MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 276fe35ed289cc299cca3a511c089d5d9994bb21c26818946b9ae2a0e7f6f584. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 3


Intelligence 3 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 276fe35ed289cc299cca3a511c089d5d9994bb21c26818946b9ae2a0e7f6f584
SHA3-384 hash: c76f2ea2987155c340cda72b20cd298cb597fbee4fac814208f0614dd4aab200bb59b260c18b8d4ad19c1a0f58a355f6
SHA1 hash: 3ac57366fb0414fa801225850c56d476737929e1
MD5 hash: 15310593f9ea005fddbabe651f46e89b
humanhash: football-utah-pluto-stairway
File name:EV8-08266.msi
Download: download sample
File size:4'529'152 bytes
First seen:2021-07-20 17:52:25 UTC
Last seen:2021-07-20 18:35:24 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:vDe3ovdm2BjYEADVW+0ruCzpzpGy2zWMp:vbuVzNCz1ILWM
Threatray 73 similar samples on MalwareBazaar
TLSH T11C26021176D6C536D5BE05703A6ED76B107EBD200BB188EB23D81A2E1EB18C25732F67
Reporter Anonymous
Tags:msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172876/
Detection(s):
PUA.Win.Adware.Dealply-6619266-0
Create hunting rule

MiscreantPunch.SingleXOR.EXE.251.UNOFFICIAL
Create hunting rule

MiscreantPunch.EvilMacro.PowerShellEnc.1.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/276fe35ed289cc299cca3a511c089d5d9994bb21c26818946b9ae2a0e7f6f584
Details
Base64 Encoded Powershell Directives
Detected one or more base64 encoded Powershell directives.
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/819138
Signature
Encrypted powershell cmdline option found
High number of junk calls founds (likely related to sandbox DOS / API hammering)
Machine Learning detection for dropped file
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 451546 Sample: EV8-08266.msi Startdate: 20/07/2021 Architecture: WINDOWS Score: 52 21 Machine Learning detection for dropped file 2->21 23 Encrypted powershell cmdline option found 2->23 25 High number of junk calls founds (likely related to sandbox DOS / API hammering) 2->25 6 msiexec.exe 1 2->6         started        9 powershell.exe 13 2->9         started        11 System Services.exe 1 2->11         started        13 2 other processes 2->13 process3 file4 19 C:\Users\user\...\System Services.exe, PE32 6->19 dropped 15 conhost.exe 9->15         started        17 conhost.exe 11->17         started        process5
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/276fe35ed289cc299cca3a511c089d5d9994bb21c26818946b9ae2a0e7f6f584/
Verdict:
suspicious
Similar samples:
13241421d86807055664ccd771acbcffd378d52fbeb1a35b3106e4c2c5cc443a
21b86d066be79ef02c1e00c3be9bf22c4087d4122569543d2c8854ccb8a9b129
27037adba1bbede3fb44bcc190a33134b020a8ebb48f39a16790c0c358ca94e5
533e5aced548178da1ba313246e0335fc73d228135ab56f40a1b4bc72fc0a134
766813a2d32e70dd895aa89f769d1db2e6acbb4107b3712775902da1ca6eff53
8cb6d0ac34d090ebf86cc3b0fb51dc57b89b2429627dd15170b29ee29d02ad08
9e2a79f4a93a4f337997bf6f5826dadfa703ee52cafd9303c926abb7024ce590
a00f40db9ba7257068bb17d72e399d6a6651c2d459dbe026537131ff9baef6eb
ca8eb4d83e1827e0fd86c260a60b1a9bb24876e15e1e0c55755d32314f308f4a
e9200c8a5ccb0bca2e40d3f618b056a552fbd7247396904a0d8ea70164fee886
+ 63 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence
Link:
https://tria.ge/reports/210720-kqwf54q31x/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Adds Run key to start application
Enumerates connected drives
Drops startup file
Loads dropped DLL
Drops file in Drivers directory
Executes dropped EXE
Suspicious use of NtCreateUserProcessOtherParentProcess
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.25
Link:
https://yomi.yoroi.company/submissions/276fe35ed289cc299cca3a511c089d5d9994bb21c26818946b9ae2a0e7f6f584

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/172876/

Comments