MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 28ee91abd2a0efefab3b2e95ffe2ffaecd7ca0cf2a5bc5bf56b6810ba32eafb4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 28ee91abd2a0efefab3b2e95ffe2ffaecd7ca0cf2a5bc5bf56b6810ba32eafb4
SHA3-384 hash: 2ddf7672b8baf5802f47c93c0f8b329908490b663ff32c13d0fad4949b3a14886c8e3b3ef0d0029329a1d3c5ecde8098
SHA1 hash: 7918560e24dd4de8cc5a09d85da610d89efd15a6
MD5 hash: 804a3a7aa4cd139788eab95510817fa7
humanhash: missouri-island-stream-yankee
File name:TF.msi
Download: download sample
File size:1'452'544 bytes
First seen:2022-03-09 09:14:27 UTC
Last seen:2022-03-09 10:46:21 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 24576:im1yyzQyz5io+HExGWUAyiqZfBqnGIQ5M6DLrVVdWXAN3IqMXSpS2SDTQuV+vJFj:im1rz5io+HGGWxyzVlrXVVdWXAN3I1X4
Threatray 88 similar samples on MalwareBazaar
TLSH T172659E1136D6C436D5BE01703E2ED76B156EBE200BB188EB63D81E2E1EB15C25632F67
Reporter pr0xylife
Tags:msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
166
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/248563/
Detection(s):
SecuriteInfo.com.Trojan.OLE2.Alien.gen.32339.671.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe expand.exe remote.exe shell32.dll
Link:
https://www.filescan.io/uploads/6228701c0cd58dbd926d77d4/reports/db48cb92-b71c-46f5-bd01-4691b41430b8/overview
Result
Verdict:
SUSPICIOUS
Link:
https://labs.inquest.net/dfi/sha256/28ee91abd2a0efefab3b2e95ffe2ffaecd7ca0cf2a5bc5bf56b6810ba32eafb4
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.spyw.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/953170
Signature
Connects to a pastebin service (likely for C&C)
Contains functionality to register a low level keyboard hook
Detected unpacking (creates a PE file in dynamic memory)
Drops executables to the windows directory (C:\Windows) and starts them
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 585651 Sample: TF.msi Startdate: 09/03/2022 Architecture: WINDOWS Score: 64 57 Detected unpacking (creates a PE file in dynamic memory) 2->57 59 Connects to a pastebin service (likely for C&C) 2->59 61 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->61 63 Contains functionality to register a low level keyboard hook 2->63 7 msiexec.exe 12 37 2->7         started        11 Cilica.exe 3 1 2->11         started        14 Cilica.exe 2->14         started        16 2 other processes 2->16 process3 dnsIp4 33 C:\Windows\Installer\MSI820.tmp, PE32 7->33 dropped 35 C:\Windows\Installer\MSIF5BE.tmp, PE32 7->35 dropped 37 C:\Windows\Installer\MSIE785.tmp, PE32 7->37 dropped 39 6 other files (none is malicious) 7->39 dropped 65 Drops executables to the windows directory (C:\Windows) and starts them 7->65 18 msiexec.exe 2 21 7->18         started        22 MSI820.tmp 7->22         started        51 www.google.com 172.217.18.100, 443, 49767, 49775 GOOGLEUS United States 11->51 53 pastebin.com 104.23.99.190, 443, 49768, 49779 CLOUDFLARENETUS United States 11->53 24 iexplore.exe 2 49 11->24         started        55 104.23.98.190, 443, 49776 CLOUDFLARENETUS United States 14->55 file5 signatures6 process7 dnsIp8 41 stomsnew.b-cdn.net 89.187.165.193, 443, 49766 CDN77GB Czech Republic 18->41 29 C:\Users\user\AppData\Roaming\...\Cilica.exe, PE32 18->29 dropped 31 C:\Users\user\AppData\Roaming\...\DBGENG.dll, PE32 18->31 dropped 43 bit.ly 24->43 26 iexplore.exe 1 32 24->26         started        file9 process10 dnsIp11 45 bit.ly 67.199.248.10, 443, 49771, 49772 GOOGLE-PRIVATE-CLOUDUS United States 26->45 47 prod.pinterest.global.map.fastly.net 151.101.0.84, 443, 49773, 49774 FASTLYUS United States 26->47 49 3 other IPs or domains 26->49
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/28ee91abd2a0efefab3b2e95ffe2ffaecd7ca0cf2a5bc5bf56b6810ba32eafb4/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-03-09 04:28:10 UTC
File Type:
Binary (Archive)
Extracted files:
55
AV detection:
6 of 42 (14.29%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
21b86d066be79ef02c1e00c3be9bf22c4087d4122569543d2c8854ccb8a9b129
2543ac05144ac1ec1bb2343b08d145c56b8603d5e00d30170d4fc57b15f1f7ce
30afc413ee7f9e665191e954a8eb44d38b6a09737ad6ae05c2d25a89251ea6cb
3529493db869e38f4cc8d85f0b5e3964abb6b9aa9e053b6884b47ff610551239
368a995009f0a3324ed392ed8411bd64c41d091fb22ef20170f9c9fd50ee8c8a
555e46f781c185be727d34be3664c708f7f0c5334195c542894b11187551fb0a
8eb328c62600f7bfc8927f17edbebe5f2d556b305d1c872c155c468f67788ca5
9785703d9291d9947e6a79e831cf475afc26577d0b365685c4ab8b3c5f246d6c
c5d5bd4d5b66de5559e4ebb98251b74b49baa08a50cfc8f69b2c9005fcc861a4
df2853a1bc08e8f9ee97a33a001e84597e85d5834c540d846dce4d4f8183bddd
+ 78 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220309-k7xf7afhg5/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Enumerates connected drives
Loads dropped DLL
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/28ee91abd2a0efefab3b2e95ffe2ffaecd7ca0cf2a5bc5bf56b6810ba32eafb4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR
Rule name:win_blacksoul_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.blacksoul.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/248563/

Comments