MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 464fe77f576d8273564bb5b7976b381855d962017f4da6b5a363af78bf788799. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Metamorfo


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 464fe77f576d8273564bb5b7976b381855d962017f4da6b5a363af78bf788799
SHA3-384 hash: c8a096e86709c1210144cdc68a564f888d29a13685482784aac4cc6ee4da3c9ed6e837f232dbf6de03d989ddd49edc5c
SHA1 hash: 5bc30f0f540a957d2cc489bbce2c1a7f137069e0
MD5 hash: 5bfe975a60a97c93175c935c6d621e04
humanhash: harry-seventeen-solar-solar
File name:5bfe975a60a97c93175c935c6d621e04.msi
Download: download sample
Signature Metamorfo
Create hunting rule
File size:6'378'496 bytes
First seen:2021-11-23 19:46:01 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:s+QXPWTFcvpvyZYHAsmSdP33SfWww2wXaJ/Bci89ZaqN+rFzO4bj/y7dYWePRpwp:7Qex8NdP33SfWwwdKDFZj/QLePRpr3
Threatray 176 similar samples on MalwareBazaar
TLSH T10456122072CAC537D6AD02B0156E8B6F59293D210F7284E7A3DCAE3E1AF19C19731E57
Reporter abuse_ch
Tags:MetaMorfo msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
247
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.PWS.Banker1.36934.16476.815.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/619d44ff02c80febc2a7649d/reports/231c66a7-430e-42cf-9c46-178b7d562dfa/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/464fe77f576d8273564bb5b7976b381855d962017f4da6b5a363af78bf788799
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/895007
Signature
Bypasses PowerShell execution policy
Found Tor onion address
May use the Tor software to hide its network traffic
Powershell creates an autostart link
Powershell drops PE file
Sigma detected: Change PowerShell Policies to a Unsecure Level
Sigma detected: Suspicious Script Execution From Temp Folder
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 527489 Sample: YwZpT3p5Rh.msi Startdate: 23/11/2021 Architecture: WINDOWS Score: 72 75 Found Tor onion address 2->75 77 May use the Tor software to hide its network traffic 2->77 79 Sigma detected: Change PowerShell Policies to a Unsecure Level 2->79 81 Sigma detected: Suspicious Script Execution From Temp Folder 2->81 10 msiexec.exe 21 46 2->10         started        13 wscript.exe 2->13         started        16 msiexec.exe 2 2->16         started        process3 file4 59 C:\Windows\Installer\MSIFCD8.tmp, PE32 10->59 dropped 61 C:\Windows\Installer\MSIE39F.tmp, PE32 10->61 dropped 63 C:\Windows\Installer\MSIE275.tmp, PE32 10->63 dropped 65 14 other files (none is malicious) 10->65 dropped 18 msiexec.exe 8 10->18         started        89 Wscript starts Powershell (via cmd or directly) 13->89 22 MRZANK.exe 13->22         started        signatures5 process6 file7 45 C:\Users\user\AppData\Local\...\scrFDAD.txt, Little-endian 18->45 dropped 47 C:\Users\user\AppData\Local\...\scrFDAC.ps1, Little-endian 18->47 dropped 49 C:\Users\user\AppData\Local\...\pssFF45.ps1, Little-endian 18->49 dropped 83 Bypasses PowerShell execution policy 18->83 24 powershell.exe 21 40 18->24         started        signatures8 process9 dnsIp10 73 save.nbanamend.com 104.21.91.13, 443, 49770 CLOUDFLARENETUS United States 24->73 51 C:\JQHPQS\zlib1.dll, PE32 24->51 dropped 53 C:\JQHPQS\tor.exe, PE32 24->53 dropped 55 C:\JQHPQS\tor-gencert.exe, PE32 24->55 dropped 57 11 other malicious files 24->57 dropped 85 Powershell creates an autostart link 24->85 87 Powershell drops PE file 24->87 29 wscript.exe 24->29         started        32 conhost.exe 24->32         started        file11 signatures12 process13 signatures14 91 Wscript starts Powershell (via cmd or directly) 29->91 34 MRZANK.exe 29->34         started        37 powershell.exe 29->37         started        process15 dnsIp16 67 205.185.127.35, 49775, 9100 PONYNETUS United States 34->67 69 213.226.71.164, 49788, 9001 MELBICOM-EU-ASMelbikomasUABNL Germany 34->69 71 4 other IPs or domains 34->71 39 conhost.exe 34->39         started        41 conhost.exe 37->41         started        43 powershell.exe 37->43         started        process17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/464fe77f576d8273564bb5b7976b381855d962017f4da6b5a363af78bf788799/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-11-23 15:42:21 UTC
File Type:
Binary (Archive)
Extracted files:
98
AV detection:
8 of 27 (29.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=izh6o72xnwbhgvslww3zo2zydbk5syqbp5g2nnndmoxxrp3yq6mq._file
Verdict:
unknown
Similar samples:
1306e24bda80da1dacddc7c7d808502407cc8b29960d807aed0327050ba32be6
Metamorfo
23cfbb0bf1e110a79678f45c29897e6090b660d3df420bbb916fc3f1bc12eead
Metamorfo
268953af63bad4895dd06c024fd1ec2af2c134623a0e100e26894e4d6bab741e
Metamorfo
6269fd417f93e7c0d7cab576b35dc3b6f6a58c0f04e75533bad84987c228f0e6
Metamorfo
75fa551eec71d6d8b9817266813715c2bbb7a537005587f9f1e0d058a05febc6
Metamorfo
a181b562122fb3752137474073f22e1b2b1b4cc82a5269e73847a0e2e212cd56
Metamorfo
af3b8311c191d529461c48cdc5af00df25735fab439aa7570685b6c09635bc9c
Metamorfo
cb3d08dd3044e25627bc2f3e80575495f40fc11442e35a708f3f1eb28b7d82e1
Metamorfo
df00279749a73b854f3d6415a49e7cd0ea507b69b510d7505f2ca7c908d25a4a
Metamorfo
e7d2deba4fccbea79ffa209ebe0ce49f98aecfb340c8d6ec3ea1773cb12cb07e
Metamorfo
+ 166 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/211123-ygys8aece4/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Enumerates connected drives
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
Malware Config
Dropper Extraction:
https://autoatendimento.bb.com.br/apf-apj-acesso/#/transacao/acesso-empresa/0?v=2.28.10&t=1&tipoCliente=empresa
https://www2.bancobrasil.com.br/aapf/login.html#/acesso-aapf-agencia-conta
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/464fe77f576d8273564bb5b7976b381855d962017f4da6b5a363af78bf788799

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Metamorfo

Microsoft Software Installer (MSI) msi 464fe77f576d8273564bb5b7976b381855d962017f4da6b5a363af78bf788799

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1809401/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/208798/

Comments