MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18e57acc198a3afad96f6fff17a0cc538da02afcba38036dda6cf1b8902efd2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 18e57acc198a3afad96f6fff17a0cc538da02afcba38036dda6cf1b8902efd2b
SHA3-384 hash: 6bd96cb8e284ae6e69e20a2e29a0823e4725f255315a0b9aacbc7eb6c884bc208df6ca309cf4b36028146b3e077648d0
SHA1 hash: c1efd25f69b6784596bae1d4b51154a91f887834
MD5 hash: 3aa473d7ce55eb5e5c0da9e81ccfc051
humanhash: blue-autumn-blossom-nebraska
File name:COMPROBANTE-ELECTRONICO-PAGO-CEP-41136d968a589ee7f4bf39cd15d31bd8e9fc.msi
Download: download sample
File size:6'368'768 bytes
First seen:2022-10-11 21:07:37 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 196608:uJaZD+w6603bX9Q+tBq8K7MY3sW+kycKb:uMn66gbNQX3lcW+knKb
Threatray 1'536 similar samples on MalwareBazaar
TLSH T162561223B2D74112C1AD057BE91AFE8E25B97E63472150F7BAF539CF14B08D0B276A42
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter malwarelabnet
Tags:msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/319060/
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
mekotio packed packed shell32.dll
Link:
https://www.filescan.io/uploads/6345db34aab5b3e31a6a908e/reports/3a117763-7ad5-4fb3-9601-319044f84138/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/18e57acc198a3afad96f6fff17a0cc538da02afcba38036dda6cf1b8902efd2b
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1088345
Signature
Antivirus detection for dropped file
Hides threads from debuggers
Machine Learning detection for dropped file
May check the online IP address of the machine
Overwrites code with function prologues
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample or dropped binary is a compiled AutoHotkey binary
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 720938 Sample: COMPROBANTE-ELECTRONICO-PAG... Startdate: 11/10/2022 Architecture: WINDOWS Score: 92 53 Antivirus detection for dropped file 2->53 55 Machine Learning detection for dropped file 2->55 57 PE file contains section with special chars 2->57 7 msiexec.exe 12 34 2->7         started        10 cmd.exe 1 2->10         started        12 cmd.exe 2->12         started        14 msiexec.exe 2 2->14         started        process3 file4 39 C:\Windows\Installer\MSI3CFA.tmp, PE32 7->39 dropped 41 C:\Windows\Installer\MSI3AA6.tmp, PE32 7->41 dropped 43 C:\Windows\Installer\MSI39DA.tmp, PE32 7->43 dropped 45 2 other malicious files 7->45 dropped 16 msiexec.exe 1 5 7->16         started        21 conhost.exe 10->21         started        23 gmL.T.exe 10->23         started        25 conhost.exe 12->25         started        27 gmL.T.exe 12->27         started        process5 dnsIp6 47 138.201.149.48, 3077, 49698 HETZNER-ASDE Germany 16->47 33 C:\Users\user\...\i59014i8n7758te70psss, PE32 16->33 dropped 35 C:\Users\user\AppData\...\gmL.T.exe (copy), PE32 16->35 dropped 37 C:\Users\user\AppData\...\exazdotuiz.qqe, PE32 16->37 dropped 59 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 16->59 61 Overwrites code with function prologues 16->61 29 gmL.T.exe 6 14 16->29         started        file7 signatures8 process9 dnsIp10 49 zautoservice.eu 137.74.179.200 OVHFR France 29->49 51 ipinfo.io 34.117.59.81 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 29->51 63 Query firmware table information (likely to detect VMs) 29->63 65 May check the online IP address of the machine 29->65 67 Tries to detect sandboxes and other dynamic analysis tools (window names) 29->67 69 4 other signatures 29->69 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/18e57acc198a3afad96f6fff17a0cc538da02afcba38036dda6cf1b8902efd2b/
Threat name:
Win32.Trojan.DllHijack
Create hunting rule
Status:
Malicious
First seen:
2022-10-10 14:58:51 UTC
File Type:
Binary (Archive)
Extracted files:
81
AV detection:
15 of 42 (35.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ddsxvtazri5pvwlpn77rpigmkog2akx4xi4ag3o2nty3rebo7uvq._file
Verdict:
unknown
Similar samples:
0097e775b3ed33d109e970472d5f8fd5d76caa2d28e42419bc2c8154033649af
0116480aba22121dfc6ea109e8f4e8cb09298c9fd15311a81c81bd1f8326c7bd
279ce901888969ce890380cbc2f88ec59529b2b722627015523fb1a054762592
27b5e52c0c575a9d1a1e460ee54fc4f411fd5783b886854d332253c4ff80c51e
34066150ffa7efa505b8d2246925cd8a32f83b9609438ae76aa27cef7388054d
5e1a5d98c60dc028f161a81f4b00e4e0a33ccaae0788ad61700a14e17e3f9e98
7321a205de31cb4c93f10a090316502922d9083dfc076c93903377f36ada3aca
cae8d5b0c88720750b5e60f76911971d31b4287678d50bdd64297291a0e221b5
cfa9c1d8b0ea8b947b89c01c9cbb87a70161a528337e5af00e855a70d350f22e
ffb318a5fd569396377f80259fb3b2ff02ef492efa1922ccbdd1bcdf1f43c162
+ 1'526 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion persistence themida trojan
Link:
https://tria.ge/reports/221011-zyv94aeed5/
Behaviour
Modifies Internet Explorer settings
Script User-Agent
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Enumerates connected drives
Looks up external IP address via web service
Checks BIOS information in registry
Loads dropped DLL
Themida packer
Blocklisted process makes network request
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/18e57acc198a/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/18e57acc198a3afad96f6fff17a0cc538da02afcba38036dda6cf1b8902efd2b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/319060/

Comments