MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 deeedfc02b4b964e2dad06c963cccec8633c062bc0eb8e4daa1dae4ad7bb8990. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 11


Intelligence 11 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: deeedfc02b4b964e2dad06c963cccec8633c062bc0eb8e4daa1dae4ad7bb8990
SHA3-384 hash: e7297d7062c0051e369f1938c36a27d96c67e8ed55f186fdc190d5b9c22893cdb72214d63b9d1747e5d1d827d93b949e
SHA1 hash: 0ca3a60d8c9e5fcc4cab10d113847fb49b01c6fa
MD5 hash: a281700f6f0e1fadbed3ba2aca2dbe61
humanhash: nebraska-undress-nevada-chicken
File name:RKIUTSXW.msi
Download: download sample
File size:8'171'520 bytes
First seen:2025-05-21 11:24:44 UTC
Last seen:2025-05-22 18:47:41 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 196608:RydDwbe2ose1rsw0r398P5+zvNsnt157:RyNwbeQe1Yv98RWOHB
Threatray 24 similar samples on MalwareBazaar
TLSH T1B48633413C424973EDBA9F3C4BF2A055F551EE089D32AC866901F96D2CB09B34E973E6
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter skocherhan
Tags:msi


Avatar
skocherhan
https://cdnjet.sbs/RKIUTSXW.msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
76
Origin country :
GB GB
Vendor Threat Intelligence
Verdict:
Suspicious
Score:
50%
Link:
https://cyber-fortress.com/docs/result/index.php?id=682db88ac28c67d6664381f3
Tags:
shellcode spawn hype
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
adaptive-context crypto fingerprint installer wix
Link:
https://www.filescan.io/uploads/682db83f1de1514c6874d6c5/reports/1034b336-ad2d-44ff-9058-8b8cd220ded2/overview
Verdict:
Suspicious
Labled as:
Generik.KNGZOKI trojan
Link:
https://www.hybrid-analysis.com/sample/deeedfc02b4b964e2dad06c963cccec8633c062bc0eb8e4daa1dae4ad7bb8990
Result
Verdict:
SUSPICIOUS
Link:
https://labs.inquest.net/dfi/sha256/deeedfc02b4b964e2dad06c963cccec8633c062bc0eb8e4daa1dae4ad7bb8990
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1695808
Signature
Contains functionality to infect the boot sector
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1695808 Sample: RKIUTSXW.msi Startdate: 21/05/2025 Architecture: WINDOWS Score: 80 66 unositescdn.buzz 2->66 72 Suricata IDS alerts for network traffic 2->72 74 Multi AV Scanner detection for dropped file 2->74 10 msiexec.exe 80 40 2->10         started        13 BinarySynchronize32.exe 5 2->13         started        16 msiexec.exe 3 2->16         started        signatures3 process4 file5 48 C:\Users\user\...\BinarySynchronize32.exe, PE32+ 10->48 dropped 50 C:\Users\user\AppData\...\vcruntime140.dll, PE32+ 10->50 dropped 52 C:\Users\user\AppData\Local\...\msvcp140.dll, PE32+ 10->52 dropped 54 C:\Users\user\AppData\Local\...\mfc140u.dll, PE32+ 10->54 dropped 18 BinarySynchronize32.exe 7 10->18         started        56 C:\Users\user\AppData\Local\...\A9F1923.tmp, PE32+ 13->56 dropped 88 Modifies the context of a thread in another process (thread injection) 13->88 90 Maps a DLL or memory area into another process 13->90 22 tcpvcon.exe 1 13->22         started        24 Lmcheck.exe 13->24         started        signatures6 process7 file8 40 C:\ProgramData\...\BinarySynchronize32.exe, PE32+ 18->40 dropped 42 C:\ProgramData\...\vcruntime140.dll, PE32+ 18->42 dropped 44 C:\ProgramData\protectdriver\msvcp140.dll, PE32+ 18->44 dropped 46 C:\ProgramData\protectdriver\mfc140u.dll, PE32+ 18->46 dropped 76 Contains functionality to infect the boot sector 18->76 78 Found direct / indirect Syscall (likely to bypass EDR) 18->78 26 BinarySynchronize32.exe 7 18->26         started        30 conhost.exe 22->30         started        signatures9 process10 file11 58 C:\Users\user\AppData\Roaming\...\tcpvcon.exe, PE32 26->58 dropped 60 C:\Users\user\AppData\Local\...\Lmcheck.exe, PE32+ 26->60 dropped 62 C:\Users\user\AppData\Local\...\8C456EC.tmp, PE32+ 26->62 dropped 80 Contains functionality to infect the boot sector 26->80 82 Modifies the context of a thread in another process (thread injection) 26->82 84 Found hidden mapped module (file has been removed from disk) 26->84 86 2 other signatures 26->86 32 Lmcheck.exe 2 26->32         started        36 tcpvcon.exe 3 26->36         started        signatures12 process13 dnsIp14 64 unositescdn.buzz 172.67.206.69, 49721, 80 CLOUDFLARENETUS United States 32->64 68 Found direct / indirect Syscall (likely to bypass EDR) 32->68 70 Switches to a custom stack to bypass stack traces 36->70 38 conhost.exe 36->38         started        signatures15 process16
Score:
81%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/deeedfc02b4b964e2dad06c963cccec8633c062bc0eb8e4daa1dae4ad7bb8990
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/deeedfc02b4b964e2dad06c963cccec8633c062bc0eb8e4daa1dae4ad7bb8990/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2025-05-18 18:22:22 UTC
File Type:
Binary (Archive)
Extracted files:
850
AV detection:
12 of 24 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=33xn7qbljole4lnna3ewhtgozbrtybrlydvy4tnkdwxevv53rgia._file
Verdict:
malicious
Label(s):
idatloader
Create hunting rule
Similar samples:
06d386ae4129fb339cfd281f14279bcb29885eb9b223eb32c8f3210216434763
a5bf40c29313eb9f0e711bee0d63b411ef35e80ba0fbdcc5964d0539db59290e
c7134c66943d91beea8666e1f6d45f79a3df1ec49b0976d59f71511666eb4f3f
dabfe2b02c36b5f1a7f1c0d96798c944f69f84c4889e2e7e25655bb4d3894f31
deeedfc02b4b964e2dad06c963cccec8633c062bc0eb8e4daa1dae4ad7bb8990
e73309d0beba872a0bf801573ffbfc53e166f10a812ee4a0ea0cd18000be9f94
error
+ 14 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence privilege_escalation
Link:
https://tria.ge/reports/250521-njhvnsap3z/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates connected drives
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/77c475a8-7136-44ee-ae9c-c464cfbc4848
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/deeedfc02b4b964e2dad06c963cccec8633c062bc0eb8e4daa1dae4ad7bb8990

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Create hunting rule
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DonutLoader

Executable exe c7134c66943d91beea8666e1f6d45f79a3df1ec49b0976d59f71511666eb4f3f

Microsoft Software Installer (MSI) msi deeedfc02b4b964e2dad06c963cccec8633c062bc0eb8e4daa1dae4ad7bb8990

(this sample)

  
Dropped by
MD5 a2033ac1629ce140d14afe46c623d5a7
  
Dropped by
SHA256 c7134c66943d91beea8666e1f6d45f79a3df1ec49b0976d59f71511666eb4f3f
  
URLhaus
https://urlhaus.abuse.ch/url/3547625/
  
Delivery method
Distributed via web download

Comments