MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 614c970bb776bad75d7b79488a591a5a9954cfd3835817246ce544ddb4a1fd83. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Metamorfo


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 614c970bb776bad75d7b79488a591a5a9954cfd3835817246ce544ddb4a1fd83
SHA3-384 hash: 7c47b55cdc97b0c535df2112c9405da32eaf2ddaa394703e13df899cb4d9c2c320809a752f8f35f339fa19a8250ea355
SHA1 hash: d9dfe18a29de5948845f135f45844bd68658b945
MD5 hash: b374d94b1056b98d603ebe65913fe349
humanhash: butter-mars-echo-lithium
File name:IM-vL5WWvBl.msi
Download: download sample
Signature Metamorfo
Create hunting rule
File size:6'064'640 bytes
First seen:2022-03-18 14:35:06 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:VjlqYJACPfhnrGyMcslQoJzy8Yd/dBTKiX3xLWUB/UQVlv1pFIHYbFsuQUZt2sCN:3Pf1GnruGy8GB7X3xLl/Tz/FIInxFxv
Threatray 10 similar samples on MalwareBazaar
TLSH T157562322338BC63BD96D42B0352A864B1469FCA3473180D7B3C92D1EEDF14D16A79F96
Reporter James_inthe_box
Tags:MetaMorfo msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
233
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/252660/
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
80%
Tags:
control.exe remote.exe shell32.dll update.exe
Link:
https://www.filescan.io/uploads/623498c1b94fb38cb4a3cb7b/reports/2d18a3aa-5637-4ab3-a587-4d31ab8b9ac4/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/614c970bb776bad75d7b79488a591a5a9954cfd3835817246ce544ddb4a1fd83
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
expl
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/959597
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Drops VBS files to the startup folder
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 592081 Sample: IM-vL5WWvBl.msi Startdate: 18/03/2022 Architecture: WINDOWS Score: 84 41 Antivirus detection for URL or domain 2->41 43 Antivirus detection for dropped file 2->43 45 Multi AV Scanner detection for dropped file 2->45 47 3 other signatures 2->47 7 msiexec.exe 14 34 2->7         started        10 wscript.exe 1 2->10         started        13 msiexec.exe 2 2->13         started        15 2 other processes 2->15 process3 dnsIp4 29 C:\Users\user\AppData\Roaming\...\Oleacc.dll, PE32 7->29 dropped 31 C:\Users\user\AppData\...\Corporativo.exe, PE32 7->31 dropped 33 C:\Windows\Installer\MSIDFFE.tmp, PE32 7->33 dropped 35 3 other files (none is malicious) 7->35 dropped 17 Corporativo.exe 1 4 7->17         started        21 msiexec.exe 7->21         started        39 192.168.2.1 unknown unknown 10->39 23 cmd.exe 1 10->23         started        file5 process6 dnsIp7 37 hotliksjfu.isa-hockeynut.com 52.161.4.23, 49759, 80 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 17->37 27 C:\Users\user\AppData\...\userawjosikaww.vbs, ASCII 17->27 dropped 25 conhost.exe 23->25         started        file8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/614c970bb776bad75d7b79488a591a5a9954cfd3835817246ce544ddb4a1fd83/
Threat name:
Win32.Infostealer.Javali
Create hunting rule
Status:
Malicious
First seen:
2022-03-18 14:34:26 UTC
File Type:
Binary (Archive)
Extracted files:
206
AV detection:
15 of 42 (35.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mfgjoc5xo25noxl3pfeiuwi2lkmvjt6tqnmbojdm4vcn3nfb7wbq._file
Verdict:
malicious
Similar samples:
00a4124e4de3e2f91baf77afabf890b3e03a071919ef064dac2ffd6942fdc6e0
Metamorfo
11c0198a743ba47db257ed5283cab6a4806c640bc99e334b8c36ed3b2d3e668a
Metamorfo
179859ab41c030d7c6cadb1ffdb8354accf409c94c3367a6d0a6ff6e28ed5a67
Metamorfo
28ee91abd2a0efefab3b2e95ffe2ffaecd7ca0cf2a5bc5bf56b6810ba32eafb4
Metamorfo
77d1c06b1f52455505ad8e1af3d2182c13682dda7bda13185879c4c4a4018d04
Metamorfo
78dedaf861e8a8b88b1419aebf37a74be707f531dce0804f970c70f372b2a247
Metamorfo
7dc07a2115fb8669f57cff0ca2f08e0363810467f6fa4982bbefe44ddf515a94
Metamorfo
aee732049a8e5aacf18d9b558e8fdeb099d0a4ea83249af1919aee9d6015d08e
Metamorfo
bbc131fda4a9d5d10d774f609a121390bb56456f358420db95d35ef9760acad9
Metamorfo
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/220318-rylfwsaed6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Adds Run key to start application
Enumerates connected drives
Drops startup file
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.34
Link:
https://yomi.yoroi.company/submissions/614c970bb776bad75d7b79488a591a5a9954cfd3835817246ce544ddb4a1fd83

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/252660/

Comments