MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 50e1387078955b69ab956d0f81e935ab6ac9c0260131dd4fa2d3199b681750ee. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Magniber

Vendor detections: 5

SHA256 hash: 50e1387078955b69ab956d0f81e935ab6ac9c0260131dd4fa2d3199b681750ee
SHA3-384 hash: 2f282c85a311f688a0c6f4122591f0b0006a0ae2600b913760146aed80a4cb76cca09bce8c4e1fca2d286fd12a8d5baa
SHA1 hash: 39427ea475e305e639ecf14984ffaf42c7442cfe
MD5 hash: f664bd350fe4de5d2d003daeb9b4fdf4
humanhash: chicken-oxygen-uniform-delta
File name: MS.System.Critical.Update.Win10.0-KB17753003.msi
Signature: Magniber
File size: 1'249'280 bytes
First seen: 2022-05-09 15:32:29 UTC
Last seen: 2022-06-01 13:25:27 UTC
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 1536:HfJj3ZhpUNmojx+HwSm8757B0Ds0Dw7bx:HIkKxzknx
Threatray: 43 similar samples on MalwareBazaar
TLSH: T151454E2A3A432381F5FE6570D4FB92214919DDF45D17B3292C4D3ACCCCBD8E5682AE68
TrID: 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5); 11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter: obfusor
Tags: Magniber msi Ransomware

Intelligence

File Origin
# of uploads: 3
# of downloads: 361
Origin country: n/a
Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: magniber packed packed ransomware wacatac

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: rans.evad
Score: 72 / 100
Signature:
Creates a thread in another existing process (thread injection)
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph ID: 622800; Sample: MS.System.Critical.Update.W...; Start date: 09/05/2022; Architecture: WINDOWS; Score: 72
[Behavior graph: msiexec.exe drops C:\Windows\Installer\MSI8E17.tmp (PE32+) and starts a child msiexec.exe, which drops modified user documents (.docx/.xlsx) under C:\Users\user\Desktop and C:\Users\user\Documents, triggers the thread-injection and document-modification signatures, and injects into svchost.exe and sihost.exe; those processes start cmd.exe and regsvr32.exe, cmd.exe starts fodhelper.exe and conhost.exe, and fodhelper.exe contacts 192.168.2.1 and starts regsvr32.exe.]
Threat name: Win64.Ransomware.Magni
Status: Malicious
First seen: 2022-05-09 15:33:07 UTC
File Type: Binary (Archive)
Extracted files: 26
AV detection: 5 of 41 (12.20%)
Threat level: 5/5

Result
Malware family: n/a
Score: 9/10
Tags: persistence ransomware
Behaviour:
Checks SCSI registry key(s)
Enumerates system info in registry
Interacts with shadow copies
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Enumerates connected drives
Loads dropped DLL
Modifies extensions of user files
Deletes shadow copies
Please note that we are no longer able to provide a coverage score for Virus Total.
