MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 53cacd3f0415f660597b5636056c0303fb9559ce5a8d9197930ef94c273be306. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	53cacd3f0415f660597b5636056c0303fb9559ce5a8d9197930ef94c273be306
SHA3-384 hash:	8a2bbf2db2c96938ae380fccc61e209829c723d7995e3526c359fb757f72e28d83d5b60285da82110fcbc29c44ca8b3e
SHA1 hash:	a2c9403bd3c9482cf666bfef2261e0625d1b5132
MD5 hash:	7c07a45d87cc4651a1fd84ec84a26305
humanhash:	vermont-comet-cola-speaker
File name:	4_2342234575679328584.msi
Download:	download sample
File size:	272'896 bytes
First seen:	2021-03-11 13:52:19 UTC
Last seen:	2021-03-11 14:51:38 UTC
File type:	msi
MIME type:	application/x-msi
ssdeep	3072:zTygYXkj7q0vTYDryO1nnlGwU6ij4qpXqnnDibAJBVkA96Y5AH3DyPL:z9ixGwTqp4nwEWY5AH3D
Threatray	29 similar samples on MalwareBazaar
TLSH	6A448D0672CB4779E8E60331579BC312DB76EC748223852B568A760E2DF1594F6A33F2
Reporter	JAMESWT_WT
Tags:	Loader spy Vadokrist

Intelligence

File Origin

# of uploads :

2

# of downloads :

172

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/123808/

Detection(s):

SecuriteInfo.com.Trojan-Spy.Agent.22897.UNOFFICIAL

MiscreantPunch.EvilMacro.XMLSPLICE.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/53cacd3f0415f660597b5636056c0303fb9559ce5a8d9197930ef94c273be306/

Threat name:

Document-HTML.Exploit.Heuristic

Status:

Malicious

First seen:

2021-03-11 12:03:06 UTC

File Type:

Binary (Archive)

Extracted files:

51

AV detection:

5 of 46 (10.87%)

Threat level:

2/5

Verdict:

malicious

Similar samples:

1324b9aeace50c4bce3210f3fb553dfab6a8bc3efef016b8d186ca3ebc2f0dc8

212301549b3dbfa54f2271e2b1a08b00017130ef63aa3efa4fd65f3d6cf20d5d

222e404e018c17e02a05cdf15699992894593b76b1372ec300981ddb38228cde

3c02cff7aa1784336ec96fce16cac267c812ce98ab6a7497c8b7f8c44c54a1e9

9f0d3b49b6eea3eff22dce2838b10e8e3b03c45f31212f8d26ae31cd576f1104

a4a2751f488947d451e6051a517e67f98b8c3ed75aae2ca6f3319ef3f2b797f9

acd0ae8b296ee3fd7d01547b5220877770538fb76144b237f81377e3241726b3

b171d7cebed4d9ba4e5a119286ad18d0a6460155dd2be2af522739f0549ca0c8

c55d93f8c25e4ed3886cc125f129ded48bf781990a143cbe5996f38fd2ab7fc7

f7be1623b907e2cc0475ac788eed965320bffc3ab084f74e249de9c46ecc5615

+ 19 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

bootkit macro persistence ransomware xlm

Link:

https://tria.ge/reports/210311-7flnh1jr92/

Behaviour

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Drops file in Program Files directory

Drops file in Windows directory

Adds Run key to start application

Enumerates connected drives

Loads dropped DLL

Blocklisted process makes network request

Modifies WinLogon to allow AutoLogon

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/53cacd3f0415f660597b5636056c0303fb9559ce5a8d9197930ef94c273be306

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/123808/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample