MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be1ff9ea0cd1d99838eedabc9d4faba081d1fbf9c7c94d2575b70c64ba2298ed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Casbaneiro

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	be1ff9ea0cd1d99838eedabc9d4faba081d1fbf9c7c94d2575b70c64ba2298ed
SHA3-384 hash:	a2fb132d61cd0836aa2b53864bf7f9223fe4b8062e72f6dfb1f672e560280e921d69fd21d7bfe09cb1f7d7977fd66d17
SHA1 hash:	18171cd193dc33447a9e9fefe23f957c704b5063
MD5 hash:	98ee294a855c8bf1ca24b30ff2ce7f44
humanhash:	cup-jersey-don-five
File name:	FACT-5RU374UR5ND2TAJ1#______________________________________________#mx.msi
Download:	download sample
Signature	Casbaneiro Create hunting rule
File size:	16'545'280 bytes
First seen:	2020-11-20 05:43:21 UTC
Last seen:	Never
File type:	msi
MIME type:	application/x-msi
ssdeep	196608:YxVwHsizePUiJzMGYru4uYSb8jSdhH5bczk/+GH/mrrhdnp7Iop:YxHjPMXru4uYzjS7H5bcQInpko
Threatray	16 similar samples on MalwareBazaar
TLSH	0AF6C023B688A53ED0AA0A7A4437E55C993F7A723912CC5F67F4098C4F359806B3B717
Reporter	JAMESWT_WT
Tags:	casbaneiro msi spy

Intelligence

File Origin

# of uploads :

1

# of downloads :

121

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/be1ff9ea0cd1d99838eedabc9d4faba081d1fbf9c7c94d2575b70c64ba2298ed/

Threat name:

Document-OLE.Trojan.Banbra

Status:

Malicious

First seen:

2020-11-19 19:29:29 UTC

File Type:

Binary (Archive)

Extracted files:

260

AV detection:

4 of 29 (13.79%)

Threat level:

5/5

Verdict:

malicious

Similar samples:

090875aa772527ebf603d65d2895f4a21e85b150983e9a40ff3d52314f844b70

38c4baea01347f88b497f928343cb19d1e68a693369da7cecdde067281e26fa9

673f9c2552c570917771e358a1db92e4e7af8b9d885f325cf9408ab1f65b4520

76eab867aae0dcb9ec96ed5fca30fc051ac776981fa997c0b2b0e09905932aa6

9f0d3b49b6eea3eff22dce2838b10e8e3b03c45f31212f8d26ae31cd576f1104

acd0ae8b296ee3fd7d01547b5220877770538fb76144b237f81377e3241726b3

b171d7cebed4d9ba4e5a119286ad18d0a6460155dd2be2af522739f0549ca0c8

bbf1cebce86dde95f8a66414a1106ae2494b57c7b3d36d6df16b8ddef74e6346

c55d93f8c25e4ed3886cc125f129ded48bf781990a143cbe5996f38fd2ab7fc7

dddaa72573b6b7c2fa0559290c70ee18c5a0236bf43d99bd1c7fb866929ea6e8

+ 6 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/201120-t3c27zye6n/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Enumerates connected drives

JavaScript code in executable

Loads dropped DLL

Blacklisted process makes network request

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample