MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f022086614603e14c352bfc6c3d5da150c5bac59613f1b2d5b72ee8905ba167. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Metamorfo


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2f022086614603e14c352bfc6c3d5da150c5bac59613f1b2d5b72ee8905ba167
SHA3-384 hash: 2a6c22a164e60a66f84c5ee6e844ff631f84263eb3189bcf5d3f2d5053f786143af599617e414c2aaaf6c43b57de2429
SHA1 hash: 27a9268eb2a3046a3fb2d65b5ab4ec4b310fbb61
MD5 hash: 83ac0d9a37ebf6e54934790466acf908
humanhash: foxtrot-alaska-connecticut-oven
File name:NOT110923.msi
Download: download sample
Signature Metamorfo
Create hunting rule
File size:541'184 bytes
First seen:2023-09-14 15:13:52 UTC
Last seen:2023-09-15 10:56:22 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 12288:fGk8sY5AITqp4nbIrKPzfGXSjptsrYI21wlD:fGk8sY5Azp4bIpXSjp2b
Threatray 282 similar samples on MalwareBazaar
TLSH T1BCB4E007B2D54B77E4D70372179B93628F72EC348762812B1299750E2EF16A4B7A33E1
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter abuse_ch
Tags:MetaMorfo msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
102
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/448669/
Detection(s):
SecuriteInfo.com.Trojan-Spy.Agent.22897.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
lolbin remote shell32
Link:
https://www.filescan.io/uploads/6503233ff880d6610caecbaf/reports/6aa87de7-fdb0-4112-853e-2a1d371379f7/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/2f022086614603e14c352bfc6c3d5da150c5bac59613f1b2d5b72ee8905ba167
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/2f022086614603e14c352bfc6c3d5da150c5bac59613f1b2d5b72ee8905ba167
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/1308054
Signature
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1308054 Sample: NOT110923.msi Startdate: 14/09/2023 Architecture: WINDOWS Score: 60 34 Multi AV Scanner detection for submitted file 2->34 36 Sigma detected: Drops script at startup location 2->36 7 cmd.exe 1 2->7         started        10 msiexec.exe 8 30 2->10         started        13 msiexec.exe 3 2->13         started        process3 file4 38 Uses cmd line tools excessively to alter registry or file data 7->38 15 cmd.exe 1 7->15         started        18 cmd.exe 1 7->18         started        20 conhost.exe 7->20         started        28 C:\Users\user\...\Application Signer.cmd, ASCII 10->28 dropped 30 C:\Windows\Installer\MSIF083.tmp, PE32 10->30 dropped 32 C:\Windows\Installer\MSIEFF5.tmp, PE32 10->32 dropped 22 msiexec.exe 1 12 10->22         started        signatures5 process6 signatures7 40 Uses cmd line tools excessively to alter registry or file data 15->40 24 reg.exe 1 15->24         started        26 reg.exe 1 1 18->26         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2f022086614603e14c352bfc6c3d5da150c5bac59613f1b2d5b72ee8905ba167/
Threat name:
Script-JS.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2023-09-14 13:29:46 UTC
File Type:
Binary (Archive)
Extracted files:
83
AV detection:
9 of 37 (24.32%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=f4bcbbtbiyb6ctbvfp6gypk5ufimlowfsyj7dmwvw4xorec3uftq._file
Verdict:
malicious
Similar samples:
2f9a2ca3d7c8f4ce0393399a7688650c71636418ed1f8edd8a68d6c93b2f2d53
Metamorfo
439fba17d37f5fb43487decfd1743712861fc0067d98ff4171d41ca5a267648a
Metamorfo
47e29bd164cb2f1eeee561aadf21b399a768dbb14a8d616ff2d1c4e77d1f7ce9
Metamorfo
62e2fa30b9309e21ce982103f6511d2b61b762e903312bdf8939863352a5fdd8
Metamorfo
83355a82abf8feb73cf733551b778e2465f165a73df95318a6c6f003a3e00d79
Metamorfo
dc4c16b06d4ec0156176b2ec6eeeaccfa6de98de3de33d9ea352a095bf79ce6d
Metamorfo
+ 272 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/230914-smbb8ach2y/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Enumerates connected drives
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2f022086614603e14c352bfc6c3d5da150c5bac59613f1b2d5b72ee8905ba167

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Disclosed_0day_POCs_payload_MSI
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects POC code from disclosed 0day hacktool set
Reference:Disclosed 0day Repos
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:metamorfo_msi
Create hunting rule
Author:jeFF0Falltrades
Description:This is a simple, albeit effective rule to detect most Metamorfo initial MSI payloads
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR
Rule name:win_unidentified_072_w0
Create hunting rule
Author:jeFF0Falltrades
Description:This is a simple, albeit effective rule to detect most Metamorfo initial MSI payloads

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Metamorfo

Microsoft Software Installer (MSI) msi 2f022086614603e14c352bfc6c3d5da150c5bac59613f1b2d5b72ee8905ba167

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/448669/

Comments