MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52b5dfef18f8d33b23f49435084aade5146a8e7096801ad9526b731d374a6c6f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Metamorfo


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 52b5dfef18f8d33b23f49435084aade5146a8e7096801ad9526b731d374a6c6f
SHA3-384 hash: d5be37e97c7696770519f1cb41bbc402aacb5b55fcc66c34332ae6864605b13627422cc9daea2fbd3e3d8991f025526f
SHA1 hash: 37d50c37a5583fcb6c0459a8709c1f417d1232c4
MD5 hash: 22106c1e26e9e9f7df3461d70339f970
humanhash: three-london-golf-cold
File name:BL.373769.msi
Download: download sample
Signature Metamorfo
Create hunting rule
File size:2'863'616 bytes
First seen:2022-06-21 10:43:29 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:gkqbsANmYFMSaM+jwvU/PbOp4yvbfAZJH4crC+xjGuJc4Y6v4seZxe4q1/gqF:8bsA8Yv2wvU/PbOp4yzf0H1rMiVp4tez
TLSH T146D52303B7C48BB1E5DB02315A4FC32986765CA04662C917635E6B2D2DF3AB0A7B33D5
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter pr0xylife
Tags:MetaMorfo msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/281934/
Detection(s):
SecuriteInfo.com.Trojan-Spy.Agent.22897.UNOFFICIAL
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
shell32.dll
Link:
https://www.filescan.io/uploads/62b1a137d37f6643509045c8/reports/16ed79db-41a6-442a-a223-5f7409b55bab/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/52b5dfef18f8d33b23f49435084aade5146a8e7096801ad9526b731d374a6c6f
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1017006
Signature
Detected VMProtect packer
Drops PE files to the document folder of the user
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/52b5dfef18f8d33b23f49435084aade5146a8e7096801ad9526b731d374a6c6f/
Threat name:
Document-HTML.Downloader.SLoad
Create hunting rule
Status:
Malicious
First seen:
2022-06-21 10:44:31 UTC
File Type:
Binary (Archive)
Extracted files:
934
AV detection:
9 of 40 (22.50%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kk2573yy7djtwi7usq2qqsvn4ukgvdtqs2abvwksnnzr2n2knrxq._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence vmprotect
Link:
https://tria.ge/reports/220621-mss7bsdaep/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Adds Run key to start application
Enumerates connected drives
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
VMProtect packed file
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/52b5dfef18f8/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/52b5dfef18f8d33b23f49435084aade5146a8e7096801ad9526b731d374a6c6f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:exploit_any_poppopret
Create hunting rule
Author:Jeff White [karttoon@gmail.com] @noottrak
Description:Identify POP -> POP -> RET opcodes for quick ROP Gadget creation in target binaries.
Rule name:metamorfo_msi
Create hunting rule
Author:jeFF0Falltrades
Description:This is a simple, albeit effective rule to detect most Metamorfo initial MSI payloads
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR
Rule name:win_unidentified_072_w0
Create hunting rule
Author:jeFF0Falltrades
Description:This is a simple, albeit effective rule to detect most Metamorfo initial MSI payloads

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/281934/

Comments