MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2881e927ccaa147720f8cd55e757b9790cf43d5dd4e6c1b40076aad68adf8ddd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	2881e927ccaa147720f8cd55e757b9790cf43d5dd4e6c1b40076aad68adf8ddd
SHA3-384 hash:	f4671bd467f9b4668a222f802c3fadc30c254f54b147d778e1589f10258e2ea16757cd5584d8d029eb860c222831c6c7
SHA1 hash:	bf791986c838a6dc2448afe1d4bf2cb642855097
MD5 hash:	a640e9f4013882b009ee06055c24dd3c
humanhash:	illinois-december-three-avocado
File name:	NFTS.Iplace.Danfe04042022BRV2.msi
Download:	download sample
File size:	4'384'256 bytes
First seen:	2022-04-05 05:24:53 UTC
Last seen:	Never
File type:	msi
MIME type:	application/x-msi
ssdeep	49152:Zxmxk7agBwuSfpOSIXBTCwV+vFe1f/fTBKyFp1jT2B+7/VGYSnA:640gsvIfTB9Fpd7VGYCA
Threatray	60 similar samples on MalwareBazaar
TLSH	T17B166E23B289653ED0AB1A3A49379758993F7B7239268C9B5BF40C4C8F355403B3E647
Reporter	abuse_ch
Tags:	msi

Intelligence

File Origin

# of uploads :

# of downloads :

226

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/260795/

Detection(s):

PUA.Win.Packer.Exe-6

SecuriteInfo.com.RDMK.cmRtazpKxKzi0pVLtXUmAmezzdjf.17904.UNOFFICIAL

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe expand.exe remote.exe replace.exe update.exe

Link:

https://www.filescan.io/uploads/624bd2b4aa7e43c6a6ba6167/reports/3f6aaa3c-fc46-40ac-aabb-f0513279c103/overview

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/2881e927ccaa147720f8cd55e757b9790cf43d5dd4e6c1b40076aad68adf8ddd

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/970565

Signature

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2881e927ccaa147720f8cd55e757b9790cf43d5dd4e6c1b40076aad68adf8ddd/

Threat name:

Win32.Downloader.BanLoad

Status:

Malicious

First seen:

2022-04-04 16:27:28 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

12 of 42 (28.57%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fca6sj6mvikhoihyzvk6ov5zpegpipk52ttmdnaao2vnncw7rxoq._file

Verdict:

malicious

567b0a40989beda8bbd1c3caddfd2b05cf61ea297f3b38574bcd80aa16688bef

5aa9861dcb5890caaadd311b1eed80e2ae65bd0d46937cc3bdee4757da908fc6

891d54ababfd4644f67eb15242e762416104fcabb59c356dbd0fbb0b511c4c51

9d54914ae3ca258abbdbbd3d4f1f92b7b1c557394a2f94aca31e4b12de2150a9

a2e18e25d0cf1c5b3c6315b99e59766279b3be154fc420f8f8f11fb66d0cf7e4

c36ba30da09d58e21e68b31b5add9f6dd61b6783f630e5626f5cb45f34b9a46e

ce098e5045ee25cc93a219f3bbd1bcd3bcf949bcf09560ee898996c9753c0996

d909f32b25a8b087ef92e19337471af42b25c364510174e3a2e58bd3147b7f7e

e0c49d3b67bfe6ef62f596aa605ec73da7965babb6052ab21cf66135635d3b9f

+ 50 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

n/a

Link:

https://tria.ge/reports/220405-f4ae2ahhd2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Enumerates connected drives

Loads dropped DLL

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.25

Link:

https://yomi.yoroi.company/submissions/2881e927ccaa147720f8cd55e757b9790cf43d5dd4e6c1b40076aad68adf8ddd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	suspicious_msi_file Create hunting rule
Author:	Johnk3r
Description:	Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/260795/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample