MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc56d7b5fcad1e841cbb006174b96d03f672dcd2c5d23ad0cf84adc5437607e8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 10



SHA256 hash: fc56d7b5fcad1e841cbb006174b96d03f672dcd2c5d23ad0cf84adc5437607e8
SHA3-384 hash: f11b24b1f7d713c9c8332a3cd244a2ea279b8f42ac4c8b63d1e2f79d8217e24cd7f2a45d12406944afc5229b79e50f9d
SHA1 hash: ba3cf83547837441e5edacef833a38a4121a4687
MD5 hash: 69c03ff13a0aaa6bd654322edd5b883e
humanhash: alaska-ink-lemon-wolfram
File name: MAKEEWYK.msi
File size: 9'347'072 bytes
First seen: 2025-04-09 13:14:56 UTC
Last seen: 2025-04-09 13:14:59 UTC
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 196608:KR2xeZWMJbPOhzaYg7aZv6WpJzGJtWeYCmoMTSPQPN:KqeZWU9r7aZCWfeRMePQP
TLSH: T17296339225452F43D629383DE3C7DE1521F87C962FD79872244A3387A9F2390AF923D6
TrID: 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
      11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: JAMESWT_WT
Tags: bestieslos-com cdn-jsdelivr-net msi

Intelligence


File Origin
# of uploads: 2
# of downloads: 75
Origin country: IT
Vendor Threat Intelligence

Verdict: Malicious
Score: 96.5%
Tags: shellcode virus spawn

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: adaptive-context crypto fingerprint installer keylogger packed wix

Result
Threat name: n/a
Detection: malicious
Classification: evad
Score: 40 / 100
Signature
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: New RUN Key Pointing to Suspicious Folder
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Behaviour
Behavior Graph:
Behavior Graph ID: 1660844
Sample: MAKEEWYK.msi
Start date: 09/04/2025
Architecture: WINDOWS
Score: 40

Sample-level signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Sigma detected: New RUN Key Pointing to Suspicious Folder
Contacted domain: colidt-frend-cheap.cfd

Process tree (node numbers are the graph's own):
  [10] msiexec.exe (started from the sample)
       drops: C:\Users\user\AppData\Local\...\vcl280.bpl (PE32); C:\Users\user\AppData\...\RoboTaskLite.exe (PE32); C:\Users\user\AppData\Local\...\rtl280.bpl (PE32)
       starts [20] RoboTaskLite.exe
         signatures: Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
         drops: C:\Users\user\AppData\Roaming\...\vcl280.bpl (PE32); C:\Users\user\AppData\Roaming\...\rtl280.bpl (PE32); C:\Users\user\AppData\...\RoboTaskLite.exe (PE32)
         starts [26] RoboTaskLite.exe
           signatures: Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces; Found direct / indirect Syscall (likely to bypass EDR)
           starts [33] cmd.exe
             signatures: Writes to foreign memory regions; Found hidden mapped module (file has been removed from disk); Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
             drops: C:\Users\user\AppData\Local\Temp\knx (PE32+); C:\Users\user\AppData\...\ToolSecurityBvg.exe (PE32+)
             starts [37] ToolSecurityBvg.exe
               network: colidt-frend-cheap.cfd 104.21.27.118 (CLOUDFLARENETUS, United States), ports 49720, 49721, 49723
               signatures: Found direct / indirect Syscall (likely to bypass EDR)
             starts [41] conhost.exe
  [13] RoboTaskLite.exe (started from the sample)
       signatures: Maps a DLL or memory area into another process; Found direct / indirect Syscall (likely to bypass EDR)
       starts [24] cmd.exe
         signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
         drops: C:\Users\user\AppData\Local\...\wdrucdduwsdm (PE32+)
         starts [29] ToolSecurityBvg.exe
         starts [31] conhost.exe
  [16] ToolSecurityBvg.exe (started from the sample)
  [18] 2 other processes (started from the sample)

Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2025-02-28 18:18:01 UTC
File Type: Binary (Archive)
Extracted files: 194
AV detection: 11 of 36 (30.56%)
Threat level: 5/5
Result
Malware family: n/a
Score: 6/10
Tags: discovery persistence privilege_escalation
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Enumerates connected drives
Adds Run key to start application

Malware family: HijackLoader
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for VirusTotal.
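
The behaviour graph above records a chain worth hunting for directly: msiexec.exe drops and runs an executable from the user profile, that executable spawns cmd.exe, cmd.exe launches a PE32+ from AppData\Local\Temp, and a Run key is written pointing at a suspicious folder. The following is an added example, not code from MalwareBazaar or from the sandbox vendors, that runs three rules for those behaviours over constructed Sysmon-style event lines and rebuilds the parent chain of each hit. The event lines, the SampleDir folder, the PIDs and the Run value name are constructed for this example; the real dropped-file paths on this page are partly elided and are not reproduced.

```python
r"""Added example (not from MalwareBazaar or a sandbox vendor): detection logic
for the process chain and Run-key persistence shown in the behaviour graph,
run over constructed Sysmon-style key=value events.
Rules: (1) msiexec.exe launching an executable from a user-writable directory,
(2) cmd.exe launching a binary from AppData\Local\Temp, (3) a Run key whose
data points into the user profile. lineage() walks ParentProcessId links.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "rule pid image")

# Constructed events modelled on Sysmon Event ID 1 (ProcessCreate) and 13 (RegistryEvent).
# Paths, PIDs and the "SampleDir" folder are hypothetical; only Temp\knx is taken from the page.
SAMPLE_EVENTS = [
    r'EventID=1 ProcessId=4120 Image="C:\Windows\System32\msiexec.exe" ParentProcessId=1 ParentImage="C:\Windows\explorer.exe"',
    r'EventID=1 ProcessId=4388 Image="C:\Users\user\AppData\Local\SampleDir\RoboTaskLite.exe" ParentProcessId=4120 ParentImage="C:\Windows\System32\msiexec.exe"',
    r'EventID=1 ProcessId=4500 Image="C:\Windows\System32\cmd.exe" ParentProcessId=4388 ParentImage="C:\Users\user\AppData\Local\SampleDir\RoboTaskLite.exe"',
    r'EventID=1 ProcessId=4612 Image="C:\Users\user\AppData\Local\Temp\knx" ParentProcessId=4500 ParentImage="C:\Windows\System32\cmd.exe"',
    r'EventID=13 ProcessId=4388 Image="C:\Users\user\AppData\Local\SampleDir\RoboTaskLite.exe" TargetObject="HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater" Details="C:\Users\user\AppData\Roaming\SampleDir\RoboTaskLite.exe"',
    # Benign control: an installer child under Program Files must not fire any rule.
    r'EventID=1 ProcessId=5000 Image="C:\Program Files\Vendor\app.exe" ParentProcessId=4120 ParentImage="C:\Windows\System32\msiexec.exe"',
]

_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """One key=value line -> dict; quoted values may contain spaces."""
    return {k: q or u for k, q, u in _FIELD.findall(line)}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path):
    p = path.lower()
    return any(s in p for s in ("\\appdata\\", "\\users\\public\\", "\\programdata\\"))


def in_temp(path):
    return "\\appdata\\local\\temp\\" in path.lower()


def analyze(lines):
    """Return the findings raised by the three rules over the given event lines."""
    findings = []
    for e in map(parse_event, lines):
        eid = e.get("EventID")
        if eid == "1":
            img, parent = e.get("Image", ""), e.get("ParentImage", "")
            if basename(parent) == "msiexec.exe" and in_user_writable(img):
                findings.append(Finding("msiexec_spawns_from_user_dir", e["ProcessId"], img))
            if basename(parent) == "cmd.exe" and in_temp(img):
                findings.append(Finding("cmd_runs_binary_from_temp", e["ProcessId"], img))
        elif eid == "13":
            key, data = e.get("TargetObject", ""), e.get("Details", "")
            if "\\currentversion\\run\\" in key.lower() and in_user_writable(data):
                findings.append(Finding("run_key_to_user_dir", e["ProcessId"], data))
    return findings


def lineage(lines, pid):
    """Walk ParentProcessId links from pid to the root; image basenames, child first."""
    by_pid = {e["ProcessId"]: e for e in map(parse_event, lines) if e.get("EventID") == "1"}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["Image"]))
        pid = by_pid[pid].get("ParentProcessId")
    return chain


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f.rule, f.pid, f.image, " <- ".join(lineage(SAMPLE_EVENTS, f.pid)))
```

On the constructed input the Program Files child of msiexec.exe stays silent, while the AppData child, the Temp binary under cmd.exe and the Run value fire, and the lineage of the Temp binary reads knx <- cmd.exe <- robotasklite.exe <- msiexec.exe, which is the chain the graph shows. The "user-writable" test is deliberately coarse; tune it to the paths your installers legitimately use before deploying.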

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Sus_Obf_Enc_Spoof_Hide_PE
Author:XiAnzheng
Description:Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique(can create FP)
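
The rule description names overlay and entropy checks and warns that they can produce false positives. The MSI itself is an OLE2 compound file, not a PE; since the page states that rules are also matched against suspicious process dumps, a PE check of this kind applies to the dropped PE32/PE32+ files and dumps rather than to the container. The following is an added example, not the rule itself (its body is not shown on this page): it parses a PE section table, measures the overlay and per-section Shannon entropy, and runs over a minimal PE image constructed inline. The section names, the 7.0-bit threshold and the constructed image are this example's own choices.

```python
r"""Added example, not the YARA rule from the page: two heuristics its
description names, overlay and high-entropy sections, implemented over a PE
section table. The minimal PE image is constructed inline (hypothetical: i386,
two sections, no optional header) so the check runs offline.
"""
import hashlib
import math
import struct


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant run, close to 8.0 for compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(data):
    """Parse the COFF section table; returns (name, raw_offset, raw_size) per section."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", data, coff + 2)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]    # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsect):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)  # SizeOfRawData, PointerToRawData
        sections.append((name, raw_ptr, raw_size))
    return sections


def overlay_and_entropy(data, high=7.0):
    """Return (overlay_bytes, [(section, entropy)], flagged).

    The overlay is everything past the end of the last section's raw data. Flagged
    when an overlay exists or any section's entropy exceeds `high`. Legitimate
    installers often carry their payload in the overlay and packed binaries have
    high-entropy sections, which is why rules of this kind produce false positives.
    """
    sections = pe_sections(data)
    end = max((ptr + size for _, ptr, size in sections), default=0)
    overlay = max(0, len(data) - end)
    entropies = [(name, round(shannon_entropy(data[ptr:ptr + size]), 2)) for name, ptr, size in sections]
    flagged = overlay > 0 or any(e > high for _, e in entropies)
    return overlay, entropies, flagged


def build_test_pe(overlay_len=100):
    """Constructed minimal PE: i386, two sections, SizeOfOptionalHeader 0, optional overlay."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                          # e_lfanew: PE signature at offset 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)   # Machine, NumberOfSections, ..., SizeOfOptionalHeader, Characteristics
    data_start = 64 + 4 + 20 + 40 * 2
    text = b"A" * 256                                              # constant bytes: entropy 0.0
    blob, seed = b"", b"seed"
    while len(blob) < 1024:                                        # SHA-256 chain: pseudo-random, entropy near 8
        seed = hashlib.sha256(seed).digest()
        blob += seed
    hdr = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, relocs, linenos, nrelocs, nlinenos, Characteristics
    s1 = struct.pack(hdr, b".text", len(text), 0x1000, len(text), data_start, 0, 0, 0, 0, 0x60000020)
    s2 = struct.pack(hdr, b".data", len(blob), 0x2000, len(blob), data_start + len(text), 0, 0, 0, 0, 0xC0000040)
    return bytes(dos) + b"PE\0\0" + coff + s1 + s2 + text + blob + b"\x90" * overlay_len


if __name__ == "__main__":
    print(overlay_and_entropy(build_test_pe()))
```

The constructed image flags on both counts: a 100-byte overlay and a .data section near 8 bits per byte. Running the same function over a WiX or other self-extracting installer will typically flag too, which is the false-positive case the rule author warns about; treat a hit as a prompt to look at what the overlay and high-entropy sections contain, not as a verdict.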

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: Microsoft Software Installer (MSI) msi fc56d7b5fcad1e841cbb006174b96d03f672dcd2c5d23ad0cf84adc5437607e8 (this sample)

Delivery method: Distributed via web download

Comments