MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e0f093aec2db43730e2b9e50e0156b7f69f9f30f7b744927ed95efa7f84ec2a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2e0f093aec2db43730e2b9e50e0156b7f69f9f30f7b744927ed95efa7f84ec2a
SHA3-384 hash: dabda6476817f10f0fa0a30ba49c3ef3acefd317fa268a87e26444d335a44fdee0b8c635dc77ae4495b3ff695d81f642
SHA1 hash: 1df3d05c9847f7efc3dad5b8d31c48cff0ee69e2
MD5 hash: 0a4f0faa78975c74260efbd859ac6282
humanhash: friend-hydrogen-friend-emma
File name:FromEnergyBadx64.msi
Download: download sample
File size:2'596'864 bytes
First seen:2023-08-21 07:59:58 UTC
Last seen:2023-08-21 11:43:17 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:qVcMDa1y97n0d33BL8oeQjq6owuLpvKjjIcc5xPlBb7/nSej8ARI43AHsHoQD2w:Eckaod0dBL8Gq6owJIjbI43hR
TLSH T119C51206FAE45137E66762341E204661836EAD740B3581F9FE1C76A99FB0E40CEBB713
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter JAMESWT_WT
Tags:83-217-9-18 msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
79
Origin country :
IT IT
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/443920/
Detection(s):
SecuriteInfo.com.Trojan.Loader.777.24302.31789.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Malicious
Labled as:
TR/Loader.ttggl
Link:
https://www.hybrid-analysis.com/sample/2e0f093aec2db43730e2b9e50e0156b7f69f9f30f7b744927ed95efa7f84ec2a
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/2e0f093aec2db43730e2b9e50e0156b7f69f9f30f7b744927ed95efa7f84ec2a
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/1294363
Signature
Contains functionality to modify clipboard data
Found evasive API chain checking for user administrative privileges
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1294363 Sample: FromEnergyBadx64.msi Startdate: 21/08/2023 Architecture: WINDOWS Score: 64 86 Multi AV Scanner detection for submitted file 2->86 88 Contains functionality to modify clipboard data 2->88 90 Found evasive API chain checking for user administrative privileges 2->90 8 msiexec.exe 81 43 2->8         started        11 msiexec.exe 4 2->11         started        process3 file4 54 C:\Users\user\AppData\...\ChromeSetup.exe, PE32 8->54 dropped 56 C:\Windows\Installer\MSID1C.tmp, PE32 8->56 dropped 58 C:\Windows\Installer\MSI637D.tmp, PE32 8->58 dropped 62 2 other files (none is malicious) 8->62 dropped 13 ChromeSetup.exe 74 8->13         started        17 msiexec.exe 8->17         started        19 msiexec.exe 11 8->19         started        60 C:\Users\user\AppData\...\WixSharp.UI.CA.dll, PE32 11->60 dropped process5 file6 64 C:\Program Files (x86)\...\psuser_64.dll, PE32+ 13->64 dropped 66 C:\Program Files (x86)behaviorgraphoogle\...\psuser.dll, PE32 13->66 dropped 68 C:\Program Files (x86)\...\psmachine_64.dll, PE32+ 13->68 dropped 76 65 other files (none is malicious) 13->76 dropped 92 Found evasive API chain checking for user administrative privileges 13->92 21 GoogleUpdate.exe 5 72 13->21         started        24 rundll32.exe 8 17->24         started        26 rundll32.exe 7 17->26         started        28 rundll32.exe 8 17->28         started        30 rundll32.exe 7 17->30         started        70 C:\Users\user\AppData\Local\...\WixSharp.dll, PE32 19->70 dropped 72 C:\Users\user\AppData\...\WixSharp.UI.dll, PE32 19->72 dropped 74 Microsoft.Deployme...indowsInstaller.dll, PE32 19->74 dropped 78 2 other files (none is malicious) 19->78 dropped signatures7 process8 file9 46 69 other files (none is malicious) 21->46 dropped 48 4 other files (none is malicious) 24->48 dropped 32 wscript.exe 3 24->32         started        50 4 other files (none is malicious) 26->50 dropped 36 C:\Windows\Installer\...\WixSharp.dll, PE32 28->36 dropped 38 C:\Windows\Installer\...\WixSharp.UI.dll, PE32 28->38 dropped 40 Microsoft.Deployme...indowsInstaller.dll, PE32 28->40 dropped 42 C:\Windows\Installer\...\MSIBuilder.exe, PE32 28->42 dropped 44 C:\Windows\Installer\...\WixSharp.dll, PE32 30->44 dropped 52 3 other files (none is malicious) 30->52 dropped process10 dnsIp11 80 45.159.249.119, 443, 49753, 49754 VMAGE-ASRU Russian Federation 32->80 82 45.150.108.200, 443, 49756, 49757 SELECTELRU Russian Federation 32->82 84 System process connects to network (likely due to code injection or exploit) 32->84 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2e0f093aec2db43730e2b9e50e0156b7f69f9f30f7b744927ed95efa7f84ec2a/
Threat name:
Win32.Trojan.Netloader
Create hunting rule
Status:
Malicious
First seen:
2023-08-11 14:24:26 UTC
File Type:
Binary (Archive)
Extracted files:
102
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=fyhqsoxmfw2domhcxhsq4akww73j7hzq663ujet63fppu74e5qva._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence spyware stealer
Link:
https://tria.ge/reports/230821-jvzkcabf56/
Behaviour
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Registers COM server for autorun
Blocklisted process makes network request
Downloads MZ/PE file
Modifies Installed Components in the registry
Sets file execution options in registry
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Create hunting rule
Author:malware-lu

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Microsoft Software Installer (MSI) msi 2e0f093aec2db43730e2b9e50e0156b7f69f9f30f7b744927ed95efa7f84ec2a

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/443920/
  
URLhaus
https://urlhaus.abuse.ch/url/2705868/
  
Delivery method
Distributed via web download

Comments