MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4720f1157f89c7fd2e13f9d51533641bff6ef02746e038231ca56b7f96f3826a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Ousaban


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4720f1157f89c7fd2e13f9d51533641bff6ef02746e038231ca56b7f96f3826a
SHA3-384 hash: 5ee0534d753ae8120c147fc6bb21ab77751b348dc5406c7bb5a0d924c7b9a52ddd0a0d8c526b8215c2111b5210972d5c
SHA1 hash: 1201fde4929fcee34f14f45890ac8218e8c03ddd
MD5 hash: 3688e35cbfc8f8a1476dcbd04705273a
humanhash: freddie-fix-xray-cardinal
File name:3688e35cbfc8f8a1476dcbd04705273a.msi
Download: download sample
Signature Ousaban
Create hunting rule
File size:581'120 bytes
First seen:2021-12-15 09:15:02 UTC
Last seen:2021-12-15 11:23:19 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 12288:e5aYY5A/jJDJdQflxuOhr6IF3CP5pu1jLkHMt5OpLg:e5tY5A/jJDJdMxuqjFt8h
Threatray 1'825 similar samples on MalwareBazaar
TLSH T163C47D0076D6C932CABF0571262A935B0595BD2047B1D9EF13F81F9E3DB29C16236FA1
Reporter abuse_ch
Tags:BRA geo msi ousaban

Intelligence

File Origin
# of uploads :
2
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/214236/
Detection(s):
SecuriteInfo.com.JS.Heur.Backdoor.2.A3509571.Gen.18512.4832.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/61b9b21fdbe06b75d7be3d6c/reports/e3b7c5e6-5a88-4080-8c81-160db3924d0b/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/4720f1157f89c7fd2e13f9d51533641bff6ef02746e038231ca56b7f96f3826a
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/907697
Signature
Antivirus detection for dropped file
Connects to a pastebin service (likely for C&C)
Creates multiple autostart registry keys
Hides threads from debuggers
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Powershell creates an autostart link
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 540173 Sample: cIMLOZ1cev.msi Startdate: 15/12/2021 Architecture: WINDOWS Score: 88 74 Antivirus detection for dropped file 2->74 76 Multi AV Scanner detection for submitted file 2->76 78 Tries to detect sandboxes and other dynamic analysis tools (window names) 2->78 80 2 other signatures 2->80 8 msiexec.exe 9 30 2->8         started        11 u1MJC1BE6.exe 6 8 2->11         started        15 q6h1ne7.exe 2 2->15         started        17 2 other processes 2->17 process3 dnsIp4 46 C:\Windows\Installer\MSI7ED5.tmp, PE32 8->46 dropped 48 C:\Windows\Installer\MSI7E09.tmp, PE32 8->48 dropped 50 C:\Windows\Installer\MSI7D0E.tmp, PE32 8->50 dropped 52 C:\Windows\Installer\MSI79F0.tmp, PE32 8->52 dropped 19 msiexec.exe 5 10 8->19         started        62 www.painelanalitico.net 11->62 64 painelanalitico.net 186.202.153.33, 443, 49747 LocawebServicosdeInternetSABR Brazil 11->64 66 6 other IPs or domains 11->66 54 C:\Users\user\AppData\Roaming\...\q6h1ne7.exe, PE32+ 11->54 dropped 56 C:\Users\user\AppData\...\imgengine.dll, PE32+ 11->56 dropped 58 C:\Users\user\AppData\...\sptdintf.dll, PE32+ 11->58 dropped 88 Query firmware table information (likely to detect VMs) 11->88 90 Hides threads from debuggers 11->90 92 Tries to detect sandboxes / dynamic malware analysis system (registry check) 11->92 24 cmd.exe 1 11->24         started        file5 signatures6 process7 dnsIp8 60 sunshopfush.net 177.153.55.100, 443, 49728 LocawebServicosdeInternetSABR Brazil 19->60 38 C:\ProgramData\6VDuAYM\u1MJC1BE6.exe (copy), PE32+ 19->38 dropped 40 C:\ProgramData\6VDuAYM\imgengine.dll, PE32+ 19->40 dropped 42 C:\ProgramData\6VDuAYM\sptdintf.dll, PE32+ 19->42 dropped 44 C:\...\Avira.SystrayStartTrigger.exe, PE32+ 19->44 dropped 82 Creates multiple autostart registry keys 19->82 26 powershell.exe 2 20 19->26         started        29 reg.exe 1 1 24->29         started        31 conhost.exe 24->31         started        file9 signatures10 process11 signatures12 84 Powershell creates an autostart link 26->84 33 u1MJC1BE6.exe 2 26->33         started        36 conhost.exe 26->36         started        86 Creates multiple autostart registry keys 29->86 process13 signatures14 68 Query firmware table information (likely to detect VMs) 33->68 70 Hides threads from debuggers 33->70 72 Tries to detect sandboxes / dynamic malware analysis system (registry check) 33->72
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4720f1157f89c7fd2e13f9d51533641bff6ef02746e038231ca56b7f96f3826a/
Threat name:
Script.Trojan.Ousaban
Create hunting rule
Status:
Malicious
First seen:
2021-12-15 09:15:14 UTC
File Type:
Binary (Archive)
Extracted files:
74
AV detection:
10 of 28 (35.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=i4qpcfl7rhd72lqt7hkrkm3edp7w54bhi3qdqiy4uvvx7fxtqjva._file
Verdict:
unknown
Similar samples:
080ee6c068e95db7a776793e167fb4bb9ad0efcb424a400ed3efe697400fc73a
Ousaban
0982c38ddad347ce0ff426106db78f3e51b723d7d90308a970ef43ef84fc8d75
Ousaban
4dd950fcdcd8483ec9346b4a5214931134975c439cf463daa3a0518cfc5db9a6
Ousaban
778c5c85b7aeb0db2367daa8d4e15869330801058c8ee5e9c77fd0c890ac5afc
Ousaban
93e582393fca866d1291b3852e63dbe2e7a1460e9e2ab3d750083f28f4d04e64
Ousaban
9645193a9c27dda91e226282f95aa9f41b71818cfbae43b8e056a77db19655fb
Ousaban
adee061b8f1a879027c5fdb183aba13d2893764ee92178a7e14ce57018ea1cc9
Ousaban
b6e4d99871249faefd2ed9dab5dd045d3d9ea13b4608262588eb157ddc312a68
Ousaban
dca23b9ad90a78b881238881159d43118072aa625e33ceb45d92ff59479bbb22
Ousaban
e6dff8475541ebddc1f0db47a311eb2c25581b7d5e62af8066d59c283114c2d3
Ousaban
+ 1'815 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion persistence themida trojan
Link:
https://tria.ge/reports/211215-k7w6eshba5/
Behaviour
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Drops startup file
Loads dropped DLL
Themida packer
Blocklisted process makes network request
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.28
Link:
https://yomi.yoroi.company/submissions/4720f1157f89c7fd2e13f9d51533641bff6ef02746e038231ca56b7f96f3826a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR
Rule name:SUSP_obfuscated_JS_obfuscatorio
Create hunting rule
Author:@imp0rtp3
Description:Detect JS obfuscation done by the js obfuscator (often malicious)
Reference:https://obfuscator.io

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/214236/

Comments