MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6965870fb19aee4b5ee86efc9ee4d23de7934bc59c9df173f4598bc129345955. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 6

Intelligence 6 IOCs YARA 1 File information Comments

SHA256 hash:	6965870fb19aee4b5ee86efc9ee4d23de7934bc59c9df173f4598bc129345955
SHA3-384 hash:	a5d0e829536aa5998272b59ec88d7c9545f99ee71d77b67dabf6899cc4faedc11fc233df596ba5752847a3e829a0dde6
SHA1 hash:	3a00822d64f00c74a472977b4fa4816002cc4a6a
MD5 hash:	47d8e01fddbeb5fa4f998e7f318968b2
humanhash:	artist-pluto-lima-winner
File name:	pix2021.TZNZPOYJNN.msi
Download:	download sample
File size:	2'875'392 bytes
First seen:	2021-11-22 17:29:18 UTC
Last seen:	Never
File type:	msi
MIME type:	application/x-msi
ssdeep	49152:ryjuY5AabfFIjKFiguez7buCnIrgmzu6kKWtMpL58ALkdyEKxSnzKxf5j2FVZzCp:jY5AabfAKFpu27Cbrg+kKWYF8/yEQSYv
Threatray	280 similar samples on MalwareBazaar
TLSH	T19FD5230531C41B36E5EE02B5A397D335A665F8705126C82BD2AA194E2DF27E0E3B33F5
Reporter	Anonymous
Tags:	msi

Intelligence

File Origin

# of uploads :

# of downloads :

102

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

SecuriteInfo.com.Trojan-Spy.Agent.22897.UNOFFICIAL

Sanesecurity.Malware.26863.JsHeur.UNOFFICIAL

PUA.Win.Packer.Upx-4

Sanesecurity.Shelter.Malware.BadMacro.PShell.UNOFFICIAL

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

powershell

Link:

https://www.filescan.io/uploads/619bd3a494a88037d2fec726/reports/392936e3-dab1-4768-8334-6f941213450e/overview

Result

Verdict:

UNKNOWN

Link:

https://labs.inquest.net/dfi/sha256/6965870fb19aee4b5ee86efc9ee4d23de7934bc59c9df173f4598bc129345955

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/894080

Signature

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/6965870fb19aee4b5ee86efc9ee4d23de7934bc59c9df173f4598bc129345955/

Threat name:

Script-JS.Downloader.BanLoad

Status:

Malicious

First seen:

2021-11-22 17:08:14 UTC

File Type:

Binary (Archive)

Extracted files:

935

AV detection:

12 of 28 (42.86%)

Threat level:

3/5

Verdict:

malicious

15f01cf888792f4f3c3124b6e65a615342c7c8b9788941947f8131f3786a499c

22bc517faf65eb9188a6e53d1e806f7314477d5c8e96839b73562c37b995a9a0

34d14ab08b41d288019d4966b337e5ee13d07cdb652dabf51834bac44c0052f8

8f983b92dea0643ef2b8411e5506def0c0235b1addd4daa9d13e59ff4f88a1ef

9f0d3b49b6eea3eff22dce2838b10e8e3b03c45f31212f8d26ae31cd576f1104

a2e91b7c66c941e2eb6ae1caff44906fec1b25153e036bd699708cf6204081e9

acd0ae8b296ee3fd7d01547b5220877770538fb76144b237f81377e3241726b3

acda9ae5a6c865eb3291e1bb7cc41e6b0f86a12e180c984a2f4fcb302505021b

c55d93f8c25e4ed3886cc125f129ded48bf781990a143cbe5996f38fd2ab7fc7

+ 270 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/211122-v25kqagecq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Enumerates connected drives

Loads dropped DLL

Blocklisted process makes network request

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/6965870fb19aee4b5ee86efc9ee4d23de7934bc59c9df173f4598bc129345955

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	suspicious_msi_file Create hunting rule
Author:	Johnk3r
Description:	Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Distributed via e-mail link

Cape

https://www.capesandbox.com/analysis/208300/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample