MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32fb5900faa65295965b7b286de22a46eff4239166096c3a1008d60079e7c59f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Metamorfo


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 32fb5900faa65295965b7b286de22a46eff4239166096c3a1008d60079e7c59f
SHA3-384 hash: c125f8fe90b387c9e2a8ad2b755f465c57ab8b1a39c1d1df310e28ea12689bb04e2ed7465eda5a95cd063d7b012aaf34
SHA1 hash: e74fbd1845efb310c80074e8128500cb330f214d
MD5 hash: 0d26fafe1d5ee29625792f952b5a6e08
humanhash: asparagus-louisiana-mockingbird-artist
File name:NOT110923.msi
Download: download sample
Signature Metamorfo
Create hunting rule
File size:540'672 bytes
First seen:2023-09-15 07:03:04 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 12288:aO3KsY5ALTqp4nbTrPPzfGXSjptsrYI21wlD:aO3KsY5Aip4bT2XSjp2b
Threatray 7 similar samples on MalwareBazaar
TLSH T10DB4E006B2D5477BE4D70372179F93628F72EC388772822B1689650E2EF1654B7A33E1
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter abuse_ch
Tags:MetaMorfo msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
122
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/448767/
Detection(s):
SecuriteInfo.com.Trojan-Spy.Agent.22897.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
lolbin remote shell32
Link:
https://www.filescan.io/uploads/650401e3985359c839077edd/reports/d51023e2-08ff-4e4e-abb0-fee767e1d3c9/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/32fb5900faa65295965b7b286de22a46eff4239166096c3a1008d60079e7c59f
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/32fb5900faa65295965b7b286de22a46eff4239166096c3a1008d60079e7c59f
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1308744
Signature
Antivirus detection for dropped file
Downloads files with wrong headers with respect to MIME Content-Type
Hides threads from debuggers
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Drops script at startup location
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1308744 Sample: NOT110923.msi Startdate: 15/09/2023 Architecture: WINDOWS Score: 92 59 Antivirus detection for dropped file 2->59 61 Multi AV Scanner detection for dropped file 2->61 63 Sigma detected: Drops script at startup location 2->63 65 2 other signatures 2->65 8 msiexec.exe 8 30 2->8         started        11 cmd.exe 1 2->11         started        14 CDex.exe 2->14         started        16 2 other processes 2->16 process3 file4 49 C:\Windows\Installer\MSI16FE.tmp, PE32 8->49 dropped 51 C:\Windows\Installer\MSI15D4.tmp, PE32 8->51 dropped 53 C:\Users\user\...\Application Signer.cmd, ASCII 8->53 dropped 18 msiexec.exe 3 23 8->18         started        69 Uses cmd line tools excessively to alter registry or file data 11->69 23 cmd.exe 1 11->23         started        25 cmd.exe 1 11->25         started        27 conhost.exe 11->27         started        signatures5 process6 dnsIp7 55 18.228.137.45, 49727, 80 AMAZON-02US United States 18->55 41 C:\Users\Public\...\libsndfile-1.dll, PE32 18->41 dropped 43 C:\Users\Public\...\libmusicbrainz.dll, PE32 18->43 dropped 45 C:\Users\Public\...\cdrom_drive_offsets.txt, PE32 18->45 dropped 47 2 other malicious files 18->47 dropped 67 Uses cmd line tools excessively to alter registry or file data 18->67 29 CDex.exe 1 3 18->29         started        33 reg.exe 1 18->33         started        35 reg.exe 1 23->35         started        37 reg.exe 1 1 25->37         started        file8 signatures9 process10 dnsIp11 57 4.231.173.65 LEVEL3US United States 29->57 71 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 29->71 73 Tries to evade analysis by execution special instruction (VM detection) 29->73 75 Tries to detect virtualization through RDTSC time measurements 29->75 77 Hides threads from debuggers 29->77 39 conhost.exe 33->39         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/32fb5900faa65295965b7b286de22a46eff4239166096c3a1008d60079e7c59f/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-09-15 07:04:06 UTC
File Type:
Binary (Archive)
Extracted files:
83
AV detection:
8 of 24 (33.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gl5vsah2uzjjlfs3pmug3yrki3x7ii4rmyewyoqqbdlaa6phywpq._file
Verdict:
malicious
Similar samples:
2f9a2ca3d7c8f4ce0393399a7688650c71636418ed1f8edd8a68d6c93b2f2d53
Metamorfo
439fba17d37f5fb43487decfd1743712861fc0067d98ff4171d41ca5a267648a
Metamorfo
47e29bd164cb2f1eeee561aadf21b399a768dbb14a8d616ff2d1c4e77d1f7ce9
Metamorfo
4f593ebd5dde6f4f802cd19efad768dbdb444a527f1e057a4b42fa9907fe42fe
Metamorfo
e4780a285befbc2419d74e2c3bcecffd0e128a8e1f8db367de072b37d59e942b
Metamorfo
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/230915-hvx6vacb33/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Enumerates connected drives
Drops startup file
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/32fb5900faa65295965b7b286de22a46eff4239166096c3a1008d60079e7c59f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Disclosed_0day_POCs_payload_MSI
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects POC code from disclosed 0day hacktool set
Reference:Disclosed 0day Repos
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:metamorfo_msi
Create hunting rule
Author:jeFF0Falltrades
Description:This is a simple, albeit effective rule to detect most Metamorfo initial MSI payloads
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR
Rule name:win_unidentified_072_w0
Create hunting rule
Author:jeFF0Falltrades
Description:This is a simple, albeit effective rule to detect most Metamorfo initial MSI payloads

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/448767/

Comments