MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d66d454da7c8ebd868f48da12db6c073c058e9f86c4f0e5529c0358faec9c72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Magniber


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2d66d454da7c8ebd868f48da12db6c073c058e9f86c4f0e5529c0358faec9c72
SHA3-384 hash: 37d3782833c1a9b29b25029a77680a01c74783fd437c3aa1c96ecfb4a88caac5a5a7ae9927a753886b4ba390f9664a5d
SHA1 hash: f21cf2679aa8ffebf5112e9564516d94b2bd224a
MD5 hash: 67746327877c56ce8789a3bc6e608ccb
humanhash: hot-echo-magazine-july
File name:F21CF2679AA8FFEBF5112E9564516D94B2BD224A.msi
Download: download sample
Signature Magniber
Create hunting rule
File size:11'206'656 bytes
First seen:2022-06-01 13:17:00 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 1536:ARGCGMD6kQzw62dNfW0p2TZ+aLZ/NBzudDYMUZ1KWDs0DY7JL:thY2wbdNfW0p2V31/qdDWZIHd
Threatray 25 similar samples on MalwareBazaar
TLSH T1F4B68100BC2EE6DBDA07A7BA54D44AD37E559CDCA370A41B23743BC4E7366E111E6E02
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter obfusor
Tags:Magniber msi Ransomware

Intelligence

File Origin
# of uploads :
1
# of downloads :
397
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/276087/
Detection(s):
SecuriteInfo.com.Trojan.Win64.Magni.jc.14784.13221.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/2d66d454da7c8ebd868f48da12db6c073c058e9f86c4f0e5529c0358faec9c72
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/1005069
Signature
Creates a thread in another existing process (thread injection)
Deletes shadow drive data (may be related to ransomware)
Hijacks the control flow in another process
Injects code into the Windows Explorer (explorer.exe)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 637643 Sample: eD4BCD0N3A.msi Startdate: 01/06/2022 Architecture: WINDOWS Score: 80 82 Multi AV Scanner detection for dropped file 2->82 84 Multi AV Scanner detection for submitted file 2->84 86 Deletes shadow drive data (may be related to ransomware) 2->86 10 msiexec.exe 71 29 2->10         started        13 msiexec.exe 3 2->13         started        process3 file4 74 C:\Windows\Installer\MSI5587.tmp, PE32+ 10->74 dropped 15 msiexec.exe 10->15         started        process5 signatures6 90 Hijacks the control flow in another process 15->90 92 Injects code into the Windows Explorer (explorer.exe) 15->92 94 Writes to foreign memory regions 15->94 96 Creates a thread in another existing process (thread injection) 15->96 18 sihost.exe 4 15->18 injected 22 svchost.exe 2 15->22 injected 24 svchost.exe 15->24 injected 27 3 other processes 15->27 process7 dnsIp8 68 C:\Users\user\Desktop\PALRGUCVEH.docx, data 18->68 dropped 70 C:\Users\user\Desktop\...\DUUDTUBZFW.docx, data 18->70 dropped 72 C:\Users\user\Desktop\DUUDTUBZFW.docx, data 18->72 dropped 88 Modifies existing user documents (likely ransomware behavior) 18->88 29 cmd.exe 2 22->29         started        31 cmd.exe 22->31         started        33 svchost.exe 1 1 22->33         started        36 regsvr32.exe 2 22->36         started        80 23.203.67.116, 443, 49689 AKAMAI-ASUS United States 24->80 38 cmd.exe 24->38         started        40 cmd.exe 24->40         started        42 regsvr32.exe 24->42         started        44 cmd.exe 27->44         started        46 2 other processes 27->46 file9 signatures10 process11 dnsIp12 48 fodhelper.exe 12 29->48         started        50 conhost.exe 29->50         started        58 2 other processes 29->58 52 conhost.exe 31->52         started        60 3 other processes 31->60 76 127.0.0.1 unknown unknown 33->76 54 conhost.exe 38->54         started        62 3 other processes 38->62 64 3 other processes 40->64 56 conhost.exe 44->56         started        78 192.168.2.1 unknown unknown 46->78 process13 process14 66 regsvr32.exe 48->66         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2d66d454da7c8ebd868f48da12db6c073c058e9f86c4f0e5529c0358faec9c72/
Threat name:
Win64.Ransomware.Magni
Create hunting rule
Status:
Malicious
First seen:
2022-06-01 11:36:44 UTC
File Type:
Binary (Archive)
Extracted files:
27
AV detection:
14 of 41 (34.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fvtnivg2pshl3bupjdnbfw3ma46aldu7q3cpbzkstqbvr6xmtrza._file
Verdict:
malicious
Label(s):
ryuk
Create hunting rule
Similar samples:
33211a8202f4ad33f01cd90c6b1f51068a84ace5dd85a891efe5e6c210b0e7ef
Magniber
724b3381d26ed8a633bbe8a2483fbe5a4dd1b66b04a2d84bbbb6179f4dac8146
Magniber
9180fe1ea22b07841146ba483d454faf092c8cd9fed14222a08b7392cda2e7be
Magniber
c902ed13403c55e1c2dfb99ba7d8a878ac18e77712d68230e2b4cb4e15d85741
Magniber
d1d4e29f5fca0c97cd89a4b5134d298bf2829cea92e5d116084b83d980d2c6e0
Magniber
e0078d521cd66b4c5523dc73ae4e017c48fbb3de41422791a9f1db3ba1d9d07b
Magniber
e92dbe9e5f710da92e7aabffd68498168cd81a5b3145947015fd39e557545e32
Magniber
ebc429b949a17ab23f910e245a9797ecef53f823ebf130089b5fd2c115ea1d6d
Magniber
fb38ca9105614973ddaabc6ce76068be002a4b69a9f801e2cc5b962f84ffab7b
Magniber
+ 15 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220601-qje5wsghd2/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Enumerates connected drives
Loads dropped DLL
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/2d66d454da7c/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.25
Link:
https://yomi.yoroi.company/submissions/2d66d454da7c8ebd868f48da12db6c073c058e9f86c4f0e5529c0358faec9c72

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/276087/

Comments