MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26c292393f98afb47d82d4fed01773c8a22852ec75c994d42f4d05168985249e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 26c292393f98afb47d82d4fed01773c8a22852ec75c994d42f4d05168985249e
SHA3-384 hash: 7f5172cdf91c3df515b21417dda796ac895b409248bcbee9424031afac42ee8973e374cc2e4581b764bf564eff1a3b6e
SHA1 hash: f82b702ff772c471a70b49ea36d3c253a216f49c
MD5 hash: d71c2a21f80533fbdefb092982bdf0ff
humanhash: whiskey-oven-six-sink
File name:SFILEMBDOWN_D2zAJuzTqcTMUUGJaN802V5EQErviowPq558®xrlsk.msi
Download: download sample
File size:1'375'744 bytes
First seen:2023-07-09 13:11:17 UTC
Last seen:2023-07-09 16:31:35 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 24576:L3rx/NnYlVcW7LIJ1MXCOJ05YbswFbE2d7xLZrudqA:L3PnYAqbCOJ05Yb59lzLZrudqA
Threatray 4 similar samples on MalwareBazaar
TLSH T1CC559E3133C6C633C9AE01B01A2ADB5B51A9FDA20B3594CBA3D86D2F9DB44C19635F53
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter FXOLabs
Tags:msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
83
Origin country :
BR BR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/412821/
Detection(s):
SecuriteInfo.com.Other.Malware-gen.12659.996.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/26c292393f98afb47d82d4fed01773c8a22852ec75c994d42f4d05168985249e
Result
Verdict:
SUSPICIOUS
Link:
https://labs.inquest.net/dfi/sha256/26c292393f98afb47d82d4fed01773c8a22852ec75c994d42f4d05168985249e
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1270772
Signature
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Contain functionality to detect virtual machines
Drops executables to the windows directory (C:\Windows) and starts them
Hides threads from debuggers
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Powershell drops PE file
Query firmware table information (likely to detect VMs)
Suspicious powershell command line found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses shutdown.exe to shutdown or reboot the system
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1270772 Sample: SFILEMBDOWN_D2zAJuzTqcTMUUG... Startdate: 11/07/2023 Architecture: WINDOWS Score: 100 61 Antivirus detection for dropped file 2->61 63 Multi AV Scanner detection for dropped file 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 5 other signatures 2->67 7 cmd.exe 1 2->7         started        10 msiexec.exe 13 34 2->10         started        13 MsSpellCheckingFacility5507  .exe 1 6 2->13         started        16 2 other processes 2->16 process3 dnsIp4 73 Suspicious powershell command line found 7->73 75 Bypasses PowerShell execution policy 7->75 18 powershell.exe 26 28 7->18         started        23 conhost.exe 7->23         started        25 cmd.exe 1 7->25         started        49 C:\Windows\Installer\MSI200B.tmp, PE32 10->49 dropped 51 C:\Windows\Installer\MSI1E71.tmp, PE32 10->51 dropped 53 C:\Windows\Installer\MSI1E41.tmp, PE32 10->53 dropped 55 2 other malicious files 10->55 dropped 77 Drops executables to the windows directory (C:\Windows) and starts them 10->77 27 msiexec.exe 10->27         started        29 MSI200B.tmp 10->29         started        59 starlike.reiclagemltda.com 142.93.100.140, 443, 49687 DIGITALOCEAN-ASNUS United States 13->59 79 Query firmware table information (likely to detect VMs) 13->79 81 Hides threads from debuggers 13->81 83 Tries to detect sandboxes / dynamic malware analysis system (registry check) 13->83 31 explorer.exe 13->31 injected 33 tliUwwvmOwNxPFs.exe 13->33 injected 35 tliUwwvmOwNxPFs.exe 13->35 injected 37 20 other processes 13->37 file5 signatures6 process7 dnsIp8 57 renderizepro.gtsoma.com 173.82.240.229, 443, 49685, 49686 MULTA-ASN1US United States 18->57 41 C:\Users\user\...\Thunderbo.dll (copy), PE32 18->41 dropped 43 MsSpellCheckingFacility5507...exe (copy), PE32 18->43 dropped 45 C:\Users\user\AppData\Roaming\...\03, PE32 18->45 dropped 47 C:\Users\user\AppData\Roaming\...\01, PE32 18->47 dropped 69 Uses shutdown.exe to shutdown or reboot the system 18->69 71 Powershell drops PE file 18->71 39 shutdown.exe 1 18->39         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/26c292393f98afb47d82d4fed01773c8a22852ec75c994d42f4d05168985249e/
Threat name:
Script-BAT.Trojan.Batfuscator
Create hunting rule
Status:
Malicious
First seen:
2023-07-09 07:16:22 UTC
File Type:
Binary (Archive)
Extracted files:
79
AV detection:
12 of 37 (32.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e3bjeoj7tcx3i7mc2t7naf3tzcrcquxmoxezjvbpjucrncmfespa._file
Verdict:
unknown
Similar samples:
7166dcc58ddaaa984ca15df83285a659443502c608c2290f3b4578b407e87d22
77b07db364c5c3c48d3078785b9fe9a6f3e6b7fcb0fa7212b9b8b1ecc0a229b1
8a5a24a29f6dd98600724e6e19abf0ee2be65260233fabdcf35a01c61b981f11
ac8ba32c27d3dc8fa0eef48f3d3de5032df74dd476cf0669f92fecd617c4e10d
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/230709-qfg53sdg4v/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Drops file in Windows directory
Adds Run key to start application
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/26c292393f98afb47d82d4fed01773c8a22852ec75c994d42f4d05168985249e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Microsoft Software Installer (MSI) msi 26c292393f98afb47d82d4fed01773c8a22852ec75c994d42f4d05168985249e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/412821/

Comments