MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f593ebd5dde6f4f802cd19efad768dbdb444a527f1e057a4b42fa9907fe42fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Metamorfo


Vendor detections: 8


Intelligence 8 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4f593ebd5dde6f4f802cd19efad768dbdb444a527f1e057a4b42fa9907fe42fe
SHA3-384 hash: 57d16639a757911979d5e80df0effb1147777492f2194b722f47b87ad4db1cb49b4a262c76e887044afe7c1d67f08cf6
SHA1 hash: a2016bd8700f4c9004be1b04680652cfe2a73957
MD5 hash: df4ba86eded3e2e4975a989d96c3ce6f
humanhash: early-louisiana-network-dakota
File name:BOLET0120923 (1).msi
Download: download sample
Signature Metamorfo
Create hunting rule
File size:540'160 bytes
First seen:2023-09-13 08:04:14 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 12288:MsdElY5AVTqp4nbTroPzfGXSjptsrYI21wlD:MsdElY5Awp4bTfXSjp2b
Threatray 6 similar samples on MalwareBazaar
TLSH T198B4E006B2D54B76E4D70372179F93628F72EC348772812B1289750E2EF1694B7A33E2
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter abuse_ch
Tags:MetaMorfo msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
116
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/448330/
Detection(s):
SecuriteInfo.com.Trojan-Spy.Agent.22897.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
lolbin remote shell32
Link:
https://www.filescan.io/uploads/65016d2f69c1cf3b6ab4b17e/reports/13708a48-3b76-4617-9365-5add801ac258/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/4f593ebd5dde6f4f802cd19efad768dbdb444a527f1e057a4b42fa9907fe42fe
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/4f593ebd5dde6f4f802cd19efad768dbdb444a527f1e057a4b42fa9907fe42fe
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
malicious
Classification:
expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1308321
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Antivirus detection for URL or domain
Hides threads from debuggers
Machine Learning detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Drops script at startup location
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1308321 Sample: BOLET0120923_(1).msi Startdate: 14/09/2023 Architecture: WINDOWS Score: 100 61 Antivirus detection for URL or domain 2->61 63 Antivirus detection for dropped file 2->63 65 Antivirus / Scanner detection for submitted sample 2->65 67 4 other signatures 2->67 8 msiexec.exe 8 30 2->8         started        11 cmd.exe 1 2->11         started        14 CDex.exe 2->14         started        16 2 other processes 2->16 process3 file4 49 C:\Windows\Installer\MSIB2D7.tmp, PE32 8->49 dropped 51 C:\Windows\Installer\MSIB249.tmp, PE32 8->51 dropped 53 C:\Windows\Installer\3bb140.msi, Composite 8->53 dropped 55 C:\Users\user\...\Application Signer.cmd, ASCII 8->55 dropped 18 msiexec.exe 3 23 8->18         started        71 Uses cmd line tools excessively to alter registry or file data 11->71 23 cmd.exe 1 11->23         started        25 cmd.exe 1 11->25         started        27 conhost.exe 11->27         started        signatures5 process6 dnsIp7 57 4.228.64.61, 49713, 80 LEVEL3US United States 18->57 41 C:\Users\Public\...\libsndfile-1.dll, PE32 18->41 dropped 43 C:\Users\Public\...\libmusicbrainz.dll, PE32 18->43 dropped 45 C:\Users\Public\...\cdrom_drive_offsets.txt, PE32 18->45 dropped 47 2 other malicious files 18->47 dropped 69 Uses cmd line tools excessively to alter registry or file data 18->69 29 CDex.exe 1 5 18->29         started        33 reg.exe 1 18->33         started        35 reg.exe 1 23->35         started        37 reg.exe 1 1 25->37         started        file8 signatures9 process10 dnsIp11 59 4.231.173.65 LEVEL3US United States 29->59 73 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 29->73 75 Tries to evade analysis by execution special instruction (VM detection) 29->75 77 Tries to detect virtualization through RDTSC time measurements 29->77 79 Hides threads from debuggers 29->79 39 conhost.exe 33->39         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4f593ebd5dde6f4f802cd19efad768dbdb444a527f1e057a4b42fa9907fe42fe/
Threat name:
Script-WScript.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2023-09-12 18:05:50 UTC
File Type:
Binary (Archive)
Extracted files:
83
AV detection:
11 of 23 (47.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=j5mt5pk53zxu7abm2gppvv3i3pnuisssp4pak6slil5jsb76il7a._file
Verdict:
malicious
Similar samples:
2f9a2ca3d7c8f4ce0393399a7688650c71636418ed1f8edd8a68d6c93b2f2d53
Metamorfo
439fba17d37f5fb43487decfd1743712861fc0067d98ff4171d41ca5a267648a
Metamorfo
47e29bd164cb2f1eeee561aadf21b399a768dbb14a8d616ff2d1c4e77d1f7ce9
Metamorfo
e4780a285befbc2419d74e2c3bcecffd0e128a8e1f8db367de072b37d59e942b
Metamorfo
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/230913-jyvqkaac9x/
Behaviour
Checks SCSI registry key(s)
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Enumerates connected drives
Drops startup file
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/4f593ebd5dde/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Disclosed_0day_POCs_payload_MSI
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects POC code from disclosed 0day hacktool set
Reference:Disclosed 0day Repos
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:metamorfo_msi
Create hunting rule
Author:jeFF0Falltrades
Description:This is a simple, albeit effective rule to detect most Metamorfo initial MSI payloads
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR
Rule name:win_unidentified_072_w0
Create hunting rule
Author:jeFF0Falltrades
Description:This is a simple, albeit effective rule to detect most Metamorfo initial MSI payloads

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Metamorfo

Microsoft Software Installer (MSI) msi 4f593ebd5dde6f4f802cd19efad768dbdb444a527f1e057a4b42fa9907fe42fe

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/448330/

Comments