MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18671c68c7747e50802fa0d1294fcaab50646991fa926adb66f7ba58d7568c8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 9

SHA256 hash: 18671c68c7747e50802fa0d1294fcaab50646991fa926adb66f7ba58d7568c8d
SHA3-384 hash: a3102ee9d51ddb73668bae3da55586370a4793fb7af69d058dd350511798c7a2980021eaabcdbe808a55d8173e2da38f
SHA1 hash: 9cbfaaed1f5ba269c2daa74671229cdaaecf8799
MD5 hash: ffbb262dccc775d15086ac4faf75b61b
humanhash: music-tango-beryllium-whiskey
File name: WCSetupv1.21.1025.30736_Upgrade.msi
File size: 3'438'592 bytes
First seen: 2023-08-08 09:32:11 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 49152:YavYX5T68otYLN4bFvr/7RaKAbXGQt56YK1JeXl2aCDjKTEbpTglnOb0kSURn5dE:JYCtLAme4jKwbGOIzUy7Y3EKJZHk1
Threatray: 7 similar samples on MalwareBazaar
TLSH: T17BF5F11275C2C532D17E02702A28EB7A457EBE200BB199DB63DC5F2E1E725C25632F67
TrID: 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
      10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
      7.8% (.MSP) Windows Installer Patch (44509/10/5)
      1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter: 0xInjuxtice
Tags: msi signed

Code Signing Certificate

Organisation: Millennial Media Inc.
Issuer: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm: sha256WithRSAEncryption
Valid from: 2022-02-28T00:00:00Z
Valid to: 2023-02-28T23:59:59Z
Serial number: 0a253234e29f318f9b6846682e99078d
Cert Central Blocklist: This certificate is on the Cert Central blocklist
Thumbprint Algorithm: SHA256
Thumbprint: 420b0b9bd9773ebb3d9632019283ca919929c8a4a1f94b8b390493f55ab17442
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 1
# of downloads: 95
Origin country: GB

Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm control lolbin remote shell32 virus

Result
Threat name: n/a
Detection: malicious
Classification: troj.evad
Score: 88 / 100
Signature
Bypasses PowerShell execution policy
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Found suspicious powershell code related to unpacking or dynamic code loading
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Suspicious powershell command line found
Yara detected Generic Downloader
Behaviour
Behavior Graph ID: 1287606
Sample: WCSetupv1.21.1025.30736_Upg...
Start date: 08/08/2023
Architecture: WINDOWS
Score: 88
DNS resolutions at sample level: dkf201.com; d2vtta4ibs40qt.cloudfront.net
Signatures at sample level: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Suspicious powershell command line found; Yara detected Generic Downloader

Process tree (recovered from the behavior graph):
msiexec.exe (started by sample)
  dropped: C:\Windows\Installer\MSIE789.tmp (PE32); C:\Windows\Installer\MSI6BBB.tmp (PE32); C:\Windows\Installer\MSI6704.tmp (PE32); 7 other files (6 malicious)
  signatures: Creates autostart registry keys with suspicious values (likely registry only malware); Creates multiple autostart registry keys; Creates an autostart registry key pointing to binary in C:\Windows
  started: msiexec.exe
    dropped: C:\Users\user\AppData\...\pss5D81.tmp.ps1 (Unicode)
    signature: Bypasses PowerShell execution policy
    started: powershell.exe
      network: d2vtta4ibs40qt.cloudfront.net 18.165.185.70, 49684, 49688, 49691 MIT-GATEWAYSUS United States
      started: conhost.exe
    started: powershell.exe
      network: 18.165.185.156, 49687, 80 MIT-GATEWAYSUS United States
      started: conhost.exe
    started: powershell.exe
      started: conhost.exe
powershell.exe (started by sample)
  network: dkf201.com 18.165.183.70, 49686, 80 MIT-GATEWAYSUS United States; 18.165.185.177, 49685, 80 MIT-GATEWAYSUS United States; d2vtta4ibs40qt.cloudfront.net
  signatures: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Found suspicious powershell code related to unpacking or dynamic code loading
  started: conhost.exe
powershell.exe (started by sample)
  network: 192.168.2.1 unknown unknown
  started: conhost.exe
3 other processes (started by sample)
  started: conhost.exe; conhost.exe
Threat name: Binary.Adware.Blazer
Status: Malicious
First seen: 2022-11-23 12:03:02 UTC
File Type: Binary (Archive)
Extracted files: 89
AV detection: 6 of 38 (15.79%)
Threat level: 1/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence

Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: maldoc_OLE_file_magic_number
Author: Didier Stevens (https://DidierStevens.com)

Rule name: suspicious_msi_file
Author: Johnk3r
Description: Detects common strings, DLL and API in Banker_BR

Rule name: SUSP_Scheduled_Tasks_Create_From_Susp_Dir
Author: SECUINFRA Falcon Team
Description: Detects a PowerShell Script that creates a Scheduled Task that runs from a suspicious directory

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments