MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 76c73380cc4deb30cbfbe8a7fd551da5aba1150505fb5b0b66599e4ba491848b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


MetaStealer


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 76c73380cc4deb30cbfbe8a7fd551da5aba1150505fb5b0b66599e4ba491848b
SHA3-384 hash: a42feeb5a54c1a6836534a35e678238de26e8155f206e050bfb09915bc3c1049445d1425ca0fb643c2512c137ed34120
SHA1 hash: 6f9f722f4588d7151b0958a5fd80d7b249d68da2
MD5 hash: d3337f95ed0bd54713c4ec180a75559d
humanhash: hamper-kansas-purple-spaghetti
File name:install.msi
Download: download sample
Signature MetaStealer
Create hunting rule
File size:2'109'440 bytes
First seen:2022-12-02 15:03:12 UTC
Last seen:2022-12-02 16:32:42 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 24576:KtWcpVLSiybl1F5k5ZmaLpsac0vrwA34Iw/ntmCPXJZBJxaTzrTwHHk:ApdSik1F5oZmaLpjc0DwMgtrRJxQwHE
Threatray 89 similar samples on MalwareBazaar
TLSH T115A5CED13749C126CA5719358F67D79E172AFC91AE30B08737A0BB5E4B38AD3AD29301
TrID 98.2% (.MSI) Microsoft Windows Installer (454500/1/170)
1.7% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter r3dbU7z
Tags:metastealer msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/341926/
Detection(s):
SecuriteInfo.com.Trojan.Inject3.5737.10846.12973.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
expand.exe fingerprint packed shell32.dll
Link:
https://www.filescan.io/uploads/638a13e4f6e448d42df6e9a1/reports/18bfb81c-e471-4c69-9f2b-a15ada24a8a4/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/76c73380cc4deb30cbfbe8a7fd551da5aba1150505fb5b0b66599e4ba491848b
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1126584
Signature
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hides threads from debuggers
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has nameless sections
Performs DNS queries to domains with low reputation
Snort IDS alert for network traffic
Uses known network protocols on non-standard ports
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 759308 Sample: install.msi Startdate: 02/12/2022 Architecture: WINDOWS Score: 100 48 Snort IDS alert for network traffic 2->48 50 Antivirus detection for dropped file 2->50 52 Multi AV Scanner detection for dropped file 2->52 54 3 other signatures 2->54 8 msiexec.exe 3 10 2->8         started        11 msiexec.exe 5 2->11         started        process3 file4 34 C:\Windows\Installer\MSI5665.tmp, PE32 8->34 dropped 13 msiexec.exe 5 8->13         started        process5 process6 15 install.exe 1 13->15         started        20 expand.exe 8 13->20         started        22 icacls.exe 1 13->22         started        dnsIp7 36 uosqysascuwmqgyk.xyz 185.200.190.185, 1775, 49689, 49690 QRATORRU Russian Federation 15->36 38 192.168.2.1 unknown unknown 15->38 28 C:\Users\user\AppData\Local\...\hyper-v.xyz, PE32 15->28 dropped 40 Detected unpacking (changes PE section rights) 15->40 42 Performs DNS queries to domains with low reputation 15->42 44 Hides threads from debuggers 15->44 46 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 15->46 30 C:\Users\user\AppData\...\install.exe (copy), PE32 20->30 dropped 32 C:\...\c811bef4518b964e9170b98a30ba427f.tmp, PE32 20->32 dropped 24 conhost.exe 20->24         started        26 conhost.exe 22->26         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/76c73380cc4deb30cbfbe8a7fd551da5aba1150505fb5b0b66599e4ba491848b/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-12-02 15:05:26 UTC
File Type:
Binary (Archive)
Extracted files:
30
AV detection:
12 of 26 (46.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o3dthagmjxvtbs735ct72vi5uwv2cfifax5vwc3glgpexjerqsfq._file
Verdict:
malicious
Similar samples:
0c22e8ea0ba6fc4f77bd273a12dd319e991899499b4bea8422d146d447034505
MetaStealer
1b80ff02d64c454a3965d1c7ba536c5eca9e3c289301da557496f938c2a24a95
MetaStealer
1cc62bcf5d8ec1beb8d7414e95aac964b31d0fcdca01f5dabfbd979ba7f44ad9
MetaStealer
21189adcab0a08c3e27f1395b3e4a0af73e3430ad1c82219d3b9475aa46b8a66
MetaStealer
34915a0eded4e59cfd552ae7724e99584ec58f24b8a562fd90aa6dcb9397a019
MetaStealer
36e1e5608c15c5a1425e116d3e0c669622381f0cc70d9934218da802b707a27f
MetaStealer
5d4a8635a8bd54c96eb76c61ba879998437d96bc72557ef2be44183797e49149
MetaStealer
b140d23cad4bacb53d3dab6b15828129b51cbc77bb9ba0297bed5d5323b9781e
MetaStealer
+ 79 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/221202-sfmfxada3w/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Drops file in Windows directory
Enumerates connected drives
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.95
Link:
https://yomi.yoroi.company/submissions/76c73380cc4deb30cbfbe8a7fd551da5aba1150505fb5b0b66599e4ba491848b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

MetaStealer

Microsoft Software Installer (MSI) msi 76c73380cc4deb30cbfbe8a7fd551da5aba1150505fb5b0b66599e4ba491848b

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/341926/
  
URLhaus
https://urlhaus.abuse.ch/url/2442046/

Comments