MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2bf8e8b1a981f85a4c8db03dca2f87413584c628e7dd012e2538c44a7fe8b423. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2bf8e8b1a981f85a4c8db03dca2f87413584c628e7dd012e2538c44a7fe8b423
SHA3-384 hash: a0496440ede56e117ac5d363ac41591e65a6a50716af9f5280a7f5351fd716255c0b38323bc2f45b1544f47bc6c04c8d
SHA1 hash: 0b0c4e0bb58f08a6b2d03de9c29d02189bc61849
MD5 hash: 857f587c86836d69e11057dae22c793e
humanhash: ack-kansas-florida-moon
File name:NotaFiscal.msi
Download: download sample
File size:559'104 bytes
First seen:2022-09-11 14:11:23 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 6144:6U3xdcYnYrDow+ZsrLg3bmfKlGzIqSqYf+SAOfVKE/M5TiyXfA7APNa:6UBSYYowv43bqKlRHJVa9iyXfA7UN
Threatray 175 similar samples on MalwareBazaar
TLSH T124C49E2172DACA37C57E06B0261EC79756697D644BF2C4EB13C86E1E1DB39C05232EE2
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter abuse_ch
Tags:msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
264
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/309321/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.61969899.2337.11610.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
shell32.dll
Link:
https://www.filescan.io/uploads/631decbf1d4a849311e5b7af/reports/b51d6dfa-5937-4fe9-8405-90f0ac069271/overview
Result
Verdict:
SUSPICIOUS
Link:
https://labs.inquest.net/dfi/sha256/2bf8e8b1a981f85a4c8db03dca2f87413584c628e7dd012e2538c44a7fe8b423
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1068478
Signature
Hides threads from debuggers
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 701010 Sample: NotaFiscal.msi Startdate: 11/09/2022 Architecture: WINDOWS Score: 96 47 Snort IDS alert for network traffic 2->47 49 Multi AV Scanner detection for dropped file 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 2 other signatures 2->53 7 msiexec.exe 83 34 2->7         started        10 O2y0iwow5L3dgtLophd2.exe 2->10         started        13 O2y0iwow5L3dgtLophd2.exe 2->13         started        15 msiexec.exe 2 2->15         started        process3 file4 33 C:\Windows\Installer\MSIAC50.tmp, PE32 7->33 dropped 35 C:\Windows\Installer\MSIAAE8.tmp, PE32 7->35 dropped 37 C:\Windows\Installer\MSIA9BE.tmp, PE32 7->37 dropped 39 C:\Windows\Installer\MSIA4DB.tmp, PE32 7->39 dropped 17 msiexec.exe 3 21 7->17         started        63 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 10->63 65 Query firmware table information (likely to detect VMs) 10->65 67 Hides threads from debuggers 10->67 signatures5 process6 dnsIp7 41 www.featherlitefurniture.com 45.118.134.118, 443, 49708, 49709 LINODE-APLinodeLLCUS Japan 17->41 25 C:\Users\Public\...\O2y0iwow5L3dgtLophd2.exe, PE32 17->25 dropped 27 C:\Users\user\AppData\Local\...\aspack[1].dll, PE32 17->27 dropped 29 C:\Users\user\AppData\...\MxStart[1].exe, PE32 17->29 dropped 31 3 other files (none is malicious) 17->31 dropped 21 O2y0iwow5L3dgtLophd2.exe 2 3 17->21         started        file8 process9 dnsIp10 43 ip-api.com 208.95.112.1, 49719, 80 TUT-ASUS United States 21->43 45 f0717271.xsph.ru 141.8.192.151, 49720, 80 SPRINTHOSTRU Russian Federation 21->45 55 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 21->55 57 Query firmware table information (likely to detect VMs) 21->57 59 May check the online IP address of the machine 21->59 61 3 other signatures 21->61 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2bf8e8b1a981f85a4c8db03dca2f87413584c628e7dd012e2538c44a7fe8b423/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-09-10 01:29:49 UTC
File Type:
Binary (Archive)
Extracted files:
49
AV detection:
7 of 40 (17.50%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fp4ormnjqh4futenwa64ul4hie2yjrri47oqclrfhdceu77iwqrq._file
Verdict:
malicious
Similar samples:
27ec567e09d46bc9cf86e4ba699c893832403a698e414ced8b9af680c67cec2f
333daa7da050f7c0c38d56bf0b42e1b2702715cb87fa462457ce4d89b340d0fe
348a583651121ae324dc81391d1645e001b52e7433c0d2cbc9ef04f32d116b69
5776a39f94a0e774c8c269b7ff19a977af24a0770ff72615b1972f2150e6e49f
67d94aebea173f8c5bb4bed42f50897e4eb917ea3e180d0fa0aab811c932dc7a
980336b0ef128cf15b9a8e2e6c1a1d2218d7f12a62c34eb1aeafac47644fcdf0
c49dddadfb953435eb767641e18084eaed9d2784e0c7eaf8c9234bd48ad97366
c7acc959e7dab12dd53aebb53fd10e05f0e201f0b348bed7bc5136a1463ca7ff
d95edec180d7c2ea69585c2e2fe6f7d30421fe0974b38afdc88a4ba756514cd6
fa91996407e821400f962f248c576cacc2163f61fa12b1f21d4ad6fede3a010e
+ 165 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/220911-rht34afeap/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Enumerates connected drives
Looks up external IP address via web service
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2bf8e8b1a981/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2bf8e8b1a981f85a4c8db03dca2f87413584c628e7dd012e2538c44a7fe8b423

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/309321/

Comments