MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 527316e33aec35e357264f36c2313be372a70f17f8551aa4b8f9e99619320cbe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Ousaban


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 527316e33aec35e357264f36c2313be372a70f17f8551aa4b8f9e99619320cbe
SHA3-384 hash: f28ddc83258a1cdea69a5847b5114af55dc148e2d7ca440ff520ccdaad5bb14814cbf6a68c5d237c3dcf727382abc4c6
SHA1 hash: fa9ff74bda081c02023980cea86fbfff461221cc
MD5 hash: 51f464325c2751dc9d945b9671b1e61f
humanhash: steak-cat-thirteen-oregon
File name:__Factura_26052022-UZISKTBWKICHIHVFNNMUPUPQEILBHW暝.msi
Download: download sample
Signature Ousaban
Create hunting rule
File size:5'832'704 bytes
First seen:2022-05-26 19:40:05 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:XO0+dsvAOjiIkkRF655V+QqGKfsS4ypwY1X6H6XLYDqNSBOQXssB5tnGYmA:X8dsvAOjiIkkRF65XGffYyaY1XcLcQXX
Threatray 26 similar samples on MalwareBazaar
TLSH T1A2468D16F280D13ED0A71A36993BD268993BBA712A26CC4B57F4494CCF396407A3F357
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter dodosec
Tags:banker msi ousaban


Avatar
dodo_sec
Malicious MSI downloaded from hxxps://spains2397.]s3.]sa-east-1.]amazonaws.]com/factura29038902380913280944.]html

Executes a downloader dll with export "sentanomeucolomuiesentalogo" to retrieve final malware payload

Intelligence

File Origin
# of uploads :
1
# of downloads :
426
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/274831/
Detection(s):
SecuriteInfo.com.Trojan.AgentSpy.68.19276.18114.UNOFFICIAL
Create hunting rule

PUA.Win.Packer.Exe-6
Create hunting rule

SecuriteInfo.com.Variant.Tedy.106451.32630.3793.UNOFFICIAL
Create hunting rule

Sanesecurity.Badmacro.Xls.credriv.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
control.exe expand.exe hacktool remote.exe replace.exe update.exe
Link:
https://www.filescan.io/uploads/628fd7d2abd125235082a983/reports/318bf70d-fa8f-4c98-8d4e-19f6e7ea0f10/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/527316e33aec35e357264f36c2313be372a70f17f8551aa4b8f9e99619320cbe
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
clean
Classification:
n/a
Score:
5 / 100
Link:
https://www.joesandbox.com/analysis/1002338
Behaviour
Behavior Graph:
n/a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/527316e33aec35e357264f36c2313be372a70f17f8551aa4b8f9e99619320cbe/
Threat name:
Win32.Trojan.Grandoreiro
Create hunting rule
Status:
Malicious
First seen:
2022-05-26 19:41:15 UTC
File Type:
Binary (Archive)
Extracted files:
121
AV detection:
20 of 26 (76.92%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kjzrnyz25q26gvzgj43memj34nzkodyx7bkrvjfy7huzmgjsbs7a._file
Verdict:
malicious
Similar samples:
0cffbd0a9a71d6dc4ccb63dbbfeef735b2c8bf9acdf1409f1cbdeed36ce0faf8
Ousaban
1116037d457d9126f16fc9529a4be482d374047f0e834614ae8292a631ed8aaa
Ousaban
91d59f63cc54cb23e9f711401b301975ca3d4bc8b2f44586427956dcd92abaa3
Ousaban
951c2f341e914601140aa9ead05895f6957d5cbfda80b81be99015d2be02d44f
Ousaban
9f27dace8e848c5957adb0686992fe7ce392cbc7f957116b13935d20e668f91b
Ousaban
b197522d218e972e8fe965032f47ec4e483b698709ac83640f1583feb5a67fb4
Ousaban
b9ed2e4b48b893d885a0c9a6763dda1ea19f63cbb5dc881186584d025f0b5531
Ousaban
c8c447eabc388282ef6ee8678cce4aa65557bf557a936109485648fd217baae8
Ousaban
d2205532e27cf8ae9dbc0a62fdf3fca598f5fa8f9cc948bec49df54b0b8a8cd6
Ousaban
e4a932eaaec97ff04b018060f31b800dbd9a56ca0ba2bbb300037be3c55ee507
Ousaban
+ 16 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220526-yd3m1aech6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Enumerates connected drives
Loads dropped DLL
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/527316e33aec/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.25
Link:
https://yomi.yoroi.company/submissions/527316e33aec35e357264f36c2313be372a70f17f8551aa4b8f9e99619320cbe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Ousaban

Microsoft Software Installer (MSI) msi 527316e33aec35e357264f36c2313be372a70f17f8551aa4b8f9e99619320cbe

(this sample)

Ousaban

zip 85098e8d120d40daabb52c95dc0d459445be1f5d5c87511fa7280f8b7e97fc93

Ousaban

DLL dll b411d82b8476a30fec88093470dc790817b9c20064b47ddb3726a9a9e78ba70f

  
Dropping
SHA256 b411d82b8476a30fec88093470dc790817b9c20064b47ddb3726a9a9e78ba70f
  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/274831/
  
Dropping
MD5 ff0f6e690642fdcdd8acafe3b09a179c

Comments