MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5426fab46234b122102d347c2d21f74fe47ce5fabc906d6b353e8c5c93fa430c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Magniber


Vendor detections: 8



SHA256 hash: 5426fab46234b122102d347c2d21f74fe47ce5fabc906d6b353e8c5c93fa430c
SHA3-384 hash: 1187f4b09bfc8f27a2e391161e94f8e577a2e9d978509a59fa49fde12cc163694f21d0e4935ab349a3c17d8b2f69d861
SHA1 hash: 6d44fbbb453b948c1708b1abc56a519454b04a97
MD5 hash: bd52ef8641f84cb1a418f192f86b4554
humanhash: wolfram-september-pasta-yellow
File name: Win10-11_System_Upgrade_Software.msi
Signature Magniber
File size: 98'304 bytes
First seen: 2022-05-12 06:04:39 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep 1536:rvce+gM9yCmiQO/JcL7PZZ73jHDhZ9BD7f7N77j/35NlDRPBLhHddHjzjF5DtDrY:rvcyMDBBLx
Threatray 44 similar samples on MalwareBazaar
TLSH T11EA35F7D7620ADE8C1BA633757EC9DB299316C6D0A919D0B2001734C397CC7B1B6CAB6
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter obfusor
Tags: Magniber msi Ransomware signed

Code Signing Certificate

Organisation: Foresee Consulting Inc.
Issuer: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm: sha256WithRSAEncryption
Valid from: 2021-11-24T00:00:00Z
Valid to: 2022-11-23T23:59:59Z
Serial number: 0bc0f18da36702e302db170d91dc9202
Intelligence: 37 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 904c0e30b8cb190bc90530f5c34f10394bebb4098701c0f2f6f1b33d3aab86a9
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads: 1
# of downloads: 323
Origin country: n/a
Vendor Threat Intelligence
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: rans.evad
Score: 80 / 100
Signature
Antivirus / Scanner detection for submitted sample
Creates a thread in another existing process (thread injection)
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph ID: 624885
Sample: Win10-11_System_Upgrade_Sof...
Start date: 12/05/2022
Architecture: WINDOWS
Score: 80
Signatures on the sample: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file
Process tree (from the behavior graph):
msiexec.exe (started)
  dropped: C:\Windows\Installer\MSI32D9.tmp (PE32+)
  msiexec.exe (started)
    dropped: C:\Users\user\Desktop\...\CURQNKVOIX.xlsx (data)
    dropped: C:\Users\user\Desktop\...\RAYHIWGKDI.pdf (data)
    dropped: C:\Users\user\Desktop\...\IKHQAIQAU.xlsx (data)
    dropped: 2 other files (none is malicious)
    signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Creates a thread in another existing process (thread injection); Modifies existing user documents (likely ransomware behavior)
    sihost.exe (injected)
      cmd.exe (started)
        fodhelper.exe (started)
          regsvr32.exe (started)
        conhost.exe (started)
      cmd.exe (started)
        fodhelper.exe (started)
          regsvr32.exe (started)
        conhost.exe (started)
      regsvr32.exe (started)
    svchost.exe (injected)
      cmd.exe (started)
        2 other processes
          regsvr32.exe (started)
      cmd.exe (started)
        2 other processes
          regsvr32.exe (started)
      regsvr32.exe (started)
    svchost.exe (injected)
      cmd.exe (started)
        fodhelper.exe (started)
          regsvr32.exe (started)
        conhost.exe (started)
      cmd.exe (started)
        2 other processes
          regsvr32.exe (started)
      regsvr32.exe (started)
msiexec.exe (started)
Threat name: Win64.Ransomware.Magniber
Status: Suspicious
First seen: 2022-05-03 22:30:46 UTC
File Type: Binary (Archive)
Extracted files: 26
AV detection: 16 of 41 (39.02%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Enumerates connected drives
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments