MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64ef1ad529910b2fcb07dc3064d79a688b6237cda97b68074cdab1ea2a3024c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 7



SHA256 hash: 64ef1ad529910b2fcb07dc3064d79a688b6237cda97b68074cdab1ea2a3024c6
SHA3-384 hash: 10a9009b01be630dd31d8ce88b34fb2606cf05ae45c58a6614855b7a9af20bac6fa09edf072f0b00eea6e26c1e86a3cc
SHA1 hash: 60dce95145ab22b64e73586cf52a8f2e2e8a2e2e
MD5 hash: d71f1c7acb3a6956566b882cad135f86
humanhash: table-idaho-pennsylvania-double
File name: Setup.msi
File size: 4'788'736 bytes
First seen: 2024-01-02 01:37:35 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep 49152:26QFBeWK9YwPhH9D+g5jvum36W547vM9kgMV3NSmzoDWM5LnbE53ChpP9gY0dB0l:2VmD+nmq3AW+mP0a9H23Xs6
TLSH T14F26BF217D9EC136E63F06319A59EA2B953D6DE20BB104EB73E4BC5A16709C25332F43
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter ajmeese7
Tags: msi signed
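The hashes, TrID and MIME lines above are what an analyst pivots on first: confirm the file on disk is the one the entry describes, and confirm it really is an OLE2 compound document (an .msi is a CFB container; the maldoc_OLE_file_magic_number YARA rule listed further down keys on the same 8-byte magic). The following Python is an added example, not MalwareBazaar code: it computes the four digests shown on this page, compares them to the listed IOCs, and parses the MS-CFB header with stdlib only. The header produced by build_sample_header() is a constructed, minimal OLE2 header used as test input; it is not the real Setup.msi.

```python
"""Triage helper for an MSI sample: compute the hashes MalwareBazaar lists
(MD5, SHA1, SHA256, SHA3-384) and confirm the file really is an OLE2
compound document, which is what the TrID and MIME lines claim for Setup.msi.

Added example, not MalwareBazaar code. build_sample_header() returns a
constructed, minimal OLE2 header used as test input; it is not the real sample.
"""
import hashlib
import struct

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN = 0xFFFFFFFE
FREESECT = 0xFFFFFFFF

# Hashes of Setup.msi as listed on the MalwareBazaar page.
KNOWN_IOCS = {
    "md5": "d71f1c7acb3a6956566b882cad135f86",
    "sha1": "60dce95145ab22b64e73586cf52a8f2e2e8a2e2e",
    "sha256": "64ef1ad529910b2fcb07dc3064d79a688b6237cda97b68074cdab1ea2a3024c6",
    "sha3_384": "10a9009b01be630dd31d8ce88b34fb2606cf05ae45c58a6614855b7a9af20bac6fa09edf072f0b00eea6e26c1e86a3cc",
}


def hash_sample(data: bytes) -> dict:
    """Return the four digests MalwareBazaar shows, hex-encoded."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "sha3_384": hashlib.sha3_384(data).hexdigest(),
    }


def matches_known_ioc(data: bytes) -> bool:
    """True if any digest of `data` equals one of the page's listed hashes."""
    digests = hash_sample(data)
    return any(digests[name] == value for name, value in KNOWN_IOCS.items())


# MS-CFB header: the first 76 bytes of the 512-byte header sector, little-endian.
_HEADER = struct.Struct("<8s16sHHHHH6sIIIIIIIII")


def parse_ole2_header(data: bytes) -> dict:
    """Parse and sanity-check the compound-file header.

    Raises ValueError for anything that is not a well-formed OLE2 container,
    so a renamed PE or a ZIP posing as .msi is rejected before any further
    parsing is attempted.
    """
    if len(data) < 512:
        raise ValueError("shorter than one OLE2 header sector")
    (sig, _clsid, _minor, major, byte_order, sector_shift, mini_shift, _res,
     _n_dir_sectors, n_fat_sectors, first_dir_sector, _txn, mini_cutoff,
     _first_minifat, n_minifat, _first_difat, n_difat) = _HEADER.unpack_from(data)
    if sig != OLE2_MAGIC:
        raise ValueError("bad OLE2 signature")
    if byte_order != 0xFFFE:
        raise ValueError("unexpected byte-order mark")
    if (major, sector_shift) not in ((3, 9), (4, 12)):
        raise ValueError(f"version/sector-shift mismatch: v{major}, shift {sector_shift}")
    if mini_shift != 6 or mini_cutoff != 0x1000:
        raise ValueError("non-standard mini-stream parameters")
    return {
        "version": major,
        "sector_size": 1 << sector_shift,
        "fat_sectors": n_fat_sectors,
        "first_directory_sector": first_dir_sector,
        "minifat_sectors": n_minifat,
        "difat_sectors": n_difat,
    }


def is_ole2(data: bytes) -> bool:
    """Convenience wrapper: does the blob pass the header checks?"""
    try:
        parse_ole2_header(data)
    except ValueError:
        return False
    return True


def build_sample_header(version: int = 3) -> bytes:
    """Constructed test input (not the real sample): a bare header with one
    FAT sector at sector 0 and the directory at sector 1."""
    shift = 9 if version == 3 else 12
    header = _HEADER.pack(
        OLE2_MAGIC, b"\0" * 16, 0x3E, version, 0xFFFE, shift, 6, b"\0" * 6,
        0, 1, 1, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0,
    )
    # DIFAT: first entry points at FAT sector 0, the remaining 108 are free.
    difat = struct.pack("<I", 0) + struct.pack("<I", FREESECT) * 108
    return (header + difat).ljust(1 << shift, b"\0")


if __name__ == "__main__":
    sample = build_sample_header()
    print(parse_ole2_header(sample))
    print("matches MalwareBazaar IOCs:", matches_known_ioc(sample))
```

Run it against the real file by reading the bytes and calling hash_sample() and parse_ole2_header(); the header checks are deliberately strict (version/sector-shift pairing, mini-stream parameters) because a loose magic-only test is what a renamed or polyglot file is built to pass.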

Code Signing Certificate

Organisation: Dragon Boss Solutions LLC
Issuer: GlobalSign GCC R45 CodeSigning CA 2020
Algorithm: sha256WithRSAEncryption
Valid from: 2023-12-04T15:11:35Z
Valid to: 2026-12-04T15:11:35Z
Serial number: 7375c0d80a6d42c30f864a9e
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint algorithm: SHA256
Thumbprint: ffcf7a0a63ae106ced1e6f36d6a7065427565c7e0d931a17a01df398b16351d9
Note: the certificate is inside its validity window until 2026-12-04, so an Authenticode check alone will accept this installer unless the certificate has since been revoked; pivot on the serial number or thumbprint when hunting or blocking rather than on the organisation name.
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 115
Origin country: US
Vendor Threat Intelligence
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: anti-vm control evasive fingerprint lolbin msiexec remote shell32
Result
Threat name: n/a
Detection: malicious
Classification: troj.spyw.expl.evad
Score: 96 / 100
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Contains functionality to detect sleep reduction / modifications
Downloads suspicious files via Chrome
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Suspicious execution chain found
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected MalDoc
Behaviour
Behavior Graph ID: 1368639
Sample: Setup.msi
Start date: 02/01/2024
Architecture: WINDOWS
Score: 96
Top-level domains/IPs: www.artificius.com; sni1gl.wpc.nucdn.net; 5 other IPs or domains
Top-level signatures: Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 3 other signatures
Process tree (indentation = parent/child):
  msiexec.exe (started)
    dropped: C:\...\ArtificiusUpdater.exe (PE32); C:\Windows\Installer\6c40d4.msi (Composite); C:\Windows\Installer\MSIC6B8.tmp (PE32); 11 other files (none is malicious)
    msiexec.exe (started)
      dropped: C:\Program Files (x86)\...\scr47EA.ps1 (Unicode); C:\Program Files (x86)\...\pss47FC.ps1 (Unicode)
      powershell.exe (started)
        signature: Tries to harvest and steal browser information (history, passwords, etc)
        chrome.exe (started)
          network: 192.168.2.5:443 (unknown); 239.255.255.250 (Reserved)
          signature: Suspicious execution chain found
          chrome.exe (started)
            network: www3.l.google.com 142.250.113.100:443 (GOOGLEUS, United States); accounts.google.com 142.250.113.84:443 (GOOGLEUS, United States); 3 other IPs or domains
        conhost.exe (started)
      powershell.exe (started)
        dropped: C:\Users\user\AppData\Local\...\Preferences (JSON)
        conhost.exe (started)
      powershell.exe (started)
        network: www.artificius.com 104.21.5.32:443 (CLOUDFLARENETUS, United States)
        signature: Powershell drops PE file
        conhost.exe (started)
      2 other processes
        msedge.exe (started)
          msedge.exe (started)
        conhost.exe (started)
        conhost.exe (started)
    msiexec.exe (started)
      dropped: C:\Users\user\AppData\Local\Temp\viewer.exe (PE32)
      signature: Bypasses PowerShell execution policy
    msiexec.exe (started)
      powershell.exe (started)
        dropped: C:\Users\user\AppData\Local\...\browser.data (PE32+)
        conhost.exe (started)
  msedge.exe (started)
    dropped: C:\Users\user\...\service_worker_bin_prod.js (ASCII); C:\Users\user\...\page_embed_script.js (ASCII); C:\Users\user\...\offscreendocument_main.js (ASCII); 6 other malicious files
    msedge.exe (started)
      network: 142.250.114.101:443 (GOOGLEUS, United States); googlehosted.l.googleusercontent.com 142.250.115.132:443 (GOOGLEUS, United States); 8 other IPs or domains
    msedge.exe (started)
  msiexec.exe (started)
    dropped: 11 other files (none is malicious)
  4 other processes
    network: artificiusbrowser.com 3.33.130.190:443 (AMAZONEXPANSIONGB, United States); 127.0.0.1 (unknown)
    chrome.exe (started)
    chrome.exe (started)
Verdict: unknown
Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Drops file in Program Files directory
Drops file in Windows directory
Drops file in System32 directory
Blocklisted process makes network request
Enumerates connected drives
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.
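The sandbox findings above describe one execution chain worth detecting on endpoints regardless of this particular sample: msiexec.exe writing .ps1 files under Program Files (x86), a PowerShell child of msiexec started with the execution policy bypassed, and that PowerShell process dropping a PE into a user-writable path. The following Python is an added example, not sandbox or MalwareBazaar code, showing that logic run over Sysmon-style process-create (Event ID 1) and file-create (Event ID 11) records. SAMPLE_EVENTS are constructed: the PIDs, command lines, the ExampleVendor directory and the optional `magic` field (first bytes of the created file, as some EDRs expose) are assumptions and not data from the real sample, whose command lines this page does not show.

```python
"""Detection logic for the execution chain in the sandbox report above:
Windows Installer (msiexec.exe) dropping .ps1 files under Program Files (x86),
a PowerShell child of msiexec started with the execution policy bypassed,
and that PowerShell process writing an executable into a user-writable path.

Added example, not sandbox or MalwareBazaar code. SAMPLE_EVENTS are
constructed Sysmon-style records (Event ID 1 = process create,
Event ID 11 = file create); PIDs, command lines, the ExampleVendor
directory and the optional `magic` field are assumptions.
"""
import ntpath
import re

# -ExecutionPolicy Bypass and its abbreviations (-ep, -ex, -exec, ...).
PS_BYPASS = re.compile(r"(?i)-(?:ep|ex\w*)\s+(?:bypass|unrestricted)")
INSTALLER_SCRIPT_DIRS = ("c:\\program files (x86)\\", "c:\\program files\\")
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\temp\\")


def image_name(path: str) -> str:
    """Case-folded basename; Windows paths are case-insensitive."""
    return ntpath.basename(path).lower()


def build_tree(events):
    """pid -> (image basename, parent pid), from process-create events."""
    tree = {}
    for ev in events:
        if ev["id"] == 1:
            tree[ev["pid"]] = (image_name(ev["image"]), ev["ppid"])
    return tree


def has_ancestor(tree, pid, name, max_depth=8):
    """Walk up the parent chain (bounded, in case PID reuse forms a loop)."""
    for _ in range(max_depth):
        entry = tree.get(pid)
        if entry is None:
            return False
        pid = entry[1]
        parent = tree.get(pid)
        if parent is not None and parent[0] == name:
            return True
    return False


def detect(events):
    """Return alerts for the three behaviours, in event order."""
    tree = build_tree(events)
    alerts = []
    for ev in events:
        image = image_name(ev["image"])
        if ev["id"] == 1 and image == "powershell.exe":
            cmd = ev.get("cmd", "")
            if PS_BYPASS.search(cmd) and has_ancestor(tree, ev["pid"], "msiexec.exe"):
                alerts.append({"rule": "msi_custom_action_ps_bypass", "pid": ev["pid"], "detail": cmd})
        elif ev["id"] == 11:
            target = ev["target"].lower()
            if image == "msiexec.exe" and target.endswith(".ps1") \
                    and target.startswith(INSTALLER_SCRIPT_DIRS):
                alerts.append({"rule": "msi_drops_ps1", "pid": ev["pid"], "detail": ev["target"]})
            # Extension alone is not enough: the report shows a PE32+ named browser.data.
            looks_pe = target.endswith((".exe", ".dll")) or ev.get("magic", b"")[:2] == b"MZ"
            if image == "powershell.exe" and looks_pe \
                    and any(d in target for d in USER_WRITABLE) \
                    and has_ancestor(tree, ev["pid"], "msiexec.exe"):
                alerts.append({"rule": "powershell_drops_pe", "pid": ev["pid"], "detail": ev["target"]})
    return alerts


PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
MSI64 = r"C:\Windows\System32\msiexec.exe"
MSI32 = r"C:\Windows\SysWOW64\msiexec.exe"

# Constructed events modelled on the report's process tree; not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 100, "ppid": 4, "image": MSI64, "cmd": "msiexec.exe /V"},
    {"id": 1, "pid": 220, "ppid": 100, "image": MSI32, "cmd": "MsiExec.exe -Embedding 0A1B2C3D"},
    {"id": 11, "pid": 220, "image": MSI32, "target": r"C:\Program Files (x86)\ExampleVendor\scr47EA.ps1"},
    {"id": 1, "pid": 330, "ppid": 220, "image": PS,
     "cmd": r'powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Program Files (x86)\ExampleVendor\scr47EA.ps1"'},
    {"id": 11, "pid": 330, "image": PS, "target": r"C:\Users\user\AppData\Local\Temp\viewer.exe"},
    {"id": 11, "pid": 330, "image": PS, "target": r"C:\Users\user\AppData\Local\ExampleVendor\browser.data", "magic": b"MZ\x90\x00"},
    # Benign control: an admin running a bypass script from Explorer, no msiexec ancestor.
    {"id": 1, "pid": 440, "ppid": 5, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"id": 1, "pid": 450, "ppid": 440, "image": PS, "cmd": r"powershell -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The ancestry requirement is what keeps the bypass rule from firing on ordinary admin scripts (the last constructed event): an execution-policy bypass by itself is common in legitimate tooling, but one launched from the installer service during an MSI custom action is the pattern the report above describes.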

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name:BitcoinAddress
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_LATAM_MSI_Banker
Rule name:maldoc_find_kernel32_base_method_1
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_OLE_file_magic_number
Author:Didier Stevens (https://DidierStevens.com)
Rule name:NET
Author:malware-lu
Rule name:suspicious_msi_file
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
File: Microsoft Software Installer (MSI) msi, SHA256 64ef1ad529910b2fcb07dc3064d79a688b6237cda97b68074cdab1ea2a3024c6 (this sample)
