MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5e2367c794d63afa3ca19321a703d3b1cc974bf8bfdbc26bf01b1b741a189de1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Banload


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5e2367c794d63afa3ca19321a703d3b1cc974bf8bfdbc26bf01b1b741a189de1
SHA3-384 hash: ea350b8f3801200ddea07dcf15a93d379abf447fd35953a056fd62f448945c0b055a3cfab04ca57ff8a49144e4f388e0
SHA1 hash: abdd392e513e7e5b51fe4d507a1612512279fb88
MD5 hash: 68d375c0d761ee856d4d76193a804ca4
humanhash: hotel-utah-charlie-wyoming
File name:P971fL2tkpuftg pozcqu.msi
Download: download sample
Signature Banload
Create hunting rule
File size:4'063'232 bytes
First seen:2022-04-06 17:03:25 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:JAY5AxIFrBvf/jMkQ0WWCowEUKIFrBvf/jMkQ0WWCowEUFIFrBvf/jMkQ0WWCowH:JbFrBv/QbWCoyFrBv/QbWCohFrBv/Qbw
Threatray 509 similar samples on MalwareBazaar
TLSH T1F816238BF586CB3FC1EB8B71656BD33680BAE138019355676364B40D7DE2280A3D71E6
Reporter pr0xylife
Tags:Banload msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
588
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/261463/
Detection(s):
SecuriteInfo.com.RDMK.cmRtazpKxKzi0pVLtXUmAmezzdjf.17904.UNOFFICIAL
Create hunting rule

ditekSHen.MALWARE.Win.Ransomware.Epsilon.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.JS.Obfus-679.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.JS.Obfus-1914.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
80%
Tags:
remote.exe shell32.dll
Link:
https://www.filescan.io/uploads/624dc810aa7e43c6a6c38aa8/reports/84927b8a-a061-42ed-9ca9-8350075eb3e8/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/5e2367c794d63afa3ca19321a703d3b1cc974bf8bfdbc26bf01b1b741a189de1
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/971703
Signature
May check the online IP address of the machine
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 604197 Sample: P971fL2tkpuftg pozcqu.msi Startdate: 06/04/2022 Architecture: WINDOWS Score: 52 28 www.photoonweb.com 2->28 30 www-google-analytics.l.google.com 2->30 32 12 other IPs or domains 2->32 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 May check the online IP address of the machine 2->38 9 msiexec.exe 3 6 2->9         started        12 msiexec.exe 2 2->12         started        signatures3 process4 file5 22 C:\Windows\Installer\MSI1A0B.tmp, PE32 9->22 dropped 24 C:\Windows\Installer\MSI16AF.tmp, PE32 9->24 dropped 14 msiexec.exe 1 5 9->14         started        process6 dnsIp7 34 ec2-44-202-229-15.compute-1.amazonaws.com 44.202.229.15, 49763, 80 AMAZON-AESUS United States 14->34 26 C:\Users\user\MSVidCtl\drvstore.exe, PE32 14->26 dropped 18 drvstore.exe 451 14->18         started        file8 process9 process10 20 conhost.exe 18->20         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5e2367c794d63afa3ca19321a703d3b1cc974bf8bfdbc26bf01b1b741a189de1/
Threat name:
Script-JS.Trojan.Bomber
Create hunting rule
Status:
Malicious
First seen:
2022-04-06 17:04:20 UTC
File Type:
Binary (Archive)
Extracted files:
563
AV detection:
8 of 42 (19.05%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lyrwpr4u2y5pupfbsmq2oa6twhgjos7yx7n4e27qdmnxigqytxqq._file
Verdict:
malicious
Similar samples:
1a31b1a45f4549fca08fa4a8ae0f4ee1120dae090cb624d203058093f8b6d0d2
Banload
1dc5c4d45bddb494f88e347f3edcd53d23ccbdbe7209de6d5f2a34b34f3f4e20
Banload
36bd5616fec9430c14a3b7c80af13d7ed24cf506e4e0a20cd6fd3e7d99221f16
Banload
4174273461be09741fa884000332f703451d3e487d37c78128018b224276d35f
Banload
4ed66ad6e2ca374221ed660177521dc2c4db9492a048c52410931b86a66cc837
Banload
6d14bb5ee2d7b2ecb28530324e7452a48476c79f7ded0a5727035d74744e5772
Banload
accb6b7f0cf949b35ce48fc284ab1b2c400cc1586f7643847583eba28084a86b
Banload
ce098e5045ee25cc93a219f3bbd1bcd3bcf949bcf09560ee898996c9753c0996
Banload
+ 499 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/220406-vk9hcaffa8/
Behaviour
Script User-Agent
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Enumerates connected drives
Loads dropped DLL
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/261463/

Comments