MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5aa44499656e987152e9c8529a5c1e26ea672f8891dfd2f7729312bbc13b0a71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5aa44499656e987152e9c8529a5c1e26ea672f8891dfd2f7729312bbc13b0a71
SHA3-384 hash: 0538553f0a899cd89100e23713b908946e675b4d1291f305d950126c114d2e884327c6423af151d564cb7d919ad5afe9
SHA1 hash: b95119612d2c0cb723a1af080f150aae3fe9d01b
MD5 hash: b6588f4ffbe85375104c32b4ba18dc7b
humanhash: september-three-failed-sixteen
File name:PO_2314.msi
Download: download sample
File size:2'605'056 bytes
First seen:2022-04-21 08:32:31 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:6pdSu3DxOyjE98C/z0/Vy1vWU26fx+gnPx95aDu2RdAhZvCIsplsh:6pBzxBG8szCyxY6fXPx9MDrMZhsch
TLSH T129C523A23AD4C136D29A013645BACB6636657C350725D4CFBBE0796CAE30AD3EC79343
TrID 98.2% (.MSI) Microsoft Windows Installer (454500/1/170)
1.7% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter TeamDreier
Tags:msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
179
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/265379/
Detection(s):
SecuriteInfo.com.W32.AIDetect.malware2.30375.32212.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
cmd.exe expand.exe fingerprint packed shell32.dll
Link:
https://www.filescan.io/uploads/626116c5eab80a7a6c524b09/reports/69b58a5f-7907-40dc-b835-e751f7f3ad3e/overview
Result
Verdict:
UNKNOWN
Link:
https://labs.inquest.net/dfi/sha256/5aa44499656e987152e9c8529a5c1e26ea672f8891dfd2f7729312bbc13b0a71
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/980544
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 613038 Sample: PO_2314.msi Startdate: 21/04/2022 Architecture: WINDOWS Score: 64 43 Multi AV Scanner detection for dropped file 2->43 45 Multi AV Scanner detection for submitted file 2->45 47 PE file has nameless sections 2->47 8 msiexec.exe 3 14 2->8         started        11 msiexec.exe 5 2->11         started        process3 file4 37 C:\Windows\Installer\MSI33EB.tmp, PE32 8->37 dropped 13 msiexec.exe 5 8->13         started        process5 process6 15 expand.exe 8 13->15         started        18 sXVD4TtTsoaoLjSU.exe 1 13->18         started        21 icacls.exe 1 13->21         started        23 2 other processes 13->23 file7 39 C:\Users\user\...\sXVD4TtTsoaoLjSU.exe (copy), PE32 15->39 dropped 41 C:\...\e5b1bbe69d6bed42831065eaa5b14d73.tmp, PE32 15->41 dropped 25 conhost.exe 15->25         started        49 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 18->49 27 WerFault.exe 23 9 18->27         started        29 conhost.exe 18->29         started        31 conhost.exe 21->31         started        33 conhost.exe 23->33         started        35 conhost.exe 23->35         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5aa44499656e987152e9c8529a5c1e26ea672f8891dfd2f7729312bbc13b0a71/
Threat name:
Binary.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-04-20 23:15:17 UTC
File Type:
Binary (Archive)
Extracted files:
37
AV detection:
6 of 41 (14.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lksejglfn2mhcuxjzbjjuxa6e3vgol4ishp5f53ssmjlxqj3bjyq._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery
Link:
https://tria.ge/reports/220421-kfwqksadfq/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Program crash
Drops file in Windows directory
Enumerates connected drives
Loads dropped DLL
Modifies file permissions
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.25
Link:
https://yomi.yoroi.company/submissions/5aa44499656e987152e9c8529a5c1e26ea672f8891dfd2f7729312bbc13b0a71

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Microsoft Software Installer (MSI) msi 5aa44499656e987152e9c8529a5c1e26ea672f8891dfd2f7729312bbc13b0a71

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/265379/

Comments