MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 556b51b8c2e2516235372629d158d6a10e11e4fcbb8e4fa67a3f5a5a54846f08. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 6

Intelligence 6 IOCs YARA 6 File information Comments

SHA256 hash:	556b51b8c2e2516235372629d158d6a10e11e4fcbb8e4fa67a3f5a5a54846f08
SHA3-384 hash:	33005d258c65c24c2854756a2049f2f8ed9ef8f6a565ba2f258cc7e7aa0f86c75c15882357090016ee6ced1a2c01e1cd
SHA1 hash:	a5506ef0b0998abcb935633c8b1ebeddbc324769
MD5 hash:	daba6863275095fb07eece679c8bf098
humanhash:	shade-whiskey-tennessee-west
File name:	main.msi
Download:	download sample
File size:	1'565'184 bytes
First seen:	2023-09-22 16:21:56 UTC
Last seen:	Never
File type:	msi
MIME type:	application/x-msi
ssdeep	24576:QJcLlYOINVUuD6yS1wGbXpsHzCsalfLK/hVfAmDX8qrJrKPyVqmY1:vLlYO+UuD6ySaGbX+H9a9+hVfA4X84po
Threatray	17 similar samples on MalwareBazaar
TLSH	T1EF758C20769AC036D47E01B02E6DD7AB55397E700BB644EB63C86E2F1AB59C11332F67
TrID	80.0% (.MSI) Microsoft Windows Installer (454500/1/170) 10.7% (.MST) Windows SDK Setup Transform script (61000/1/5) 7.8% (.MSP) Windows Installer Patch (44509/10/5) 1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter	JAMESWT_WT
Tags:	3AC231FBAD7719E54A msi signed

Code Signing Certificate

Organisation:	Photo and Fax viewer
Issuer:	Photo and Fax viewer
Algorithm:	sha256WithRSAEncryption
Valid from:	2021-11-23T08:44:29Z
Valid to:	2022-11-23T09:04:29Z
Serial number:	555f20a01d9d01924ed7387ceac347b2
Intelligence:	2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	677c54f470101e83033e017e9f60bbf1b0f9a813cdf6b7bbaadc2bb1888bd415
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/450662/

Verdict:

No Threat

Threat level:

2/10

Confidence:

100%

Tags:

control greyware lolbin msiexec remote shell32

Link:

https://www.filescan.io/uploads/650dbf2bac6222a2be15450e/reports/20358be0-9e5f-4fb1-a29e-b5269fa3d96a/overview

Verdict:

Suspicious

Labled as:

Malware

Link:

https://www.hybrid-analysis.com/sample/556b51b8c2e2516235372629d158d6a10e11e4fcbb8e4fa67a3f5a5a54846f08

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/556b51b8c2e2516235372629d158d6a10e11e4fcbb8e4fa67a3f5a5a54846f08

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

n/a

Detection:

clean

Classification:

n/a

Score:

5 / 100

Link:

https://www.joesandbox.com/analysis/1313029

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/556b51b8c2e2516235372629d158d6a10e11e4fcbb8e4fa67a3f5a5a54846f08/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kvvvdogc4jiwenjxeyu5cwgwuehbdzh4xohe7jt2h5nfuveen4ea._file

Verdict:

unknown

28ee91abd2a0efefab3b2e95ffe2ffaecd7ca0cf2a5bc5bf56b6810ba32eafb4

2f78b3ec4ec0dbe5b189236717c91a040d62119dc06ab9bf70a3a1210ab00777

3a8a863262c6ec275713adb6a29131487d7986b375fafe4c797ef58b5c8f6d69

5428dbedf8e4476b2ba746ddbcde0b1104da52a4be9f64e4be0e95102fcc7f12

7f6a22cc0e0b5ee908e631cfd8b4d0a4613109b97c5df7cf91f755099330fc5c

b11f117050ba7d475909659b8b5364ca134942bddfc08dbabe3d4c013c1a137c

bec49d96f0b6db2ba056eb7402bcbd812296545ee6524761ea4c3bb16f5e0c47

ef1f9cd3dcf5046fa45acfb0b027952a440ce6634c04b35b63e38d51bac65649

f70b2a865bd89d510130072aa8036d8a4d19afda516a4b8124a14d833aa8f006

+ 7 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/230922-tt757sbb57/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Enumerates connected drives

Loads dropped DLL

Blocklisted process makes network request

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.55

Link:

https://yomi.yoroi.company/submissions/556b51b8c2e2516235372629d158d6a10e11e4fcbb8e4fa67a3f5a5a54846f08

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	DebuggerCheck__API Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	DebuggerCheck__QueryInfo Create hunting rule
Reference:	https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name:	maldoc_find_kernel32_base_method_1 Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	maldoc_OLE_file_magic_number Create hunting rule
Author:	Didier Stevens (https://DidierStevens.com)

Rule name:	MD5_Constants Create hunting rule
Author:	phoul (@phoul)
Description:	Look for MD5 constants

Rule name:	suspicious_msi_file Create hunting rule
Author:	Johnk3r
Description:	Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/450662/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample