MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f92f9d0f9a9470206a1b9f0bb452e82bb511637ccf735bb9e365168229fba95d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat: unknown


Vendor detections: 11



SHA256 hash: f92f9d0f9a9470206a1b9f0bb452e82bb511637ccf735bb9e365168229fba95d
SHA3-384 hash: d49cf7860b5fa99321d6f61be29fd4a2d764bc31e3d97b58e016fb19800ae205a85bc908c6946407857e266b3f3ed123
SHA1 hash: 6d3435617c755c5d7629b33ef36e6dc647c0edd9
MD5 hash: c2e101d3fba4a09311c1bf8532708993
humanhash: bravo-saturn-uncle-don
File name: cv.msi
File size: 66'048 bytes
First seen: 2026-03-01 10:56:25 UTC
Last seen: 2026-03-01 11:23:09 UTC
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep 1536:P3fcyB6ZsGuj38DS3ZRXbmFGtRdFhafuo8NLob2z:ncyB6Mj3JZ8FGtRtaWzNx
TLSH T18853F14271068332D84286364B6FAFD14B746C55AF7B2A4235D7BB9C2E759D01AF3EC0
TrID 86.8% (.MSI) Microsoft Windows Installer (454500/1/170)
11.6% (.MST) Windows SDK Setup Transform script (61000/1/5)
1.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika unknown
Reporter smica83
Tags:msi

Intelligence


File Origin
# of uploads: 2
# of downloads: 54
Origin country: HU
Vendor Threat Intelligence

Malware configuration found for: MSI
Details: MSI, an embedded setup program or component

Verdict: Malicious
Score: 70%
Tags: virus spawn

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: CAB crypt evasive installer obfuscated

Result
Threat name: n/a
Detection: malicious
Classification: n/a
Score: 52 / 100
Signature
Creates autostart registry keys with suspicious names
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Behavior Graph ID: 1876450
Sample: cv.msi
Start date: 01/03/2026
Architecture: WINDOWS
Score: 52

Sample-level network contacts: rpc.payload.de, rpc.mevblocker.io, and 9 other IPs or domains.
Sample-level signature: Multi AV Scanner detection for submitted file.

Process tree (graph node numbers in parentheses):

msiexec.exe (11)
  cmd.exe (19)
    cmd.exe (29)
      tar.exe (38): drops C:\Users\user\AppData\Local\0BKYbW\...\npx (Bourne-Again), C:\Users\user\AppData\Local\0BKYbW\...\npm (Bourne-Again), C:\Users\user\AppData\Local\...\which.js, and 48 other files (none flagged as malicious)
      node.exe (41)
        cmd.exe (48)
          reg.exe (53): Creates autostart registry keys with suspicious names
          conhost.exe (56)
        node.exe (50): contacts mainnet.gateway.tenderly.co (35.227.193.242:443, GOOGLEUS, United States; source ports 49696, 49707), eth.drpc.org (104.18.10.59:443, CLOUDFLARENETUS, United States; source ports 49701, 49712), and 6 other IPs or domains
      curl.exe (43): contacts nodejs.org (172.66.128.70:443, CLOUDFLARENETUS, United States; source port 49690) and 127.0.0.1
      conhost.exe (46)
    conhost.exe (31)
msiexec.exe (17)
node.exe (13)
  node.exe (21)
    node.exe (33): contacts 104.18.11.59:443 (CLOUDFLARENETUS, United States; source port 49722) and 172.66.156.92:443 (CLOUDFLARENETUS, United States; source port 49723)
  conhost.exe (23)
node.exe (15)
  node.exe (25)
    node.exe (36)
  conhost.exe (27)
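The chain in the behavior graph above (msiexec.exe spawning cmd.exe, which uses curl.exe to fetch from nodejs.org, tar.exe to unpack into a directory under AppData\Local, and a node.exe from that directory that writes a Run key through reg.exe and then talks to hosts such as mainnet.gateway.tenderly.co and eth.drpc.org) is what a detection engineer would want to catch from endpoint telemetry rather than from a sandbox. The following is an added triage example and is not tooling from MalwareBazaar or the sandbox vendor: it rebuilds a process tree from Sysmon-style events and applies four lineage-aware checks. The event records, PIDs, paths and command lines are constructed to mirror the report and are not real telemetry; treating rpc.payload.de, rpc.mevblocker.io, mainnet.gateway.tenderly.co and eth.drpc.org as public JSON-RPC endpoints, and the explorer.exe -> cmd.exe -> reg.exe control case as benign, are assumptions of the example.

```python
"""Rebuild a process tree from Sysmon-style events and flag the chain the
sandbox report describes. Added example; the events below are constructed to
mirror the report and are not real telemetry."""
from collections import defaultdict

# Constructed process-creation events: pid, parent pid, image path, command line.
PROC_EVENTS = [
    {"pid": 100, "ppid": 0, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\user\Downloads\cv.msi /qn"},
    {"pid": 110, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\Users\user\AppData\Local\0BKYbW\stage.cmd"},
    {"pid": 120, "ppid": 110, "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -sL -o C:\Users\user\AppData\Local\0BKYbW\node.zip https://nodejs.org/dist/node.zip"},
    {"pid": 130, "ppid": 110, "image": r"C:\Windows\System32\tar.exe",
     "cmdline": r"tar.exe -xf C:\Users\user\AppData\Local\0BKYbW\node.zip -C C:\Users\user\AppData\Local\0BKYbW"},
    {"pid": 140, "ppid": 110, "image": r"C:\Users\user\AppData\Local\0BKYbW\node.exe",
     "cmdline": r"node.exe C:\Users\user\AppData\Local\0BKYbW\index.js"},
    {"pid": 150, "ppid": 140, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v 0BKYbW /t REG_SZ /d C:\Users\user\AppData\Local\0BKYbW\node.exe /f"},
    {"pid": 160, "ppid": 150, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v 0BKYbW /t REG_SZ /d C:\Users\user\AppData\Local\0BKYbW\node.exe /f"},
    # Benign control (assumed): an interactive shell querying the registry.
    {"pid": 200, "ppid": 0, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 210, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 220, "ppid": 210, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk"},
]

# Constructed network-connection events keyed by the connecting pid.
NET_EVENTS = [
    {"pid": 120, "host": "nodejs.org", "dport": 443},
    {"pid": 140, "host": "mainnet.gateway.tenderly.co", "dport": 443},
    {"pid": 140, "host": "eth.drpc.org", "dport": 443},
]

# Hosts from the sandbox report; treating them as JSON-RPC endpoints is an assumption.
RPC_HOSTS = {"rpc.payload.de", "rpc.mevblocker.io", "mainnet.gateway.tenderly.co", "eth.drpc.org"}
RUNTIMES = {"node.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DOWNLOADERS = {"curl.exe", "certutil.exe", "bitsadmin.exe", "powershell.exe"}
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\", "\\programdata\\")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def build_tree(events):
    """Index events by pid and map each pid to its children, in event order."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children


def ancestry(by_pid, pid):
    """Lower-cased image names from pid up to the root: [self, parent, ...]."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(basename(by_pid[pid]["image"]).lower())
        pid = by_pid[pid]["ppid"]
    return names


def render_tree(proc_events):
    """Indented one-line-per-process view, two spaces per depth level."""
    by_pid, children = build_tree(proc_events)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{basename(by_pid[pid]['image'])} ({pid})")
        for child in children[pid]:
            walk(child, depth + 1)

    for e in proc_events:
        if e["ppid"] not in by_pid:          # a root: parent was not observed
            walk(e["pid"], 0)
    return lines


def triage(proc_events, net_events):
    """Return (pid, reason) findings; each check uses the full ancestry, not just the parent."""
    by_pid, _ = build_tree(proc_events)
    findings = []
    for e in proc_events:
        name = basename(e["image"]).lower()
        chain = ancestry(by_pid, e["pid"])
        cmd = e["cmdline"].lower()
        under_installer = "msiexec.exe" in chain[1:]
        if name in DOWNLOADERS and under_installer:
            findings.append((e["pid"], "downloader spawned under msiexec.exe"))
        if name == "tar.exe" and under_installer and any(p in cmd for p in USER_WRITABLE):
            findings.append((e["pid"], "archive extracted into a user-writable path under msiexec.exe"))
        if name in RUNTIMES and any(p in e["image"].lower() for p in USER_WRITABLE):
            findings.append((e["pid"], "script runtime executing from a user-writable path"))
        if (name == "reg.exe" and "add" in cmd.split() and "\\currentversion\\run" in cmd
                and any(a in RUNTIMES for a in chain[1:])):
            findings.append((e["pid"], "Run-key persistence written below a script runtime"))
    for n in net_events:
        e = by_pid.get(n["pid"])
        if e and basename(e["image"]).lower() in RUNTIMES and n["host"].lower() in RPC_HOSTS:
            findings.append((n["pid"], f"script runtime contacted JSON-RPC host {n['host']}"))
    return findings


if __name__ == "__main__":
    print("\n".join(render_tree(PROC_EVENTS)))
    for pid, reason in triage(PROC_EVENTS, NET_EVENTS):
        print(f"[{pid}] {reason}")
```

The checks deliberately key on ancestry rather than on the immediate parent: the reg.exe write sits two hops below node.exe and four below msiexec.exe, so a parent-only rule would see nothing unusual about cmd.exe launching reg.exe. The benign control (explorer.exe -> cmd.exe -> reg.exe query) produces no findings because it neither writes a Run key nor has a script runtime or installer in its lineage.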
Verdict: Malicious
Threat: Trojan-Downloader.Win32.Bitser

Result
Malware family: n/a
Score: 8/10
Tags: execution persistence privilege_escalation ransomware
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
Drops file in Windows directory
Adds Run key to start application
Enumerates connected drives
Looks up external IP address via web service
Executes dropped EXE
Command and Scripting Interpreter: PowerShell
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: FreddyBearDropper
Author: Dwarozh Hoshiar
Description: Freddy Bear Dropper is dropping a malware through base64 encoded powershell script.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments