MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 410b2d2c96a2d1f12202fc7a5c910fda0def3ac33dee062ff00a60cd11f8dc8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Ousaban


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 410b2d2c96a2d1f12202fc7a5c910fda0def3ac33dee062ff00a60cd11f8dc8d
SHA3-384 hash: 64e2725ef97e5b1fc4b85c77f0fcb726917600ab402aaea5775efa97635fcec626e997c6a3e5fbd79290dfb99791cb4d
SHA1 hash: 37fea5730775a1923306efff0ebfdb1178376a6c
MD5 hash: 3030d0b1335357da24960cd99e54ef02
humanhash: hotel-sad-triple-violet
File name:ji89UHECQSfP.msi
Download: download sample
Signature Ousaban
Create hunting rule
File size:15'517'184 bytes
First seen:2022-04-21 07:41:32 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 393216:9lP5oHn5N4B0PStM0d/4yLTLM6p1EC3OrP8sbvnF2wz2:75RCPaMq/tLPM6p17oP8sbtz2
Threatray 15 similar samples on MalwareBazaar
TLSH T179F633323345C636DA6E4270652B939E4119BAB34B7140DBA7C9693BC8B40C3A37DFD6
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter JAMESWT_WT
Tags:banker brazil msi ousaban spy

Intelligence

File Origin
# of uploads :
1
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.26057.32300.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe remote.exe shell32.dll
Link:
https://www.filescan.io/uploads/62610acfffe27d511920f526/reports/60305916-13c0-4e7c-8f60-4f4c72699576/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/410b2d2c96a2d1f12202fc7a5c910fda0def3ac33dee062ff00a60cd11f8dc8d
Result
Threat name:
Unknown
Detection:
malicious
Classification:
expl.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/980439
Signature
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Sigma detected: Drops script at startup location
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 612926 Sample: ji89UHECQSfP.msi Startdate: 21/04/2022 Architecture: WINDOWS Score: 76 39 Multi AV Scanner detection for dropped file 2->39 41 Sigma detected: Drops script at startup location 2->41 43 Machine Learning detection for dropped file 2->43 45 3 other signatures 2->45 7 msiexec.exe 15 34 2->7         started        10 wscript.exe 1 2->10         started        12 msiexec.exe 2 2->12         started        process3 file4 25 C:\Users\user\AppData\Roaming\...\zlibai.dll, PE32 7->25 dropped 27 C:\Users\user\AppData\Roaming\...\intune.exe, PE32 7->27 dropped 29 C:\Windows\Installer\MSIF72.tmp, PE32 7->29 dropped 31 5 other files (none is malicious) 7->31 dropped 14 intune.exe 1 4 7->14         started        19 msiexec.exe 7->19         started        21 cmd.exe 1 10->21         started        process5 dnsIp6 35 iofajfioshnguiosfui.from-pa.com 20.226.20.129, 49745, 80 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 14->35 33 C:\Users\user\AppData\...\userapivqdacxe.vbs, ASCII 14->33 dropped 37 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 14->37 23 conhost.exe 21->23         started        file7 signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/410b2d2c96a2d1f12202fc7a5c910fda0def3ac33dee062ff00a60cd11f8dc8d/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=iefs2lewuli7ciqc7r5fzeip3ig66owdhxxaml7qbjqm2epy3sgq._file
Verdict:
malicious
Similar samples:
156918efc8e657852589588c4211c99320605a0a0ecbb0a8fc22b3554e048847
Ousaban
522db4e152583bbf8b7ae3690216acb186fd67f35046d25b2dfb088e6f4aac9d
Ousaban
52b32d417e469fddb09b2a14747de6b8dcef327c8f5f76bcec79bc678be87c54
Ousaban
59a3f7c8511f22a6e48ec6a8f058fefaa3c881c0577bde3cf3ba34ef5688990b
Ousaban
9428536f635ecadaca9288fa0150e92bdcdac7fe8de03e419e032ab0664c86fa
Ousaban
a33e9a773fa7cbf1f8494b58c87480a4e9a88eadedab725918a07536fbb7cde8
Ousaban
af5a401ad1b885562640ee6206f950bfb9f7de9ca3df0e43df834a8cdc9d6f56
Ousaban
c7acc959e7dab12dd53aebb53fd10e05f0e201f0b348bed7bc5136a1463ca7ff
Ousaban
e30b091e3162eed18f8c1b6a69bb7a28a4c722128456ee36a326a79a3367f514
Ousaban
ea6793e52d123e1381764d06e53d0fa77ef9172c16488090660bcf5bce1df03b
Ousaban
+ 5 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/220421-jjpk1aacbn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Adds Run key to start application
Enumerates connected drives
Drops startup file
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.25
Link:
https://yomi.yoroi.company/submissions/410b2d2c96a2d1f12202fc7a5c910fda0def3ac33dee062ff00a60cd11f8dc8d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments