MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f772a89fd70aa30f456b016d679f8fe62860e5f1a5a3b494e9ff8e6fd143fc8c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 14


Intelligence 14 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f772a89fd70aa30f456b016d679f8fe62860e5f1a5a3b494e9ff8e6fd143fc8c
SHA3-384 hash: 5b91ee46010ac9c342ae6a5c84f4b13ccdd464b01e35a7acd8df79eeb2fbb8a841dfcbbf6c2f64584fd58529c7974b04
SHA1 hash: 440c59e17f46ea1a6025cab3306f11f1cd3315d9
MD5 hash: ee06d030915ad8c2d1c1a08d6b3eaa2e
humanhash: seventeen-stairway-lion-beryllium
File name:wth.malz.msi
Download: download sample
File size:1'040'384 bytes
First seen:2025-12-16 21:37:29 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 24576:Vi2igWQ/sxILKiBGnkdy/vLR08iLF1QlTIrSLD6K:I2BzLK/8ynF0PF1lo6K
Threatray 12 similar samples on MalwareBazaar
TLSH T1F22533A9A514A00FE2D71E7CCCAE26BCA36D9C15DB5810527BD3B2FFBD73A0052905A1
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter smica83
Tags:msi Plugx

Intelligence

File Origin
# of uploads :
1
# of downloads :
53
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
MSI
Details
MSI
an embedded setup program or component
Link:
https://research.acce.ciphertechsolutions.com/results/12a4d74d-9b8a-4159-a4fe-c6c082f9a20e/
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/45278/
Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6941d1484d2b81828c3b5893
Tags:
n/a
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
anti-debug evasive installer installer masquerade
Link:
https://www.filescan.io/uploads/6941d1453f8fdbf8e9487b5b/reports/c11d8cd1-34e3-41d1-a389-a6a05d531dfe/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/f772a89fd70aa30f456b016d679f8fe62860e5f1a5a3b494e9ff8e6fd143fc8c
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/f772a89fd70aa30f456b016d679f8fe62860e5f1a5a3b494e9ff8e6fd143fc8c
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
File Type:
msi
First seen:
2025-12-16T18:47:00Z UTC
Last seen:
2025-12-18T09:08:00Z UTC
Hits:
~10
Detections:
Trojan.Win32.Dedok.sb HEUR:Trojan.OLE2.Alien.gen
Link:
https://opentip.kaspersky.com/f772a89fd70aa30f456b016d679f8fe62860e5f1a5a3b494e9ff8e6fd143fc8c/results?tab=lookup
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1834383
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Joe Sandbox ML detected suspicious sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Suricata IDS alerts for network traffic
Unusual module load detection (module proxying)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1834383 Sample: wth.malz.msi Startdate: 16/12/2025 Architecture: WINDOWS Score: 92 34 doorforum.com 2->34 36 us1.roaming1.live.com.akadns.net 2->36 38 10 other IPs or domains 2->38 46 Suricata IDS alerts for network traffic 2->46 48 Malicious sample detected (through community Yara rule) 2->48 50 Multi AV Scanner detection for submitted file 2->50 52 Joe Sandbox ML detected suspicious sample 2->52 8 msiexec.exe 83 37 2->8         started        11 steam_monitor.exe 2->11         started        14 steam_monitor.exe 2->14         started        16 msiexec.exe 3 2->16         started        signatures3 process4 file5 30 C:\Users\user\AppData\...\steam_monitor.exe, PE32 8->30 dropped 32 C:\Users\user\AppData\...\crashhandler.dll, PE32 8->32 dropped 18 steam_monitor.exe 9 7 8->18         started        60 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 11->60 62 Found evasive API chain (may stop execution after checking mutex) 11->62 64 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 11->64 66 2 other signatures 11->66 signatures6 process7 dnsIp8 40 doorforum.com 104.21.87.154, 443, 49690, 49695 CLOUDFLARENETUS United States 18->40 26 C:\ProgramData\...\steam_monitor.exe, PE32 18->26 dropped 28 C:\ProgramData\...\crashhandler.dll, PE32 18->28 dropped 54 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 18->54 56 Unusual module load detection (module proxying) 18->56 58 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 18->58 23 WINWORD.EXE 119 104 18->23         started        file9 signatures10 process11 dnsIp12 42 part-0041.t-0009.t-msedge.net 13.107.246.69, 443, 49697 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 23->42 44 osiprod-ncus-buff-azsc-000.northcentralus.cloudapp.azure.com 52.109.16.112, 443, 49692 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 23->44
Score:
88%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/f772a89fd70aa30f456b016d679f8fe62860e5f1a5a3b494e9ff8e6fd143fc8c
Verdict:
Malware
YARA:
4 match(es)
Tags:
CAB:COMPRESSION:LZX Corrupted Executable Office Document PDB Path PE (Portable Executable) PE File Layout
Link:
https://app.malva.re/file/ee06d030915ad8c2d1c1a08d6b3eaa2e
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f772a89fd70aa30f456b016d679f8fe62860e5f1a5a3b494e9ff8e6fd143fc8c/
Verdict:
Susipicious
Link:
https://tip.neiki.dev/file/f772a89fd70aa30f456b016d679f8fe62860e5f1a5a3b494e9ff8e6fd143fc8c
Threat name:
Win32.Trojan.Etset
Create hunting rule
Status:
Malicious
First seen:
2025-12-16 21:38:16 UTC
File Type:
Binary (Archive)
Extracted files:
39
AV detection:
11 of 23 (47.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=65zkrh6xbkrq6rllafwwph4p4yugbzpruwr3jfhj76hg7ukd7sga._file
Verdict:
malicious
Label(s):
canonstager
Create hunting rule
doplugs
Create hunting rule
Similar samples:
8c0051a83b3611ff2b669b670aa005633f3d9e844454a112b31d2a4bc944a234
c4e3c29367426fe4ed718ab448fbdf2cf8690c81ea539805569cdff88317db9f
error
f772a89fd70aa30f456b016d679f8fe62860e5f1a5a3b494e9ff8e6fd143fc8c
+ 2 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
adware discovery persistence privilege_escalation ransomware spyware
Link:
https://tria.ge/reports/251216-1g5b4sew3a/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Adds Run key to start application
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/5b71dee8-5d44-415d-9b8e-8f5a547c0c2d
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f772a89fd70aa30f456b016d679f8fe62860e5f1a5a3b494e9ff8e6fd143fc8c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/45278/

Comments