MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5428dbedf8e4476b2ba746ddbcde0b1104da52a4be9f64e4be0e95102fcc7f12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 5



SHA256 hash: 5428dbedf8e4476b2ba746ddbcde0b1104da52a4be9f64e4be0e95102fcc7f12
SHA3-384 hash: 2d2abac787a0e9d2fa3269e15292ba1cb198079ae12ddddf3e4a3383dc70452440aea3cf68ebd538574c6c212f8f89a1
SHA1 hash: e8dbec7dac0dabc537a6018d4a5f33577e22c179
MD5 hash: f40db283c4ac790b963ee6fff60777e2
humanhash: lion-kansas-michigan-robin
File name: andreblau.msi
File size: 2'655'232 bytes
First seen: 2021-11-26 15:06:32 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 49152:IR9YBoTjQgDA4NL1kYBqZVhQAeQliQggstwBjKBR1lZZz9xnvjkLYtRNgiDYFGJS:QYn4NLeYcSAprBjKjvXDQi7rGHaZ2G
Threatray: 31 similar samples on MalwareBazaar
TLSH: T1F2C5AE2239C6C532E97E41306969EB7A56FD7EB00B7284DB63D85A2E1E705C14332F63
Reporter: rodrigopol
Tags: msi

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 119
Origin country: n/a

Vendor Threat Intelligence
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 80%
Tags: anti-vm evasive fingerprint powershell
Result
Verdict: SUSPICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 84 / 100
Signatures:
Bypasses PowerShell execution policy
Command shell drops VBS files
Contains functionality to create processes via WMI
Creates files in alternative data streams (ADS)
Creates multiple autostart registry keys
Creates processes via WMI
Obfuscated command line found
Powershell drops PE file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Change PowerShell Policies to a Unsecure Level
Sigma detected: Suspicious Script Execution From Temp Folder
Behaviour
Behavior Graph: ID 529298, sample andreblau.msi, start date 26/11/2021, architecture WINDOWS, score 84 (graph rendering not reproduced here)
Result
Malware family: n/a
Score: 8/10
Tags: macro persistence xlm
Behaviour
NTFS ADS
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in System32 directory
Adds Run key to start application
Enumerates connected drives
Looks up external IP address via web service
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
Suspicious Office macro
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: suspicious_msi_file
Author: Johnk3r
Description: Detects common strings, DLL and API in Banker_BR

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments