MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d691141c98d6dca6555aaf9b555cbcebf907032ea4b63ecaff9b1622866372e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Grandoreiro


Vendor detections: 3


Intelligence 3 IOCs YARA 1 File information Comments 1

SHA256 hash: 2d691141c98d6dca6555aaf9b555cbcebf907032ea4b63ecaff9b1622866372e
SHA3-384 hash: adb56ab08c64a9c6d8bb8caec11ad31eb97f11d15ef5abd2125f8fb19baeb078e11e2d405e83d10e83009f2436244719
SHA1 hash: 13cc43596819e2b2b300c5b5a87ebdecee1243ed
MD5 hash: 56624e39a8c5514dd9175ed9d2d1c227
humanhash: winter-massachusetts-fifteen-spring
File name:id 0992343443.msi (1).zip
Download: download sample
Signature Grandoreiro
File size:514'812 bytes
First seen:2023-03-29 17:40:16 UTC
Last seen:Never
File type: zip
MIME type:application/zip
Note:This file is a password protected archive. The password is: infected
ssdeep 12288:1S5O59AI4HQlP1mWCoDFDhc6xVYQzR5mMxK7+D5DZ3:1S5e9yHQlP1mWFJDhcgYQzR5u+Dr
TLSH T1D5B42306D96B7C91B23053F9D84654E9859FF2E0D72C11ECCFB67B0BEA28719913E802
TrID 80.0% (.ZIP) ZIP compressed archive (4000/1)
20.0% (.PG/BIN) PrintFox/Pagefox bitmap (640x800) (1000/1)
Reporter Anonymous
Tags:BRA geo Grandoreiro zip

Intelligence


File Origin
# of uploads :
1
# of downloads :
126
Origin country :
US US
File Archive Information

This file archive contains 1 file(s), sorted by their relevance:

File name:id 0992343443.msi
File size:1'363'456 bytes
SHA256 hash: 1a93035ec26ca56b077e4fbd2a5451ad2aaca06d94e3949b9d188656b776416f
MD5 hash: 1de99122186e4d98aef5c3e3ff08d69b
MIME type:application/x-msi
Signature Grandoreiro
Vendor Threat Intelligence
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
83%
Tags:
shell32.dll
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Behaviour
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_msi_file
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link

Comments



Avatar
Michael commented on 2023-03-29 22:36:55 UTC

Under delivery method, can we be clear on whether the .zip was in an attachment, or reached via a bad link in the email, eg https://cld.pt/dl/download/d3e46ddb-cfef-4d0c-be14-3c95a5569ad1/Ntfisc.Online_TLLK_23022023C1702202324435452544555.zip?download=true, (That link is now 404) Trying to confirm it's the same run.. Sender style, <notafiscal2704523201967110@dseyasociados.com.mx>, Body tag "NFE Apple do Clientebilling"