MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5891f1e63bc47a21f3df375098ed5e1d52260da8b8b2131ef9cbdee718b8d756. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 6

SHA256 hash: 5891f1e63bc47a21f3df375098ed5e1d52260da8b8b2131ef9cbdee718b8d756
SHA3-384 hash: e261dd0a94d1c17632471a6a9b1d96d93dd5d2b74f1653ec81b539ff6580fb3f4fe678990e4391400b27a700f25306c0
SHA1 hash: 5d6dd6933f00e353cfdc7acc5c8912b8e18883ef
MD5 hash: 3602097cf5cba3137189204a48486e33
humanhash: lion-louisiana-summer-colorado
File name: ExodusSetup.msi
File size: 7'422'976 bytes
First seen: 2022-12-28 10:49:20 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 98304:lYKMV396ADAfwrtyc4veHjPMNa5tnFGKgfs+GaxWF+7sEsq+VDt+O/aidMw7K7xi:Qy9eH9536sEn7IVYO/aTh7jx/8pQe
Threatray: 287 similar samples on MalwareBazaar
TLSH: T1997601227586C236EA7F43302969DB3A51F97EE03B7344DB63D8992E1E309C14271F66
TrID:
  80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
  10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
  7.8% (.MSP) Windows Installer Patch (44509/10/5)
  1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter: Anonymous
Tags: msi

Intelligence


File Origin
Number of uploads: 1
Number of downloads: 88
Origin country: GB
Vendor Threat Intelligence
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm evasive fingerprint shell32.dll

Result
Threat name: Unknown
Detection: suspicious
Classification: evad
Score: 30 / 100
Signature
Bypasses PowerShell execution policy
Behaviour
Behavior Graph (text rendering of the sandbox graph; ID 774776, sample ExodusSetup.msi, start date 28/12/2022, architecture WINDOWS, score 30):
- The sample starts two msiexec.exe instances.
- First msiexec.exe: drops C:\Windows\Installer\MSIE4BC.tmp, C:\Windows\Installer\MSIE22A.tmp and C:\Windows\Installer\MSIE092.tmp (all PE32); starts two further msiexec.exe processes.
  - One child msiexec.exe drops C:\Users\user\AppData\Local\...\scrE547.ps1 and C:\Users\user\AppData\Local\...\pssE549.ps1 (Unicode) and starts powershell.exe.
  - The other child msiexec.exe carries the signature "Bypasses PowerShell execution policy".
  - powershell.exe: contacts huggingface.co (54.144.222.129, port 443, AMAZON-AES, United States) and 192.168.2.1 (unknown); starts conhost.exe.
- Second msiexec.exe: drops C:\Users\user\AppData\Local\...\MSI9874.tmp, C:\Users\user\AppData\Local\...\MSI97A8.tmp and C:\Users\user\AppData\Local\...\MSI96AD.tmp (all PE32) plus 4 other files (none is malicious).
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates connected drives
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: suspicious_msi_file
Author: Johnk3r
Description: Detects common strings, DLL and API in Banker_BR

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments