MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ec3f1ae0b59152d86277d6ed5041cf39e5ddbfca31bddbcbe2ca33862e51252. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ec3f1ae0b59152d86277d6ed5041cf39e5ddbfca31bddbcbe2ca33862e51252
SHA3-384 hash: f7327dfd00809680c0a0a23e3143c99d2ce4cea8ab9bc4637059dc77561f58dacd7be93a777972811046edb827ca90e6
SHA1 hash: 80c37f015c51788ffed3888b7cee0db6d198285d
MD5 hash: 7329b9679b71bede54488583aa517853
humanhash: uranus-mirror-eleven-solar
File name:7329b9679b71bede54488583aa517853.msi
Download: download sample
File size:3'090'944 bytes
First seen:2021-11-18 08:53:04 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:5axb1Y5AYRFtk1F2dRj45Zize1bpQ0LrUSw9C8gTJq/19n+s9RFz+p:Eb1Y5ACtW8dRj4JlnvizR1Ys9RFz+
Threatray 10 similar samples on MalwareBazaar
TLSH T168E52307B6C74B3AC4AE0A31A69BC3368166BC705561C41B639D5B1D2EF36A4B3E33D1
Reporter abuse_ch
Tags:msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/207131/
Detection(s):
SecuriteInfo.com.Trojan-Spy.Agent.22897.UNOFFICIAL
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/619614ae43e8f62b6698728a/reports/32d802a2-ea1d-4c40-b455-47600eb9690d/overview
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/1ec3f1ae0b59152d86277d6ed5041cf39e5ddbfca31bddbcbe2ca33862e51252
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/891786
Signature
Detected VMProtect packer
Multi AV Scanner detection for submitted file
Sigma detected: Add file from suspicious location to autostart registry
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses dynamic DNS services
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 524259 Sample: H1MsAU2aiZ.msi Startdate: 18/11/2021 Architecture: WINDOWS Score: 72 51 youtube-ui.l.google.com 2->51 53 www.youtube-nocookie.com 2->53 55 10 other IPs or domains 2->55 71 Multi AV Scanner detection for submitted file 2->71 73 Sigma detected: Add file from suspicious location to autostart registry 2->73 75 Detected VMProtect packer 2->75 77 3 other signatures 2->77 10 msiexec.exe 3 13 2->10         started        13 msiexec.exe 3 2->13         started        signatures3 process4 file5 47 C:\Windows\Installer\MSIED77.tmp, PE32 10->47 dropped 49 C:\Windows\Installer\MSI1E44.tmp, PE32 10->49 dropped 15 msiexec.exe 4 35 10->15         started        process6 dnsIp7 67 daniman.duckdns.org 52.161.72.254, 49758, 80 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 15->67 69 192.168.2.1 unknown unknown 15->69 39 xi..cLb...Lavasoft.Assistant.exe (copy), PE32 15->39 dropped 41 C:\Users\user\AppData\Local\...\pidgin.dll, PE32 15->41 dropped 43 C:\Users\user\AppData\Local\...\libxml2-2.dll, PE32 15->43 dropped 45 26 other files (none is malicious) 15->45 dropped 19 cmd.exe 13 15->19         started        21 cmd.exe 1 15->21         started        23 xi  cLb  .Lavasoft.Assistant.exe 15->23         started        file8 process9 process10 25 chrome.exe 15 252 19->25         started        28 conhost.exe 19->28         started        30 reg.exe 1 1 21->30         started        32 conhost.exe 21->32         started        dnsIp11 63 192.168.2.4, 443, 49694, 49695 unknown unknown 25->63 65 239.255.255.250 unknown Reserved 25->65 34 chrome.exe 36 25->34         started        37 conhost.exe 30->37         started        process12 dnsIp13 57 googlehosted.l.googleusercontent.com 142.250.181.225, 443, 49907 GOOGLEUS United States 34->57 59 clients.l.google.com 142.250.181.238, 443, 49759, 49869 GOOGLEUS United States 34->59 61 30 other IPs or domains 34->61
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1ec3f1ae0b59152d86277d6ed5041cf39e5ddbfca31bddbcbe2ca33862e51252/
Threat name:
Win32.Downloader.SLoad
Create hunting rule
Status:
Malicious
First seen:
2021-11-18 08:54:04 UTC
AV detection:
7 of 44 (15.91%)
Threat level:
  3/5
Verdict:
malicious
Similar samples:
1273c78b4f196fc982cb1e9b7abe9d2b5c4f10c5486e7a891615bb273fef419d
2ace0be70434934b6e140f679a0c1551dd589abedfb1f6abeb5ceffaf0a1b9d9
35e4927ea02978e01bee3917c5c2c92d46308473bf3eaf4ef1d4d3c0eb0a0d4f
5940fd97a28d3ee232155231fe70af70be462aa144d0b625470fe46a01a3bd1b
6285cf98c96fdfa826a2d5e4de045bb84dfc7e05d21b561c54a5b63ad2c298e1
861f5a47b316a7668eedc2c5b7f7780406735223bd41a2a29f5df29331f7e51f
a5c940653c3b19cacd1378f2081feb377f2791257fbef36cd64df3a0b1b7d4b4
bacbcfb421611b561d70543f99b77f0d4218689bd66c8160221feba6abc4b58f
d313b7347a232a473d2a7877258ab8cd040e0c2919cb51f3d9f4b60aaefef387
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/211118-ktw89sfbc5/
Behaviour
Modifies Internet Explorer settings
Modifies registry class
Modifies registry key
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Adds Run key to start application
Enumerates connected drives
Checks computer location settings
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1ec3f1ae0b59152d86277d6ed5041cf39e5ddbfca31bddbcbe2ca33862e51252

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/207131/

Comments