YARAify Scan Results
You are viewing the YARAify database entry for the file with the SHA256 hash 857ef0245d9f0f6782b8349cd3982d9400fa5100b1bb8b2197d4610b63d1da11.
Scan Results
| Field | Value |
|---|---|
| SHA256 hash: | 857ef0245d9f0f6782b8349cd3982d9400fa5100b1bb8b2197d4610b63d1da11 |
| File size: | 2'878'464 bytes |
| File download: | Original |
| MIME type: | application/x-msi |
| MD5 hash: | 994c0f0e110c35bb881a8d6a98eaab40 |
| SHA1 hash: | cfdc4a866f958e1efa4fbb1b79a1b5e2ff9ae039 |
| SHA3-384 hash: | 6460110f0b0d09aadd8fd1b9a98c5ef74e55e1b7ff34787074d7eead4f1296609ede97ebe45a230fd4798a1e826190ec |
| First seen: | 2026-03-18 23:23:10 UTC |
| Last seen: | 2026-03-18 23:36:15 UTC |
| Sightings: | 3 |
| imphash: | n/a |
| ssdeep: | 49152:V2NJrMf+7UVZDEFe1qYaZrf5jSTUialii4vLNgmUESIEjPMN2lv+oBtYRMV3eVoW:cq+hjSTB1i4veHjPMNaJYRMV39qAM |
| TLSH: | n/a |
| telfhash: | n/a |
| gimphash: | n/a |
| dhash icon: | n/a |
Tasks
There are 3 tasks on YARAify for this particular file. The most recent ones (up to 10) are shown below.
Task Information
| Field | Value |
|---|---|
| Task ID: | 4158649a-2323-11f1-b47f-42010aa4000b |
| File name: | 857ef0245d9f0f6782b8349cd3982d9400fa5100b1bb8b2197d4610b63d1da11.msi |
| Task parameters: | ClamAV scan: True |
| | Unpack: False |
| | Share file: True |
ClamAV Results
The file matched the following open source and commercial ClamAV rules.
| Signature |
|---|
| Sanesecurity.Badmacro.Doc.newobj.UNOFFICIAL |
| Sanesecurity.Badmacro.Doc.pshel.UNOFFICIAL |
YARA Results
Static Analysis
The following YARA rules matched on the file (static analysis).
| Rule name | Author | Description | Reference | TLP | Repository |
|---|---|---|---|---|---|
| classified | classified | classified | | TLP:AMBER | |
| DebuggerCheck__API | | | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara | TLP:WHITE | |
| DebuggerCheck__QueryInfo | | | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara | TLP:WHITE | |
| Detect_MSI_LATAM_Banker_From_LatAm | | | | TLP:WHITE | YARAify |
| detect_powershell | daniyyell | Detects suspicious PowerShell activity related to malware execution | | TLP:WHITE | YARAify |
| Detect_PowerShell_Obfuscation | daniyyell | Detects obfuscated PowerShell commands commonly used in malicious scripts. | | TLP:WHITE | YARAify |
| FreddyBearDropper | Dwarozh Hoshiar | Freddy Bear Dropper is dropping a malware through base64 encoded powershell script. | | TLP:WHITE | YARAify |
| MD5_Constants | phoul (@phoul) | Look for MD5 constants | | TLP:WHITE | |
| NET | malware-lu | | | TLP:WHITE | |
| Sus_CMD_Powershell_Usage | XiAnzheng | May Contain (Obfuscated or no) Powershell or CMD Command that can be abused by threat actor (can create FP) | | TLP:WHITE | YARAify |
| Suspicious_Process | Security Research Team | Suspicious process creation | | TLP:WHITE | YARAify |
| WIN_ClickFix_Detection | dogsafetyforeverone | Detects ClickFix social engineering technique using 'Verify you are human' messages and malicious PowerShell commands | ClickFix social engineering and malicious PowerShell commands | TLP:WHITE | YARAify |
Unpacker
The following YARA rules matched on the unpacked file.
Unpacked Files
The following files could be unpacked from this sample.
Task Information
| Field | Value |
|---|---|
| Task ID: | 03fd6482-2323-11f1-b47f-42010aa4000b |
| File name: | 994c0f0e110c35bb881a8d6a98eaab40 |
| Task parameters: | ClamAV scan: True |
| | Unpack: False |
| | Share file: True |
ClamAV Results
The file matched the following open source and commercial ClamAV rules.
| Signature |
|---|
| Sanesecurity.Badmacro.Doc.newobj.UNOFFICIAL |
| Sanesecurity.Badmacro.Doc.pshel.UNOFFICIAL |
YARA Results
Static Analysis
The following YARA rules matched on the file (static analysis).
| Rule name | Author | Description | Reference | TLP | Repository |
|---|---|---|---|---|---|
| classified | classified | classified | | TLP:AMBER | |
| DebuggerCheck__API | | | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara | TLP:WHITE | |
| DebuggerCheck__QueryInfo | | | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara | TLP:WHITE | |
| Detect_MSI_LATAM_Banker_From_LatAm | | | | TLP:WHITE | YARAify |
| detect_powershell | daniyyell | Detects suspicious PowerShell activity related to malware execution | | TLP:WHITE | YARAify |
| Detect_PowerShell_Obfuscation | daniyyell | Detects obfuscated PowerShell commands commonly used in malicious scripts. | | TLP:WHITE | YARAify |
| FreddyBearDropper | Dwarozh Hoshiar | Freddy Bear Dropper is dropping a malware through base64 encoded powershell script. | | TLP:WHITE | YARAify |
| MD5_Constants | phoul (@phoul) | Look for MD5 constants | | TLP:WHITE | |
| NET | malware-lu | | | TLP:WHITE | |
| Sus_CMD_Powershell_Usage | XiAnzheng | May Contain (Obfuscated or no) Powershell or CMD Command that can be abused by threat actor (can create FP) | | TLP:WHITE | YARAify |
| Suspicious_Process | Security Research Team | Suspicious process creation | | TLP:WHITE | YARAify |
| WIN_ClickFix_Detection | dogsafetyforeverone | Detects ClickFix social engineering technique using 'Verify you are human' messages and malicious PowerShell commands | ClickFix social engineering and malicious PowerShell commands | TLP:WHITE | YARAify |
Unpacker
The following YARA rules matched on the unpacked file.
Unpacked Files
The following files could be unpacked from this sample.
Task Information
| Field | Value |
|---|---|
| Task ID: | 6dfcf536-2321-11f1-b47f-42010aa4000b |
| File name: | resources.msi |
| Task parameters: | ClamAV scan: True |
| | Unpack: True |
| | Share file: True |
ClamAV Results
The file matched the following open source and commercial ClamAV rules.
| Signature |
|---|
| Sanesecurity.Badmacro.Doc.newobj.UNOFFICIAL |
| Sanesecurity.Badmacro.Doc.pshel.UNOFFICIAL |
YARA Results
Static Analysis
The following YARA rules matched on the file (static analysis).
| Rule name | Author | Description | Reference | TLP | Repository |
|---|---|---|---|---|---|
| classified | classified | classified | | TLP:AMBER | |
| DebuggerCheck__API | | | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara | TLP:WHITE | |
| DebuggerCheck__QueryInfo | | | https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara | TLP:WHITE | |
| Detect_MSI_LATAM_Banker_From_LatAm | | | | TLP:WHITE | YARAify |
| detect_powershell | daniyyell | Detects suspicious PowerShell activity related to malware execution | | TLP:WHITE | YARAify |
| Detect_PowerShell_Obfuscation | daniyyell | Detects obfuscated PowerShell commands commonly used in malicious scripts. | | TLP:WHITE | YARAify |
| FreddyBearDropper | Dwarozh Hoshiar | Freddy Bear Dropper is dropping a malware through base64 encoded powershell script. | | TLP:WHITE | YARAify |
| MD5_Constants | phoul (@phoul) | Look for MD5 constants | | TLP:WHITE | |
| NET | malware-lu | | | TLP:WHITE | |
| Sus_CMD_Powershell_Usage | XiAnzheng | May Contain (Obfuscated or no) Powershell or CMD Command that can be abused by threat actor (can create FP) | | TLP:WHITE | YARAify |
| Suspicious_Process | Security Research Team | Suspicious process creation | | TLP:WHITE | YARAify |
| WIN_ClickFix_Detection | dogsafetyforeverone | Detects ClickFix social engineering technique using 'Verify you are human' messages and malicious PowerShell commands | ClickFix social engineering and malicious PowerShell commands | TLP:WHITE | YARAify |
Unpacker
The following YARA rules matched on the unpacked file.
Unpacked Files
The following files could be unpacked from this sample.