MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ba885ffd9fb3245a9513f1bd8c6c01cc053976b0799c0f856aa98c6e8d03a2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ba885ffd9fb3245a9513f1bd8c6c01cc053976b0799c0f856aa98c6e8d03a2c
SHA3-384 hash: 30af090a888956caac160ed56178843fbc1ae35894599f958e778c1c48b9325ab651686ebfd4f3767f11c4d77b0de1fa
SHA1 hash: b84012caf370c41a8ec2ebb2e0f0ba5afca943b1
MD5 hash: a2399e0d5f4608d5496d2d217466725e
humanhash: romeo-california-sixteen-mirror
File name:Payment-Extract-View-ID440d51b2-7543-4e55-ac70-8f14b512146d.msi
Download: download sample
File size:555'520 bytes
First seen:2021-06-07 05:16:23 UTC
Last seen:2021-06-07 06:21:46 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 12288:GoOUYCtkeYbS9L/RuMuwLocopMlVSCS4T7lAO5:GoVYCtkeYe9oWVRT7lAO
Threatray 49 similar samples on MalwareBazaar
TLSH 52C48D11B2D6C537C56E06B0362E97AA4529BDA48BF2C0FB13C82D1E1D739C15736EE2
Reporter abuse_ch
Tags:msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/164805/
Detection(s):
SecuriteInfo.com.JS.Trojan.Cryxos.1130.8374.9623.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/3ba885ffd9fb3245a9513f1bd8c6c01cc053976b0799c0f856aa98c6e8d03a2c
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/797757
Signature
Antivirus detection for dropped file
Contains functionality to access PhysicalDrive, possible boot sector overwrite
Contains functionality to detect sandboxes (registry SystemBiosVersion/Date)
Contains functionality to detect sleep reduction / modifications
Contains functionality to detect virtual machines (IN, VMware)
Contains functionality to infect the boot sector
Creates files in alternative data streams (ADS)
Drops PE files to the user root directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses shutdown.exe to shutdown or reboot the system
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 430151 Sample: Payment-Extract-View-ID440d... Startdate: 07/06/2021 Architecture: WINDOWS Score: 100 36 Antivirus detection for dropped file 2->36 38 Multi AV Scanner detection for dropped file 2->38 40 Multi AV Scanner detection for submitted file 2->40 7 TyRuqTpd.exe 7 7 2->7         started        12 TyRuqTpd.exe 8 3 2->12         started        14 msiexec.exe 4 5 2->14         started        16 msiexec.exe 3 2->16         started        process3 dnsIp4 28 appnovoacesso.com 172.67.164.203, 443, 49730 CLOUDFLARENETUS United States 7->28 22 C:\Users\user\TyRuqTpd.exe, PE32 7->22 dropped 42 Contains functionality to detect virtual machines (IN, VMware) 7->42 44 Contains functionality to detect sandboxes (registry SystemBiosVersion/Date) 7->44 46 Contains functionality to access PhysicalDrive, possible boot sector overwrite 7->46 58 4 other signatures 7->58 30 192.168.2.1 unknown unknown 12->30 24 C:\ProgramData\TEMP:697F2011, data 12->24 dropped 48 Antivirus detection for dropped file 12->48 50 Multi AV Scanner detection for dropped file 12->50 52 Creates files in alternative data streams (ADS) 12->52 54 Tries to detect sandboxes and other dynamic analysis tools (window names) 12->54 32 googlegroups.l.googleusercontent.com 142.250.102.137, 443, 49718 GOOGLEUS United States 14->32 34 a5ae9877-a-62cb3a1a-s-sites.googlegroups.com 14->34 26 C:\Users\user\AppData\Local\drive2, PE32 14->26 dropped 56 Uses shutdown.exe to shutdown or reboot the system 14->56 18 shutdown.exe 1 14->18         started        file5 signatures6 process7 process8 20 conhost.exe 18->20         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ba885ffd9fb3245a9513f1bd8c6c01cc053976b0799c0f856aa98c6e8d03a2c/
Threat name:
Script.Trojan.Cryxos
Create hunting rule
Status:
Malicious
First seen:
2021-06-06 02:39:58 UTC
AV detection:
7 of 47 (14.89%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=houil76z7mzelkkrh4n5rrwadtafhf3la6m4b6cwvkmmn2gqhiwa._file
Verdict:
unknown
Similar samples:
0240347f0a7e6318facda5d29103c2dba44ef0d45f76706cd5ade058a69c0c55
0aa0c65b1c37512536706d22a19af44e4ba91f8406bee0b1cdf691a050e8e7f0
111d1529eb5320465bc09a12146b321b0f4409372a8b73048b7798904082068c
7a786d6cfe052c82e7ab1d5b7f4427c594f2497c4fb374ab852e01c2c1a2b548
a00f40db9ba7257068bb17d72e399d6a6651c2d459dbe026537131ff9baef6eb
a4f95464eccef0c4da2d48481ef8b1006a6ed0918fb421db63c793e1001bbeda
acd0ae8b296ee3fd7d01547b5220877770538fb76144b237f81377e3241726b3
b38256f6d2f6f4437714a7eb5f6c97750303f0a94efdfbcbd939e33bfdea48c5
ba67c7d19ae5f1e164777227739631ca2187406a447edc218f4807e986ea3430
fcfd08ece32e24fea0ff980a4cb63afb080b5b4d39875452b91e373458e000bb
+ 39 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210607-45a6tlw5sa/
Behaviour
Modifies data under HKEY_USERS
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.28
Link:
https://yomi.yoroi.company/submissions/3ba885ffd9fb3245a9513f1bd8c6c01cc053976b0799c0f856aa98c6e8d03a2c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Microsoft Software Installer (MSI) msi 3ba885ffd9fb3245a9513f1bd8c6c01cc053976b0799c0f856aa98c6e8d03a2c

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/164805/

Comments