MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35c2607c6670f5303f3eca40de2e3441c2f48101861d2135d85029a8827cae25. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 6



SHA256 hash: 35c2607c6670f5303f3eca40de2e3441c2f48101861d2135d85029a8827cae25
SHA3-384 hash: 01663770ad433c557db6cf6d4fac7c107e9e2044dc78fe661ae5868c84afcaf85ad0362839763a3e2cbe310726befc4b
SHA1 hash: 8a3fc26d8bbe27881c7d758a3b9ce80e5bd23c6d
MD5 hash: a56f782af2f9cf140dc1684d7081fd6c
humanhash: east-autumn-echo-london
File name: Processo 17-02-2023 WVE裆.msi
File size: 8'485'376 bytes
First seen: 2023-02-17 06:44:24 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep 196608:Hpda9dE//65tj1PUXlFOIKthKDGRbDR7xuXp6cqZix5e:JdHy5/UVYthKD6DRduXpRUm
Threatray 199 similar samples on MalwareBazaar
TLSH T14286330B30CE9B7BE9960372463FA32767655C60512202337275FE165EF22A867E73E4
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
     10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
     7.8% (.MSP) Windows Installer Patch (44509/10/5)
     1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter ankit_anubhav
Tags: msi

Intelligence


File Origin
# of uploads :
1
# of downloads :
80
Origin country :
TH
Vendor Threat Intelligence
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
greyware packed shell32.dll
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
96 / 100
Signature
Antivirus detection for dropped file
Creates autostart registry keys with suspicious names
Drops PE files to the document folder of the user
Found potential ransomware demand text
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Overwrites code with function prologues
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Snort IDS alert for network traffic
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
[Behavior graph not reproduced: Behavior Graph ID 810536, sample "Processo 17-02-2023 WVE裆.msi", start date 17/02/2023, architecture WINDOWS, score 96. The graph shows the msiexec.exe installation chain dropping PE files into the user's Documents folder and a C:\Uj070HX9.7P6\ directory (including bundled libpython3.8.dll, libgcc_s_dw2-1.dll and libwinpthread-1.dll), the dropped executables contacting external hosts over TCP 443 and 80, and the signatures listed above triggered by those processes.]
Result
Malware family:
n/a
Score:
7/10
Tags:
persistence
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Adds Run key to start application
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_msi_file
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments