MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 724b3381d26ed8a633bbe8a2483fbe5a4dd1b66b04a2d84bbbb6179f4dac8146. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Magniber

Vendor detections: 6



SHA256 hash: 724b3381d26ed8a633bbe8a2483fbe5a4dd1b66b04a2d84bbbb6179f4dac8146
SHA3-384 hash: a3174a179611816f6e74a9029af77c20ec1d605aa5c8eb16651b6a3ca4df3581be6521703febac5c39e8c4447209e81f
SHA1 hash: 6148bb7c88779e7063c1a282379c0122e0c78c62
MD5 hash: aa129b811cb2fd36f60caa9bfbbdf73c
humanhash: floor-fruit-lactose-oklahoma
File name: 6148BB7C88779E7063C1A282379C0122E0C78C62.msi
Signature: Magniber
File size: 12'333'056 bytes
First seen: 2022-06-01 13:18:15 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 6144:tLRTlV2trJ8NxbvhDtNLhNNHNjbxxzH1hPVh1FjbxtltFPlf99tTdPfHt9rHBHxB:pwrJQ
Threatray: 58 similar samples on MalwareBazaar
TLSH: T1B3C68211B1A62FADCADB3D7B94659FA08118DCB0714CD43633F97B04D6B362D09F2A92
TrID: 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
      11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter: obfusor
Tags: Magniber msi Ransomware

Intelligence


File Origin
# of uploads: 1
# of downloads: 395
Origin country: n/a
Vendor Threat Intelligence
Result
Threat name: Unknown
Detection: malicious
Classification: rans.evad
Score: 92 / 100
Signature
Creates a thread in another existing process (thread injection)
Creates files inside the volume driver (system volume information)
Deletes shadow drive data (may be related to ransomware)
Deletes the backup plan of Windows
Maps a DLL or memory area into another process
May disable shadow drive data (uses vssadmin)
Modifies existing user documents (likely ransomware behavior)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses bcdedit to modify the Windows boot settings
Behaviour
Behavior Graph ID: 637582
Sample: U92eXqrjTa.msi
Start date: 01/06/2022
Architecture: WINDOWS
Score: 92
Process tree recovered from the behavior graph rendering (the graph image itself is not available here):
- Sample start: msiexec.exe, wbengine.exe, a second msiexec.exe and 2 other processes. Signatures at this level: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Deletes shadow drive data (may be related to ransomware).
- msiexec.exe drops C:\Windows\Installer\MSI9157.tmp (PE32+) and starts a child msiexec.exe.
- wbengine.exe: Creates files inside the volume driver (system volume information).
- Child msiexec.exe drops QNCYCDFIJJ.pdf, EBFQQYWPS.docx and EBFQQYWPS.pdf (data) under C:\Users\user\Desktop\... (paths truncated in the graph) plus 3 other files (none is malicious). Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Creates a thread in another existing process (thread injection); Modifies existing user documents (likely ransomware behavior). It injects into svchost.exe, sihost.exe and a second svchost.exe.
- Each injected svchost.exe / sihost.exe process starts two cmd.exe instances and one regsvr32.exe. The regsvr32.exe started from sihost.exe: May disable shadow drive data (uses vssadmin); Deletes shadow drive data (may be related to ransomware); Uses bcdedit to modify the Windows boot settings; Deletes the backup plan of Windows.
- The cmd.exe instances start fodhelper.exe and conhost.exe (plus several other processes); one fodhelper.exe contacts 192.168.2.1 (unknown).
- The fodhelper.exe instances start regsvr32.exe. That regsvr32.exe: May disable shadow drive data (uses vssadmin); Deletes shadow drive data (may be related to ransomware); Uses bcdedit to modify the Windows boot settings; Deletes the backup plan of Windows. It starts vssadmin.exe, two bcdedit.exe instances and 2 other processes, each with its own conhost.exe.
Threat name: Win32.Ransomware.Magni
Status: Malicious
First seen: 2022-05-20 11:22:47 UTC
File Type: Binary (Archive)
Extracted files: 27
AV detection: 14 of 40 (35.00%)
Threat level: 5/5
Result
Malware family: n/a
Score: 9/10
Tags: evasion persistence ransomware
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Interacts with shadow copies
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Enumerates connected drives
Loads dropped DLL
Deletes System State backups
Deletes backup catalog
Modifies extensions of user files
Deletes shadow copies
Modifies boot configuration data using bcdedit
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments