MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 468d71fc7e7a6d72d51c2f61f6463d625ef29fe3b90198d3b6cc3cf892d24301. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 468d71fc7e7a6d72d51c2f61f6463d625ef29fe3b90198d3b6cc3cf892d24301
SHA3-384 hash: d89dc7f406821699503667f917d7dd2ad27f9f8afec2c728a6277ead9c07cb941b1fbf87723999c7d4e1d0c71c79a092
SHA1 hash: 86e4c86f5dd46c6d98f60d75ec0dd4837a7041e1
MD5 hash: dd28ac25432b831336d6070736569219
humanhash: high-item-cat-romeo
File name:TBGTeWF.msi
Download: download sample
File size:4'915'200 bytes
First seen:2023-06-19 08:27:23 UTC
Last seen:2023-06-19 13:24:28 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:updSvPe+Y8YsOs/7mE4GtTmYGcLs8AezN7dXmJ0zjxq7lyMbWi1+xl5:upYG+YUOs7kGtdG9kdJB+lyMbJ1u5
Threatray 26 similar samples on MalwareBazaar
TLSH T197368C227DA26A69C1144E307D9FF77F132F5EE1960C856E523ABDE82A3253067327D0
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter obfusor
Tags:msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
80
Origin country :
HK HK
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/400343/
Detection(s):
SecuriteInfo.com.Win32.TrojanX-gen.14373.3142.UNOFFICIAL
Create hunting rule

Verdict:
No Threat
Threat level:
  2/10
Confidence:
100%
Tags:
expand.exe fingerprint lolbin packed shell32.dll
Link:
https://www.filescan.io/uploads/6490119210461c2d676a6176/reports/8cd65c89-8098-4fab-adfe-13a4b1429d85/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/468d71fc7e7a6d72d51c2f61f6463d625ef29fe3b90198d3b6cc3cf892d24301
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/468d71fc7e7a6d72d51c2f61f6463d625ef29fe3b90198d3b6cc3cf892d24301
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1257189
Signature
Contains functionality to modify clipboard data
Deletes itself after installation
Detected unpacking (changes PE section rights)
Drops executables to the windows directory (C:\Windows) and starts them
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 890209 Sample: TBGTeWF.msi Startdate: 19/06/2023 Architecture: WINDOWS Score: 84 72 Multi AV Scanner detection for dropped file 2->72 74 Multi AV Scanner detection for submitted file 2->74 76 Detected unpacking (changes PE section rights) 2->76 78 PE file has a writeable .text section 2->78 9 msiexec.exe 94 30 2->9         started        12 idzkTg.exe 2->12         started        15 svchost.exe 2->15         started        17 3 other processes 2->17 process3 file4 58 C:\Windows\Installer\MSID9B.tmp, PE32 9->58 dropped 60 C:\Windows\Installer\MSI3F23.tmp, PE32 9->60 dropped 62 C:\Windows\Installer\MSI1117.tmp, PE32 9->62 dropped 19 msiexec.exe 5 9->19         started        94 Drops executables to the windows directory (C:\Windows) and starts them 12->94 21 idzkTg.exe 12->21         started        signatures5 process6 dnsIp7 24 TBGTeWF.exe 3 19->24         started        28 expand.exe 4 19->28         started        30 cmd.exe 19->30         started        32 2 other processes 19->32 64 45.112.205.108, 2022, 49185, 49186 HKKFGL-AS-APHKKwaifongGroupLimitedHK Hong Kong 21->64 process8 file9 48 C:\idzkTg.exe, PE32 24->48 dropped 50 Adobe Flash Player...iveX_34.0.0.211.exe, PE32 24->50 dropped 52 C:\Users\user\AppData\...\_@21A4.tmp (copy), PE32 24->52 dropped 86 Drops executables to the windows directory (C:\Windows) and starts them 24->86 34 idzkTg.exe 2 24->34         started        38 Adobe Flash Player ActiveX_34.0.0.211.exe 3 237 24->38         started        54 C:\Users\user\AppData\...\TBGTeWF.exe (copy), PE32 28->54 dropped 56 C:\...\83d997c9b1261d40a1b5c40a9a8cfdef.tmp, PE32 28->56 dropped signatures10 process11 dnsIp12 46 C:\Windows\SysWOW64\idzkTg.exe, PE32 34->46 dropped 80 Multi AV Scanner detection for dropped file 34->80 82 Machine Learning detection for dropped file 34->82 84 Deletes itself after installation 34->84 41 idzkTg.exe 34->41         started        44 cmd.exe 34->44         started        66 488928.ovslegodl.sched.ovscdns.com 43.132.66.50, 443, 49184 LILLY-ASUS Japan 38->66 68 www.flash.cn.cdn.dnsv1.com 38->68 70 www.flash.cn 38->70 file13 signatures14 process15 signatures16 88 Multi AV Scanner detection for dropped file 41->88 90 Machine Learning detection for dropped file 41->90 92 Contains functionality to modify clipboard data 41->92
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/468d71fc7e7a6d72d51c2f61f6463d625ef29fe3b90198d3b6cc3cf892d24301/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-06-19 08:28:05 UTC
File Type:
Binary (Archive)
Extracted files:
551
AV detection:
7 of 37 (18.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i2gxd7d6pjwxfvi4f5q7mrr5mjppfh7dxeazru5wzq6prewsimaq._file
Verdict:
malicious
Similar samples:
0a06a6d30c526cbc7cf06800d016d00aed30e37f549629086a98e2a1b6500d17
13e6ff5cb9fdf2ba6560edda8afa17724d14122dd087af29004c7684cb6c4252
383b0abb5274e9c87f8d42b0dfca92d82ea28ac940d55d25787a0c3394df6a93
45982d6a7674a3ff4d2f28e95963d74729e0cb3059c08ef2e4c235182bf4591d
746f678c60f4673efadda92d819466cc102cbeafe3b39dbddd165bb552779541
788df2cfd4c197c811a9ec741ad14fe7475ca9b4d0d0b0a1b895ae51bec61806
db6edb488bdadbd506ec6d28710abb9c5cdd844fc394fa7e8293710f4afea8e9
e60400f9da142b7bb4e83bfa2d964e3ed937dd350d2c6881c21daa826757bac3
e8d81e7b25128035e30e271708d66efaf12c490114042e1e493a0c816d374414
+ 16 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery upx
Link:
https://tria.ge/reports/230619-kczytscf42/
Behaviour
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Enumerates connected drives
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/468d71fc7e7a6d72d51c2f61f6463d625ef29fe3b90198d3b6cc3cf892d24301

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:meth_peb_parsing
Create hunting rule
Author:Willi Ballenthin

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/400343/

Comments