MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0e6ed4c85813787c140645637a3f8540534693cae1846de92d0e0412e38e7b8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0e6ed4c85813787c140645637a3f8540534693cae1846de92d0e0412e38e7b8d
SHA3-384 hash: 357b7e8d8ff9d1b1549b6e799f3b4db66291c925eda366a1c6e8e26b682c6ff5ce9a717fa639097c3808319fbec4f7a9
SHA1 hash: 11bd59d0f6d87ad7ba3f5ef48407a05e72891687
MD5 hash: 40fe268d3b25428d1989db3a29d9cbfb
humanhash: diet-purple-pasta-pennsylvania
File name:informa-protestos444-bu9EXDnV.msi
Download: download sample
File size:539'136 bytes
First seen:2021-10-20 06:57:35 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 12288:c2qDYvjJDJdQflxuOhr6IF3CP5pu1jLkHMt5O3At:c2KYvjJDJdMxuqjFt83A
Threatray 118 similar samples on MalwareBazaar
TLSH T14FB48D1172DAC933D6BE06703A2AD35A45697D2047F2C8EF53C82E5E1EB25C15237FA2
Reporter abuse_ch
Tags:msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
224
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/198757/
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/616fbdfe9a5a1e91c5c715f2/reports/9e3c24c9-8955-4e30-be37-e9725b56d25c/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/0e6ed4c85813787c140645637a3f8540534693cae1846de92d0e0412e38e7b8d
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/873623
Signature
Antivirus detection for dropped file
Connects to a pastebin service (likely for C&C)
Creates multiple autostart registry keys
Hides threads from debuggers
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses cmd line tools excessively to alter registry or file data
Uses shutdown.exe to shutdown or reboot the system
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 506050 Sample: informa-protestos444-bu9EXDnV.msi Startdate: 20/10/2021 Architecture: WINDOWS Score: 84 79 Antivirus detection for dropped file 2->79 81 Tries to detect sandboxes and other dynamic analysis tools (window names) 2->81 83 Connects to a pastebin service (likely for C&C) 2->83 85 PE file contains section with special chars 2->85 9 7KLtb .exe 8 8 2->9         started        14 msiexec.exe 9 31 2->14         started        16 7KLtb .exe 2 2->16         started        18 3 other processes 2->18 process3 dnsIp4 73 fastsblended.net 9->73 75 edge-block-www-env.dropbox-dns.com 162.125.66.15, 443, 49764 DROPBOXUS United States 9->75 77 4 other IPs or domains 9->77 57 C:\Bezerk_Nintendo  \imguser.dll, PE32+ 9->57 dropped 59 C:\Bezerk_Nintendo  \F22dFrk.exe, PE32+ 9->59 dropped 61 C:\Bezerk_Nintendo  \sptdintf.dll, PE32+ 9->61 dropped 91 Query firmware table information (likely to detect VMs) 9->91 93 Hides threads from debuggers 9->93 95 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->95 20 cmd.exe 1 9->20         started        63 C:\Windows\Installer\MSICF22.tmp, PE32 14->63 dropped 65 C:\Windows\Installer\MSICDF8.tmp, PE32 14->65 dropped 67 C:\Windows\Installer\MSICCCE.tmp, PE32 14->67 dropped 69 2 other files (none is malicious) 14->69 dropped 23 msiexec.exe 4 9 14->23         started        file5 signatures6 process7 dnsIp8 87 Uses cmd line tools excessively to alter registry or file data 20->87 27 reg.exe 1 1 20->27         started        30 conhost.exe 20->30         started        71 stopshopping.net 3.142.232.194, 443, 49757 AMAZON-02US United States 23->71 49 C:\userlDQYd \imguser.dll, PE32+ 23->49 dropped 51 C:\userlDQYd.\7KLtb..exe (copy), PE32+ 23->51 dropped 53 C:\userlDQYd \sptdintf.dll, PE32+ 23->53 dropped 55 C:\userlDQYd \01HJtcPMoBNjPXkOBXs3cXa7TRk, PE32+ 23->55 dropped 32 cmd.exe 1 23->32         started        34 cmd.exe 1 23->34         started        file9 signatures10 process11 signatures12 97 Creates multiple autostart registry keys 27->97 99 Uses cmd line tools excessively to alter registry or file data 32->99 101 Uses shutdown.exe to shutdown or reboot the system 32->101 36 reg.exe 1 1 32->36         started        39 conhost.exe 32->39         started        41 shutdown.exe 1 34->41         started        43 conhost.exe 34->43         started        process13 signatures14 89 Creates multiple autostart registry keys 36->89 45 conhost.exe 36->45         started        47 conhost.exe 41->47         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0e6ed4c85813787c140645637a3f8540534693cae1846de92d0e0412e38e7b8d/
Threat name:
Script-JS.Trojan.Cryxos
Create hunting rule
Status:
Malicious
First seen:
2021-10-20 06:58:06 UTC
AV detection:
5 of 44 (11.36%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bzxnjscycn4hyfagivrxup4fibjune6k4gcg32jnbycbfy4opogq._file
Verdict:
unknown
Similar samples:
0705fe9b304bb863cc3e69938d64ddf73161b1231c4899505d70638926685f13
185e7914fb334360e83bb85bc6cdf7e3311b77f49197748b271803484050d38d
273179a54afa27a94c551c25219367773755bd1e90ce97fcf6a531796fd05413
276fe35ed289cc299cca3a511c089d5d9994bb21c26818946b9ae2a0e7f6f584
4320f2599b5f81fb714332fd4c804501dc91d14feec18b42ab0e37def23755de
533e5aced548178da1ba313246e0335fc73d228135ab56f40a1b4bc72fc0a134
766813a2d32e70dd895aa89f769d1db2e6acbb4107b3712775902da1ca6eff53
c5f8a697a886ddb9e866d2e9b7585c49f104ae15cc3cb480b54b2575368ab6fc
e8bbbdadb67d7e6046a13a4c88ff17d2fa524b782409d0c9b368fa0d7a774916
e9200c8a5ccb0bca2e40d3f618b056a552fbd7247396904a0d8ea70164fee886
+ 108 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/211020-hrh8hshffr/
Behaviour
Modifies data under HKEY_USERS
Modifies registry key
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Adds Run key to start application
Enumerates connected drives
Loads dropped DLL
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.25
Link:
https://yomi.yoroi.company/submissions/0e6ed4c85813787c140645637a3f8540534693cae1846de92d0e0412e38e7b8d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/198757/

Comments