MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32c691936fd1d4e5829866f1a5e84ee1f91abdf0eeb09638ed9b8b44a5dc7980. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 32c691936fd1d4e5829866f1a5e84ee1f91abdf0eeb09638ed9b8b44a5dc7980
SHA3-384 hash: 0307b8e8da8af8aa5252cef9524f9facc32050e64b8d624c1a48da9f6d228c241bc0f2c81560e56f5974160ad5243088
SHA1 hash: c46c674465c3a0e68710b7932a63cdd87cb32e7d
MD5 hash: 6a4b83674db39468c27616888fc10cab
humanhash: lima-kansas-hot-echo
File name:SecuriteInfo.com.Trojan.Siggen21.1874.13361.18609
Download: download sample
File size:46'179'328 bytes
First seen:2024-04-11 00:23:01 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 786432:x5Y4ntUOJwPxk7Q8cMr5LHBNI2SFDLXhWs6yWN+vV4hJei6Y99wDnvkFJtrSI:vY4tUtxV8cM9BN1SF916xN+q56YwDvkM
Threatray 162 similar samples on MalwareBazaar
TLSH T198A73330BCD34621CB4D0EFA9552EB4BD96B6D2C072011AB65D631682FB18FCD2B65CE
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter SecuriteInfoCom
Tags:msi signed

Code Signing Certificate

Organisation:DRail Software
Issuer:Sectigo Public Code Signing CA R36
Algorithm:sha384WithRSAEncryption
Valid from:2021-11-08T00:00:00Z
Valid to:2024-12-04T23:59:59Z
Serial number: 7af80d0a64df8f14c1a2782f921e3642
Thumbprint Algorithm:SHA256
Thumbprint: 228f205df7297d9ed7884d64d583b2bf4777455e39cfe7bf0dff77d042a34825
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
73
Origin country :
FR FR
Vendor Threat Intelligence
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
CAB crypto expand fingerprint installer keylogger lolbin packed remote shell32
Link:
https://www.filescan.io/uploads/66172d6d6e53ce7981ec0740/reports/b5159085-455e-4a76-9ba6-9ff650dc625b/overview
Verdict:
Suspicious
Link:
https://www.hybrid-analysis.com/sample/32c691936fd1d4e5829866f1a5e84ee1f91abdf0eeb09638ed9b8b44a5dc7980
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/32c691936fd1d4e5829866f1a5e84ee1f91abdf0eeb09638ed9b8b44a5dc7980
Result
Threat name:
n/a
Detection:
suspicious
Classification:
evad
Score:
24 / 100
Link:
https://www.joesandbox.com/analysis/1424247
Signature
Contains functionality to detect sleep reduction / modifications
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1424247 Sample: SecuriteInfo.com.Trojan.Sig... Startdate: 11/04/2024 Architecture: WINDOWS Score: 24 50 www.anyrail.com 2->50 54 Tries to detect virtualization through RDTSC time measurements 2->54 56 Contains functionality to detect sleep reduction / modifications 2->56 8 msiexec.exe 127 66 2->8         started        11 AnyRail6.exe 3 4 2->11         started        13 msiexec.exe 14 2->13         started        signatures3 process4 file5 34 C:\Program Files (x86)\...\ARupdater.exe, PE32 8->34 dropped 36 C:\Windows\Installer\MSI5F54.tmp, PE32 8->36 dropped 38 C:\Windows\Installer\MSI4A43.tmp, PE32 8->38 dropped 46 7 other files (none is malicious) 8->46 dropped 15 msiexec.exe 8->15         started        17 msiexec.exe 8->17         started        19 msiexec.exe 8->19         started        21 ARupdater.exe 4 16 11->21         started        25 splwow64.exe 1 11->25         started        27 splwow64.exe 11->27         started        40 C:\Users\user\AppData\Local\Temp\MSI82A.tmp, PE32 13->40 dropped 42 C:\Users\user\AppData\Local\...\MSI6A80.tmp, PE32 13->42 dropped 44 C:\Users\user\AppData\Local\Temp\MSI693.tmp, PE32 13->44 dropped 48 6 other files (none is malicious) 13->48 dropped process6 dnsIp7 52 www.anyrail.com 141.138.168.128, 443, 49715, 49717 ANTAGONIST-ASNL Netherlands 21->52 32 C:\Users\user\AppData\Local\...\ARupdater.exe, PE32 21->32 dropped 29 ARupdater.exe 21->29         started        file8 process9 signatures10 58 Contains functionality to detect sleep reduction / modifications 29->58
Score:
54%
Verdict:
Susipicious
File Type:
ARCHIVE
Link:
https://malprob.io/report/32c691936fd1d4e5829866f1a5e84ee1f91abdf0eeb09638ed9b8b44a5dc7980
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gldjde3p2hkolauym3y2l2co4h4rvppq52yjmohntofujjo4pgaa._file
Verdict:
unknown
Similar samples:
2b12b31c57f35f67b1474aee1e15394b68e45d011498b8fe5693326ca2006784
3fae6ed302ceffd96d4b2d6e64a2e80253ea21b729e81bea8095c4ad4d4d4227
70492103fe59217c37a64ab3bbf7d53498822d6b167f8fe1c5dbcd250a115f51
858747c6d0f322c687f3f59b246f99e52a82d4ccf5377037b40c5014f2c41dfc
8d441460c0ead100fb238baf71938be06acad7686fc13ed817b56bf28e62d348
8e84ca61bdf321648cf32a3136959d068e3b411a47a3994700a77c5d93febf23
f1291b0abd43016291d6d3f9521ceca4eab04ba5b5cf9085f1eb1e02040759a1
+ 152 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/240411-aphvzafc73/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Loads dropped DLL
Blocklisted process makes network request
Enumerates connected drives
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/32c691936fd1d4e5829866f1a5e84ee1f91abdf0eeb09638ed9b8b44a5dc7980

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_LATAM_MSI_Banker
Create hunting rule
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_indirect_function_call_3
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments