MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 951c2f341e914601140aa9ead05895f6957d5cbfda80b81be99015d2be02d44f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Metamorfo

Vendor detections: 8

SHA256 hash: 951c2f341e914601140aa9ead05895f6957d5cbfda80b81be99015d2be02d44f
SHA3-384 hash: 644b915b201bc2d6d3647e50162d4b6864db8b8476134c0f65e289705147ba855f7f39d412d77d4cd0165e247d603f6e
SHA1 hash: 338829d2c88f430b0d00bfb03ad8a43649b4e1d8
MD5 hash: f2836216ca554dfdc8a300decb644911
humanhash: harry-queen-west-network
File name: FORM_PIX XJTVCZG.msi
Signature: Metamorfo
File size: 976'384 bytes
First seen: 2021-10-25 08:36:14 UTC
Last seen: 2021-10-25 15:29:20 UTC
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 24576:zRvtkeYe9oWVRT7FOfOBffR0YcBTTpVtp+GHABYP:zRj9oWVRT7FygfR0YwT1Vtp+GHABY
Threatray: 1'306 similar samples on MalwareBazaar
TLSH: T14E258D217296C537C97E0570352ECBAB05297EB04BB284EB63C86D2F1D729C25371EA7
Reporter: AndreGironda
Tags: MetaMorfo msi


Comment by AndreGironda:
MITRE T1566.001
Date: Mon, 25 Oct 2021 00:00-00:30 +0000 (UTC)
Received: from f79.user-online01.com (52.243.78.50)
content-type: text/html
Subject: ✅ <removed>, Pix Recebido com Sucesso- - ID:914767914767
From: BCO-CENTRAL <gerencia-central86236@f79.user-online01.com>
Message-Id: <20211025002820.F02423FB76@f79.user-online01.com>
Return-Path: root@f79.user-online01.com
Malicious URL: hXXps://res.cloudinary[.]com/dpxbbemsn/raw/upload/v1634858510/chegouseupix_d2av9g.html
Microsoft Installer Name: FORM_PIX XJTVCZG.msi
MSI SHA256: 951c2f341e914601140aa9ead05895f6957d5cbfda80b81be99015d2be02d44f
Unpacked DLL 1 SHA256: 23179a9183cb0c0d3e10bfbf6edd5b1d92244ea1ae3120bb008ac09cea59b217
Unpacked DLL 2 SHA256: 5b6cdda58dabeb641d45086144e3b2e92ae1ba2c7a10cfdb4c6db09ca971d45b
Unpacked Executable SHA256: 35a42f9ea63f72cda8a6c7af60a3fac081154128cba2bf7a7392d85383b6d18a
Stage 1 URL: hXXp://ec2-18-231-149-132.sa-east-1.compute.amazonaws[.]com/mod2.zip
Stage 2 URL: hXXps://759c87514850247c.s3.us-east-2.amazonaws[.]com/0321F9132EC97FDC5EE532FF.zip
Stage 3 URL: hXXps://unterteks.eastus2.cloudapp.azure[.]com/gbuster/barman.php
Stage 4 URL: hXXps://pspentregasonline[.]com/cor/amarelo.txt
Stage 1 Zipfile Name: mod2.zip
Stage 1 Zipfile SHA256: e44b18cfc6e3ae2e161f1c5bf59716754f734a48b8cda07e42f32bc55bc07a4f
Unzipped DLL Name: rqvufRfLLN.dll
Culebra Variant DLL SHA256: 2f8b16754738ee4c6bbc63da55e8162f75906b62991081b81e8ca24552123025
Unpacked Culebra Variant DLL SHA256: e6bf7bc4b7f5235a307f5253ef3595d8aa50fefcfdb141d0e75c108676a584cd
C2: 20.206.126.228:55516

Intelligence


File Origin
# of uploads: 2
# of downloads: 231
Origin country: n/a

Vendor Threat Intelligence
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 60 / 100
Signature:
Contains functionality to create processes via WMI
Creates processes via WMI
Machine Learning detection for dropped file
PE file has nameless sections
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Behavior Graph ID 507576 (sample: FORM_PIX EYMVDUI.msi; start date: 22/10/2021; architecture: WINDOWS; score: 60), flattened from the graph image:
Top-level signatures: Machine Learning detection for dropped file; PE file has nameless sections; Contains functionality to create processes via WMI
Started processes: msiexec.exe (two instances), AEUOFCitSdzv.exe (two instances)
msiexec.exe: drops C:\Windows\Installer\MSICCA3.tmp, C:\Windows\Installer\MSIC8B9.tmp, C:\Windows\Installer\MSIC694.tmp (all PE32) and 3 other files (none malicious); starts a child msiexec.exe
AEUOFCitSdzv.exe: contacts 20.206.126.228 (ports 49771, 49772, 55551; MICROSOFT-CORP-MSN-AS-BLOCKUS, United States), pspentregasonline.com at 52.168.25.36 (ports 443, 49770; MICROSOFT-CORP-MSN-AS-BLOCKUS, United States) and 192.168.2.1 (unknown); starts cmd.exe
Child msiexec.exe: contacts ec2-18-231-149-132.sa-east-1.compute.amazonaws.com at 18.231.149.132 (ports 49748, 80; AMAZON-02US, United States), s3-r-w.us-east-2.amazonaws.com at 52.219.99.50 (ports 443, 49750; AMAZON-02US, United States) and 759c87514850247c.s3.us-east-2.amazonaws.com; drops C:\Users\user\oByCKKjCfIcs\bassmidi.dll (PE32), C:\Users\user\oByCKKjCfIcs\Isname.name (PE32), C:\Users\user\oByCKKjCfIcs\AEUOFCitSdzv.zip (Zip) and 13 other files (none malicious); starts WMIC.exe
cmd.exe: Uses schtasks.exe or at.exe to add and modify task schedules; starts conhost.exe and schtasks.exe
WMIC.exe: Creates processes via WMI; starts conhost.exe
Threat name: Script-JS.Trojan.Bomber
Status: Malicious
First seen: 2021-10-22 23:08:52 UTC
AV detection: 7 of 45 (15.56%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Enumerates connected drives
Loads dropped DLL
Blocklisted process makes network request

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: suspicious_msi_file
Author: Johnk3r
Description: Detects common strings, DLL and API in Banker_BR

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Signature: Metamorfo
File type: Microsoft Software Installer (MSI) msi
SHA256: 951c2f341e914601140aa9ead05895f6957d5cbfda80b81be99015d2be02d44f (this sample)

Comments