MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 41db78fad794ca70ba68d9225112a0a8f6d50799effca89a88736e3df0c925ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Metamorfo


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 41db78fad794ca70ba68d9225112a0a8f6d50799effca89a88736e3df0c925ae
SHA3-384 hash: 11178ff889d6a8ea8d982dbb6df606aa2a23f5b581f82a12cfcdc0e6a19d071324cc7fb849b4dfe02db06589f16027d2
SHA1 hash: 17a64e238b7dc11b06302620dd81c1f5e81f74ce
MD5 hash: c373f42b842a723c9def72fe12bb8fc8
humanhash: triple-illinois-nineteen-bravo
File name:BOL_88ZP6MTAWC28GN1TXW0S0OXV3.pdf.msi
Download: download sample
Signature Metamorfo
Create hunting rule
File size:2'009'600 bytes
First seen:2021-06-30 03:57:51 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:GLVGY5AblMDbCmnGnrijpsX8kU4UUU3UUUtvFOpLjhs6564m:NY5A4bznuijpKLU4UUU3UUUtvFOX
Threatray 2'116 similar samples on MalwareBazaar
TLSH 68956A05BE8E8161DC1146388966D371E7627C241F6D86EBF29ABB2E6F331D09D36313
Reporter cocaman
Tags:MetaMorfo msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168864/
Detection(s):
PUA.Win.Packer.Upx-4
Create hunting rule

SecuriteInfo.com.Trojan-Spy.Agent.22897.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/41db78fad794ca70ba68d9225112a0a8f6d50799effca89a88736e3df0c925ae
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/809746
Signature
Creates multiple autostart registry keys
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Query firmware table information (likely to detect VMs)
Sigma detected: Execution from Suspicious Folder
Sigma detected: Ryuk Ransomware
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 442157 Sample: BOL_88ZP6MTAWC28GN1TXW0S0OX... Startdate: 30/06/2021 Architecture: WINDOWS Score: 80 38 Multi AV Scanner detection for submitted file 2->38 40 Sigma detected: Ryuk Ransomware 2->40 42 Sigma detected: Execution from Suspicious Folder 2->42 7 msiexec.exe 6 44 2->7         started        11 3yUgc4wrp8G85JU67an52VgHjY4ns3sGYtYSA.Lavasoft.WCAssistant.WinService.EXE 2->11         started        14 3yUgc4wrp8G85JU67an52VgHjY4ns3sGYtYSA.Lavasoft.WCAssistant.WinService.EXE 2->14         started        16 4 other processes 2->16 process3 dnsIp4 36 95.179.187.163, 49715, 80 AS-CHOOPAUS Netherlands 7->36 26 C:\Users\user\AppData\Local\...\Lenamila (4), PE32 7->26 dropped 28 C:\Users\user\AppData\Local\...\Lenamila (2), PE32 7->28 dropped 30 C:\Users\user\AppData\Local\Temp\Lenamila, PE32+ 7->30 dropped 32 5 other files (none is malicious) 7->32 dropped 18 3yUgc4wrp8G85JU67an52VgHjY4ns3sGYtYSA.Lavasoft.WCAssistant.WinService.EXE 2 1 7->18         started        22 reg.exe 1 1 7->22         started        52 Query firmware table information (likely to detect VMs) 11->52 54 Hides threads from debuggers 11->54 56 Tries to detect sandboxes / dynamic malware analysis system (registry check) 11->56 file5 signatures6 process7 dnsIp8 34 78.141.229.17, 49731, 80 AS-CHOOPAUS Netherlands 18->34 44 Query firmware table information (likely to detect VMs) 18->44 46 Tries to detect sandboxes and other dynamic analysis tools (window names) 18->46 48 Creates multiple autostart registry keys 18->48 50 2 other signatures 18->50 24 conhost.exe 22->24         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/41db78fad794ca70ba68d9225112a0a8f6d50799effca89a88736e3df0c925ae/
Threat name:
Script-WScript.Downloader.SLoad
Create hunting rule
Status:
Malicious
First seen:
2021-06-29 23:57:39 UTC
File Type:
Binary (Archive)
Extracted files:
249
AV detection:
12 of 46 (26.09%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ihnxr6wxstfhboti3erfcevavd3nkb4z576krguionxd34gjewxa._file
Verdict:
malicious
Similar samples:
00aea1d8e6ad3b1e20f2decc617d17c6e8f590ebe705c82d4266d02fbca00f5c
Metamorfo
2131f107d3c701344f650d0413fa83ee2112247d3f2bcff2c5ab6c2de5932f88
Metamorfo
266f8215ba1b531f93fb7567c34088e49ad4de63d9c2726e11caaa6158be9d9a
Metamorfo
73842595c824b3ed06e5e975c9fb247012ea58dba4facc6c1ecb1c7608b30032
Metamorfo
87483d4bb3c1471ff52b52c8c1be35161f1bbbce07b1b8e321406849a01cdd59
Metamorfo
a1226fa2480bd40c0490b5ce5e1407f663a27cbbb77187d70dc8557d78d46c5c
Metamorfo
b38256f6d2f6f4437714a7eb5f6c97750303f0a94efdfbcbd939e33bfdea48c5
Metamorfo
c8b1c11bf16a1052dffb6942d955c31cdad7f0b154e1f855882d4d95359efa54
Metamorfo
d1e3656b4e1c609b2540cff74f59319a52d7fabf4cc512db0c7f9d3e8fe49ec7
Metamorfo
d7088573e0239d3260dc7ff251b3b0e1d3979d854b3d0442f7dc43226f9263ed
Metamorfo
+ 2'106 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion persistence themida trojan
Link:
https://tria.ge/reports/210630-n2fq64y79e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Enumerates connected drives
Checks BIOS information in registry
Loads dropped DLL
Themida packer
Blocklisted process makes network request
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.94
Link:
https://yomi.yoroi.company/submissions/41db78fad794ca70ba68d9225112a0a8f6d50799effca89a88736e3df0c925ae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:metamorfo_msi
Create hunting rule
Author:jeFF0Falltrades
Description:This is a simple, albeit effective rule to detect most Metamorfo initial MSI payloads
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR
Rule name:win_unidentified_072_w0
Create hunting rule
Author:jeFF0Falltrades
Description:This is a simple, albeit effective rule to detect most Metamorfo initial MSI payloads

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Metamorfo

zip 451b4fb4bbd1132305a70846d178321c1cdf291d51c51974ff5beb98674e14ba

Metamorfo

Microsoft Software Installer (MSI) msi 41db78fad794ca70ba68d9225112a0a8f6d50799effca89a88736e3df0c925ae

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 451b4fb4bbd1132305a70846d178321c1cdf291d51c51974ff5beb98674e14ba
Cape
Cape
https://www.capesandbox.com/analysis/168864/

Comments