MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 439fba17d37f5fb43487decfd1743712861fc0067d98ff4171d41ca5a267648a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Metamorfo


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 439fba17d37f5fb43487decfd1743712861fc0067d98ff4171d41ca5a267648a
SHA3-384 hash: 763fbc0c4f58b93942fa8cd9f0f5674c07849deeaa1f104b91cdff056822c057ea74bd238ba5ab342e585bae3339b56e
SHA1 hash: 12410d6f88525bc5c11ce4e009053c04e42bf452
MD5 hash: 0fde8516a3f519ff250a0571ea0c1b68
humanhash: early-carpet-alpha-earth
File name:z32BOLET0120923(1).msi
Download: download sample
Signature Metamorfo
Create hunting rule
File size:540'160 bytes
First seen:2023-09-12 19:02:04 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 12288:T84mlY5AVTqp4nb5rQPzfGXSjptsrYI21wlD:T84mlY5Awp4b5HXSjp2b
Threatray 3 similar samples on MalwareBazaar
TLSH T1A2B4E006B2D54B77E4D70372179B93629F72EC348762812B1389750E2EF1694B7A33E2
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter FXOLabs
Tags:MetaMorfo msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
BR BR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/448248/
Detection(s):
SecuriteInfo.com.Trojan-Spy.Agent.22897.UNOFFICIAL
Create hunting rule

Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
lolbin remote shell32
Link:
https://www.filescan.io/uploads/6500b5e725e2ece4df6bb39c/reports/566689a9-203f-4a5d-9ebc-c8bbf7eb7512/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/439fba17d37f5fb43487decfd1743712861fc0067d98ff4171d41ca5a267648a
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/439fba17d37f5fb43487decfd1743712861fc0067d98ff4171d41ca5a267648a
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1308504
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Hides threads from debuggers
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Drops script at startup location
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1308504 Sample: z32BOLET0120923(1).msi Startdate: 15/09/2023 Architecture: WINDOWS Score: 100 61 Multi AV Scanner detection for domain / URL 2->61 63 Antivirus detection for URL or domain 2->63 65 Antivirus detection for dropped file 2->65 67 5 other signatures 2->67 8 msiexec.exe 8 30 2->8         started        11 cmd.exe 1 2->11         started        14 CDex.exe 2->14         started        16 2 other processes 2->16 process3 file4 49 C:\Windows\Installer\MSI6C70.tmp, PE32 8->49 dropped 51 C:\Windows\Installer\MSI6BE3.tmp, PE32 8->51 dropped 53 C:\Windows\Installer\436aca.msi, Composite 8->53 dropped 55 C:\Users\user\...\Application Signer.cmd, ASCII 8->55 dropped 18 msiexec.exe 3 23 8->18         started        71 Uses cmd line tools excessively to alter registry or file data 11->71 23 cmd.exe 1 11->23         started        25 cmd.exe 1 11->25         started        27 conhost.exe 11->27         started        signatures5 process6 dnsIp7 57 20.150.193.101, 49727, 80 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 18->57 41 C:\Users\Public\...\libsndfile-1.dll, PE32 18->41 dropped 43 C:\Users\Public\...\libmusicbrainz.dll, PE32 18->43 dropped 45 C:\Users\Public\...\cdrom_drive_offsets.txt, PE32 18->45 dropped 47 2 other malicious files 18->47 dropped 69 Uses cmd line tools excessively to alter registry or file data 18->69 29 CDex.exe 1 5 18->29         started        33 reg.exe 1 18->33         started        35 reg.exe 1 23->35         started        37 reg.exe 1 1 25->37         started        file8 signatures9 process10 dnsIp11 59 4.231.173.65 LEVEL3US United States 29->59 73 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 29->73 75 Tries to evade analysis by execution special instruction (VM detection) 29->75 77 Tries to detect virtualization through RDTSC time measurements 29->77 79 Hides threads from debuggers 29->79 39 conhost.exe 33->39         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/439fba17d37f5fb43487decfd1743712861fc0067d98ff4171d41ca5a267648a/
Threat name:
Script-WScript.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-09-12 19:03:06 UTC
File Type:
Binary (Archive)
Extracted files:
83
AV detection:
11 of 22 (50.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=iop3uf6tp5p3ineh33h5c5bxckdb7qagpwmp6qlr2qoklithmsfa._file
Verdict:
malicious
Similar samples:
2f9a2ca3d7c8f4ce0393399a7688650c71636418ed1f8edd8a68d6c93b2f2d53
Metamorfo
47e29bd164cb2f1eeee561aadf21b399a768dbb14a8d616ff2d1c4e77d1f7ce9
Metamorfo
e4780a285befbc2419d74e2c3bcecffd0e128a8e1f8db367de072b37d59e942b
Metamorfo
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/230912-xqb55shf42/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Enumerates connected drives
Drops startup file
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/439fba17d37f5fb43487decfd1743712861fc0067d98ff4171d41ca5a267648a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Disclosed_0day_POCs_payload_MSI
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects POC code from disclosed 0day hacktool set
Reference:Disclosed 0day Repos
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:metamorfo_msi
Create hunting rule
Author:jeFF0Falltrades
Description:This is a simple, albeit effective rule to detect most Metamorfo initial MSI payloads
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR
Rule name:win_unidentified_072_w0
Create hunting rule
Author:jeFF0Falltrades
Description:This is a simple, albeit effective rule to detect most Metamorfo initial MSI payloads

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Metamorfo

Microsoft Software Installer (MSI) msi 439fba17d37f5fb43487decfd1743712861fc0067d98ff4171d41ca5a267648a

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/448248/

Comments