MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 451b4fb4bbd1132305a70846d178321c1cdf291d51c51974ff5beb98674e14ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Metamorfo

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	451b4fb4bbd1132305a70846d178321c1cdf291d51c51974ff5beb98674e14ba
SHA3-384 hash:	0c0cc47b0127a6c22aeccc60eb56a21e5f86604b4e11ae2f2d6db284862a728fca301eb6bcb2152e801210ce6c5ee7f4
SHA1 hash:	17b71ce8a2df84b9c53f8a0e7f91d072b91e39b8
MD5 hash:	aef5024a83edc00e6540c720d061d4a9
humanhash:	zulu-johnny-autumn-friend
File name:	fatura_vivo_01072021.zip
Download:	download sample
Signature	Metamorfo Create hunting rule
File size:	1'000'313 bytes
First seen:	2021-06-30 03:57:40 UTC
Last seen:	Never
File type:	zip
MIME type:	application/zip
ssdeep	24576:uEaJMhK4nvMnxPwMR6rlUmGFD0ANaE+eW7J:xaehdnUnFw3GLFla9eWl
TLSH	052533172B448BC547D759FF1762A15C84D30C387058B6367AAF4BB8A13B907B32A9BC
Reporter	cocaman
Tags:	MetaMorfo zip

cocaman

Malicious email (T1566.001)
From: "VIVO <contadigital@vivo.com.br>" (likely spoofed)
Received: "from cloud18.sportrender.com (cloud18.sportrender.com [81.31.197.53]) "
Date: "Tue, 29 Jun 2021 23:11:59 +0000"
Subject: "A Conta Digital Vivo chegou"
Attachment: "fatura_vivo_01072021.zip"

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Packer.Upx-4

SecuriteInfo.com.Trojan-Spy.Agent.22897.UNOFFICIAL

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/451b4fb4bbd1132305a70846d178321c1cdf291d51c51974ff5beb98674e14ba

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/451b4fb4bbd1132305a70846d178321c1cdf291d51c51974ff5beb98674e14ba/

Threat name:

Script-WScript.Downloader.Bomber

Status:

Malicious

First seen:

2021-06-29 23:56:11 UTC

File Type:

Binary (Archive)

Extracted files:

250

AV detection:

11 of 46 (23.91%)

Threat level:

3/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=iunu7nf32ejsgbnhbbdnc6bsdqon6ki5khcrs5h7lpvzqz2ocs5a._file

Result

Malware family:

n/a

Score:

9/10

Tags:

evasion persistence themida trojan

Link:

https://tria.ge/reports/210630-xm7dsw8pws/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Adds Run key to start application

Checks whether UAC is enabled

Enumerates connected drives

Checks BIOS information in registry

Loads dropped DLL

Themida packer

Blocklisted process makes network request

Executes dropped EXE

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/451b4fb4bbd1132305a70846d178321c1cdf291d51c51974ff5beb98674e14ba

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Metamorfo

zip 451b4fb4bbd1132305a70846d178321c1cdf291d51c51974ff5beb98674e14ba

(this sample)

Metamorfo

msi 41db78fad794ca70ba68d9225112a0a8f6d50799effca89a88736e3df0c925ae

Delivery method

Distributed via e-mail attachment

Dropping

SHA256 41db78fad794ca70ba68d9225112a0a8f6d50799effca89a88736e3df0c925ae

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample