MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12863ed0e87a424168e6a6c470014609b3cdd7253d4aadb1d122251f469f5466. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Metamorfo

Vendor detections: 8



SHA256 hash: 12863ed0e87a424168e6a6c470014609b3cdd7253d4aadb1d122251f469f5466
SHA3-384 hash: 306581fcd7a61ed5dec7e1e8d169e85974a7c9213bed62fe2194d4849a78e68710dd821666cbd492a870551e867d52ee
SHA1 hash: 91a75535941b373b40b768aa6fcafe9670aac1ef
MD5 hash: de9f22501e06c2d0ecaf14862823d457
humanhash: venus-spring-uniform-carpet
File name: de9f22501e06c2d0ecaf14862823d457.msi
Signature: Metamorfo
File size: 270'336 bytes
First seen: 2021-10-07 09:48:25 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 3072:Fmci/0903DaYGAxwgz88ereWn/7w05g0yMcB3RUN46ILJ9+ZB5yOanHI:FmZ3DaYGAM8er1nzTrrgI
Threatray: 4 similar samples on MalwareBazaar
TLSH: T125447D06B3D5437AE4DB13322B8F93628B72EC788663412B1259750E2EF1554B7B73E2
Reporter: abuse_ch
Tags: MetaMorfo msi

Intelligence

File Origin
Number of uploads: 1
Number of downloads: 204
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 72 / 100
Signature
Allocates memory in foreign processes
Contains functionality to create processes via WMI
Creates a thread in another existing process (thread injection)
Creates autostart registry keys with suspicious names
Creates processes via WMI
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Behaviour
Behavior Graph (ID: 498661; Sample: UT3vK4jelb.msi; Startdate: 07/10/2021; Architecture: WINDOWS; Score: 72)

Sample-level signatures:
    Multi AV Scanner detection for submitted file
    Contains functionality to create processes via WMI
Sample-level DNS/IP:
    chacaranggtanovoaurhj.com
Processes started by the sample: msiexec.exe, xLwfz.exe, msiexec.exe

msiexec.exe (first instance):
    Dropped: C:\Windows\Installer\MSIE351.tmp (PE32)
    Dropped: C:\Windows\Installer\MSIE18B.tmp (PE32)
    Started: msiexec.exe (child instance)

xLwfz.exe:
    Writes to foreign memory regions
    Allocates memory in foreign processes
    Creates a thread in another existing process (thread injection)
    Started: iexplore.exe

msiexec.exe (child instance):
    DNS/IP: s3-r-w.sa-east-1.amazonaws.com 52.95.165.51, port 443 (local port 49748), AMAZON-02US, United States
    DNS/IP: 4smhuttsd.s3.sa-east-1.amazonaws.com
    Dropped: C:\Users\user\...\xLwfz.exe (copy) (PE32)
    Dropped: C:\Users\user\Saved Games\...\bin.exe (PE32)
    Dropped: C:\Users\user\Saved Games\...\xLwfz.zip (Zip)
    Dropped: 6 other files (2 malicious)
    Started: WMIC.exe

iexplore.exe:
    DNS/IP: www.goole.com
    DNS/IP: chacaranggtanovoaurhj.com
    Creates autostart registry keys with suspicious names

WMIC.exe:
    Creates processes via WMI
    Started: conhost.exe
Threat name: Script.Downloader.SLoad
Status: Malicious
First seen: 2021-10-07 09:49:10 UTC
AV detection: 7 of 45 (15.56%)
Threat level: 3/5

Result
Malware family: n/a
Score: 8/10
Tags: macro persistence xlm
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies Control Panel
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Adds Run key to start application
Enumerates connected drives
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: metamorfo_msi
Author: jeFF0Falltrades
Description: This is a simple, albeit effective rule to detect most Metamorfo initial MSI payloads

Rule name: suspicious_msi_file
Author: Johnk3r
Description: Detects common strings, DLL and API in Banker_BR

Rule name: win_unidentified_072_w0
Author: jeFF0Falltrades
Description: This is a simple, albeit effective rule to detect most Metamorfo initial MSI payloads

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: Metamorfo
File type: Microsoft Software Installer (MSI) msi
SHA256: 12863ed0e87a424168e6a6c470014609b3cdd7253d4aadb1d122251f469f5466 (this sample)
