MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0241a17a20b2cdc613afedfd6f26f952d79613944f0b7435ea2c87a4ad0f9bf8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Metamorfo


Vendor detections: 9


Intelligence 9 IOCs YARA 7 File information Comments

SHA256 hash: 0241a17a20b2cdc613afedfd6f26f952d79613944f0b7435ea2c87a4ad0f9bf8
SHA3-384 hash: 270374c4d08ed35d634d12aeec1500264a757d7a639dd5b38e21afaec8d15a3b51ed13272e96734df64dce56c0df6944
SHA1 hash: 472b6c2f61e20eb58fe6667ebfcc102a3c9f079d
MD5 hash: d9280cb3f21430278ad6657c04fb1411
humanhash: alabama-foxtrot-seventeen-ceiling
File name:0241a17a20b2cdc613afedfd6f26f952d79613944f0b7435ea2c87a4ad0f9bf8
Download: download sample
Signature Metamorfo
File size:2'027'008 bytes
First seen:2025-02-21 19:51:04 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 24576:akvBx5NlduPYAGxUherZNh0lhSMXlrI5s2JK5kmw5Vt9kQNmBUGF/pWRTg:bv/qP5Ferq7I5RJK5k1IQCpcg
TLSH T15995BF21B3CBC522E66D0277F92DFE2E143DBD63073040D77AE9795A5C748C2667AA02
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter johnk3r
Tags:185-101-93-233 185-101-93-72 banker MetaMorfo msi

Intelligence


File Origin
# of uploads :
1
# of downloads :
50
Origin country :
CH CH
Vendor Threat Intelligence
Verdict:
Malicious
Score:
96.5%
Tags:
shellcode dropper virus
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
adaptive-context cmd fingerprint lolbin obfuscated remote wix
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
76 / 100
Signature
Creates multiple autostart registry keys
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to evade analysis by execution special instruction (VM detection)
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1621365 Sample: 4y0bSOT883.msi Startdate: 21/02/2025 Architecture: WINDOWS Score: 76 42 Multi AV Scanner detection for submitted file 2->42 44 PE file contains section with special chars 2->44 46 Tries to evade analysis by execution special instruction (VM detection) 2->46 48 Switches to a custom stack to bypass stack traces 2->48 7 msiexec.exe 3 18 2->7         started        10 rundll32.exe 2->10         started        12 msiexec.exe 3 2->12         started        14 4 other processes 2->14 process3 file4 30 C:\Windows\Installer\MSID661.tmp, PE32 7->30 dropped 32 C:\Windows\Installer\MSID602.tmp, PE32 7->32 dropped 34 C:\Windows\Installer\MSID5C3.tmp, PE32 7->34 dropped 36 2 other malicious files 7->36 dropped 16 msiexec.exe 6 36 7->16         started        process5 dnsIp6 38 185.101.93.233, 49731, 80 MYVIRTUALSERVERmyVirtualserverDE Germany 16->38 24 C:\ProgramData\USOShared\...\in_flac.dll, PE32 16->24 dropped 26 C:\ProgramData\USOShared\...\coolplayer+.dll, PE32 16->26 dropped 28 C:\ProgramData\...\R0CGQ6wctyIA..exe (copy), PE32 16->28 dropped 20 R0CGQ6wctyIA .exe 2 1 16->20         started        file7 process8 dnsIp9 40 185.101.93.72 MYVIRTUALSERVERmyVirtualserverDE Germany 20->40 50 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 20->50 52 Query firmware table information (likely to detect VMs) 20->52 54 Creates multiple autostart registry keys 20->54 56 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 20->56 signatures10
Threat name:
Win32.Trojan.Znyonm
Status:
Malicious
First seen:
2025-02-21 19:51:16 UTC
File Type:
Binary (Archive)
Extracted files:
212
AV detection:
11 of 24 (45.83%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  6/10
Tags:
discovery persistence privilege_escalation
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Blocklisted process makes network request
Enumerates connected drives
Verdict:
Malicious
Tags:
stealer metamorfo
YARA:
metamorfo_msi
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_LATAM_MSI_Banker
Rule name:metamorfo_msi
Author:jeFF0Falltrades
Description:This is a simple, albeit effective rule to detect most Metamorfo initial MSI payloads
Rule name:Suspicious_Latam_MSI_and_ZIP_Files
Author:eremit4, P4nd3m1cb0y
Description:Detects suspicious .msi and .zip files used in Latam banking trojan campaigns.
Rule name:suspicious_msi_file
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR
Rule name:win_unidentified_072_w0
Author:jeFF0Falltrades
Description:This is a simple, albeit effective rule to detect most Metamorfo initial MSI payloads

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments