MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0aa284db0c537a4fba1a41c326029587bc4538ed2a0ba704c16ed7ef8fd54970. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0aa284db0c537a4fba1a41c326029587bc4538ed2a0ba704c16ed7ef8fd54970
SHA3-384 hash: 5c8bbadc6dc73c2a8d087a4beb812f03a03ba1331bdea9b9bfcbea50d1d8dee916489f0675824339eb81ade819b84680
SHA1 hash: d5841c2b1c264cd536f1dee638aa0da86d03b537
MD5 hash: ddbcf5bce86a087b501cb720b2936065
humanhash: nitrogen-berlin-pennsylvania-white
File name:Sgnd_NF-esViaClientDofXrtx_�ANXRTS.msi
Download: download sample
File size:1'476'096 bytes
First seen:2022-11-11 10:04:30 UTC
Last seen:2022-11-11 11:49:31 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 24576:8Upx/NUYwcv/2qS0Ygll5RRYM/ZX0A412h2SekeUuyZD6lvs0zIa3Lu:8UVUYZ88RRYGZX0AfTreUuyZD6lvVzDi
Threatray 6'906 similar samples on MalwareBazaar
TLSH T1BF659D21338AC13BD9AE0270252996AF6579FDA30B3140D7A3C8293EADF45D16739F53
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter abuse_ch
Tags:msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/332371/
Detection(s):
Sanesecurity.Malware.27358.ScrHeur.Avicii.UNOFFICIAL
Create hunting rule

Sanesecurity.Badmacro.Doc.pshel.UNOFFICIAL
Create hunting rule

Sanesecurity.Badmacro.Doc.newobj.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
shell32.dll
Link:
https://www.filescan.io/uploads/636e1e527662ecf10839b375/reports/3a2af3c2-3f1a-492a-acc9-703405f9394a/overview
Result
Verdict:
SUSPICIOUS
Link:
https://labs.inquest.net/dfi/sha256/0aa284db0c537a4fba1a41c326029587bc4538ed2a0ba704c16ed7ef8fd54970
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.troj.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1111244
Signature
Bypasses PowerShell execution policy
Contains functionality to infect the boot sector
Hides threads from debuggers
Powershell drops PE file
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Uses shutdown.exe to shutdown or reboot the system
Yara detected MalDoc
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 743938 Sample: Sgnd_NF-esViaClientDofXrtx_... Startdate: 11/11/2022 Architecture: WINDOWS Score: 76 53 Yara detected MalDoc 2->53 55 Contains functionality to infect the boot sector 2->55 8 msiexec.exe 3 18 2->8         started        11 IntelGraphicsAGS5507 .exe 3 2->11         started        15 IntelGraphicsAGS5507 .exe 2 2->15         started        17 msiexec.exe 2 2->17         started        process3 dnsIp4 33 C:\Windows\Installer\64a30f.msi, Composite 8->33 dropped 35 C:\Windows\Installer\MSIAB23.tmp, PE32 8->35 dropped 37 C:\Windows\Installer\MSIA8BF.tmp, PE32 8->37 dropped 39 3 other files (none is malicious) 8->39 dropped 19 msiexec.exe 8 8->19         started        51 octa.pumzedydqxnxybwnoakbt.com 5.189.201.64, 443, 49717, 49718 PINDC-ASRU Russian Federation 11->51 63 Query firmware table information (likely to detect VMs) 11->63 65 Hides threads from debuggers 11->65 67 Tries to detect sandboxes / dynamic malware analysis system (registry check) 11->67 22 explorer.exe 11->22 injected file5 signatures6 process7 signatures8 57 Bypasses PowerShell execution policy 19->57 24 powershell.exe 17 24 19->24         started        process9 dnsIp10 49 stillmarckemeu.gelattssorvetes.com 173.82.206.146, 443, 49711 MULTA-ASN1US United States 24->49 41 C:\Users\user\AppData\...\sptdintf.dll (copy), PE32+ 24->41 dropped 43 C:\Users\user\...\imgengine.dll (copy), PE32+ 24->43 dropped 45 C:\Users\...\IntelGraphicsAGS5507..exe (copy), PE32+ 24->45 dropped 47 3 other malicious files 24->47 dropped 59 Uses shutdown.exe to shutdown or reboot the system 24->59 61 Powershell drops PE file 24->61 29 conhost.exe 24->29         started        31 shutdown.exe 1 24->31         started        file11 signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0aa284db0c537a4fba1a41c326029587bc4538ed2a0ba704c16ed7ef8fd54970/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bkrijwymkn5e7oq2ihbsmauvq66ekohnfif2obgbn3l67d6vjfya._file
Verdict:
unknown
Similar samples:
0ca5c734d0f935bcb1d2ba2345150127daa31d05dc7b3363a2b5215de83ab16f
47fc82f745787ef02d2e51a15e7ce14ab2a1a278b82a49840a48cc337782aac1
51037666d1982db93e3123e88594d409805d3f1d970e9f926dcadb99f77f50f6
54dc032c3503998eaa404dde9c677851856838e737edb3d198fb7c173562859e
8226b5885ea94def0a895da5a98fdcbd826da231a0eaded5bfa380a84cf8d0d9
93b19478b4902aa33f9722f5dd0c209cd0e7246d4ad6b3837dbe4eb8b103386b
99306ce091ffc74939ea41621dd8e947086f6728083a2ff24aa02e3ae91905bd
a647e223490db9af36e0794732566345a266e8793bc9a3e45ea58b5cbcd8435c
ec7ee9dde198537f08df06105918ea77c1be48e8b988b4a9c3f54e7d27628de8
+ 6'896 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/221111-l4hpashb5x/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Enumerates connected drives
Loads dropped DLL
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.88
Link:
https://yomi.yoroi.company/submissions/0aa284db0c537a4fba1a41c326029587bc4538ed2a0ba704c16ed7ef8fd54970

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CMD_Shutdown
Create hunting rule
Author:adm1n_usa32
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/332371/

Comments