afb13e04b50183f7bf9bd1a0df6b83b93ac9b
Verdict:
Malicious
File Type:
msi
First seen:
2026-01-13T14:30:00Z UTC
Last seen:
2026-01-13T15:21:00Z UTC
Hits:
~10
Detections:
HEUR:Trojan.OLE2.Agentb.gen
Link:
https://opentip.kaspersky.com/c80fa3ec24f32c24358e4239530afb13e04b50183f7bf9bd1a0df6b83b93ac9b/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
phis.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1849686
Signature
.NET source code references suspicious native API functions
Bypasses PowerShell execution policy
Disables the Smart Screen filter
Joe Sandbox ML detected suspicious sample
Loading BitLocker PowerShell Module
Malicious sample detected (through community Yara rule)
Sigma detected: Dot net compiler compiles file from suspicious location
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Download and Execution Cradles
Sigma detected: Schedule system process
Sigma detected: Shedule hidden powershell script
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Suspicious powershell command line found
Uses schtasks.exe or at.exe to add and modify task schedules
Windows shortcut file (LNK) contains suspicious command line arguments
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1849686 Sample: payload.msi Startdate: 13/01/2026 Architecture: WINDOWS Score: 100 36 b8217fef.thisisnotyourland.pages.dev 2->36 46 Malicious sample detected (through community Yara rule) 2->46 48 Sigma detected: Shedule hidden powershell script 2->48 50 Sigma detected: Schedule system process 2->50 52 8 other signatures 2->52 9 msiexec.exe 74 30 2->9         started        12 msiexec.exe 5 2->12         started        signatures3 process4 signatures5 54 Suspicious powershell command line found 9->54 14 powershell.exe 15 39 9->14         started        56 Bypasses PowerShell execution policy 12->56 process6 dnsIp7 38 b8217fef.thisisnotyourland.pages.dev 172.66.44.178, 443, 49687 CLOUDFLARENETUS United States 14->38 34 C:\Users\user\AppData\...\rpehsrju.cmdline, Unicode 14->34 dropped 40 Uses schtasks.exe or at.exe to add and modify task schedules 14->40 42 Disables the Smart Screen filter 14->42 44 Loading BitLocker PowerShell Module 14->44 19 csc.exe 3 14->19         started        22 powershell.exe 13 14->22         started        24 conhost.exe 14->24         started        26 3 other processes 14->26 file8 signatures9 process10 file11 32 C:\Users\user\AppData\Local\...\rpehsrju.dll, PE32 19->32 dropped 28 cvtres.exe 1 19->28         started        30 conhost.exe 22->30         started        process12
Score:
99%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/c80fa3ec24f32c24358e4239530afb13e04b50183f7bf9bd1a0df6b83b93ac9b
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c80fa3ec24f32c24358e4239530afb13e04b50183f7bf9bd1a0df6b83b93ac9b/
Verdict:
Malicious
Link:
https://tip.neiki.dev/file/c80fa3ec24f32c24358e4239530afb13e04b50183f7bf9bd1a0df6b83b93ac9b
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zah2h3be6mwcinmoii4vgcx3cpqewuayh557tpi2bx3lqo4tvsnq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution persistence privilege_escalation ransomware
Link:
https://tria.ge/reports/260113-jgk5ssfy9a/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
Drops file in Program Files directory
Drops file in Windows directory
Enumerates connected drives
Badlisted process makes network request
Command and Scripting Interpreter: PowerShell
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5bf98287-066c-4097-8c33-6bbccc118bef
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c80fa3ec24f32c24358e4239530afb13e04b50183f7bf9bd1a0df6b83b93ac9b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Microsoft Software Installer (MSI) msi c80fa3ec24f32c24358e4239530afb13e04b50183f7bf9bd1a0df6b83b93ac9b

(this sample)

PowerShell (PS) ps1 c7238e9557509899c535f3baeaabcbbb11d94ebb76dc5e195cd42336e07be3e1

Cape
Cape
https://www.capesandbox.com/analysis/48703/
  
Dropping
SHA256 c7238e9557509899c535f3baeaabcbbb11d94ebb76dc5e195cd42336e07be3e1
  
Dropping
MD5 aa00c281207c4afb1bf463dcba6bff19

Comments