MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77178a444840db24cd1398ba699419627ae1ab61bdecda746abd3dd415bccd44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Ousaban


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 77178a444840db24cd1398ba699419627ae1ab61bdecda746abd3dd415bccd44
SHA3-384 hash: 524764dcce8d831462fe21f0bbaef3492985f85cbcf8111f69c1e89ac37d836db2b518b9ccff363422ae7555b60f5f2f
SHA1 hash: 0614681917d21a1d06492583561643599d12d5ac
MD5 hash: d1c43bb1c9758eee8d2643731af9be7f
humanhash: happy-lion-pennsylvania-california
File name:encomendas010-5u44cr2luF.msi
Download: download sample
Signature Ousaban
Create hunting rule
File size:591'872 bytes
First seen:2021-12-18 12:51:41 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 12288:AnlHY5ATjJDJdQflxuOhr6IF3CP5pu1jLkHMt5Oz:AnpY5ATjJDJdMxuqjFt8
Threatray 3 similar samples on MalwareBazaar
TLSH T181C49E20B3CAC93BD2BB01702917D39B59687D2147B1D0DB62D86A8E1DF6DC1817BEB1
Reporter Anonymous
Tags:msi ousaban

Intelligence

File Origin
# of uploads :
1
# of downloads :
214
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/61bdd9764ab5c44cbf47d5e0/reports/78b79ea1-5562-466c-b93c-30009226b2ff/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/77178a444840db24cd1398ba699419627ae1ab61bdecda746abd3dd415bccd44
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/909524
Signature
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/77178a444840db24cd1398ba699419627ae1ab61bdecda746abd3dd415bccd44/
Threat name:
Script-JS.Downloader.BanLoad
Create hunting rule
Status:
Malicious
First seen:
2021-12-18 12:29:17 UTC
File Type:
Binary (Archive)
Extracted files:
74
AV detection:
11 of 27 (40.74%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o4lyurciidnsjtittc5gtfazmj5odk3bxxwnu5dkxu65ifn4zvca._file
Verdict:
unknown
Similar samples:
adee061b8f1a879027c5fdb183aba13d2893764ee92178a7e14ce57018ea1cc9
Ousaban
bfd12725c557e1a9992dccff4257290adec43be6315f68471af0d26c9fa662ad
Ousaban
f923c5ce0a44f73f86dbb04d02905e0e0068d675f6095680b41d904380800e17
Ousaban
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion persistence themida trojan
Link:
https://tria.ge/reports/211218-p3284afaf4/
Behaviour
Modifies system certificate store
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Checks whether UAC is enabled
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Checks BIOS information in registry
Drops startup file
Loads dropped DLL
Themida packer
Blocklisted process makes network request
Executes dropped EXE
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.28
Link:
https://yomi.yoroi.company/submissions/77178a444840db24cd1398ba699419627ae1ab61bdecda746abd3dd415bccd44

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR
Rule name:SUSP_obfuscated_JS_obfuscatorio
Create hunting rule
Author:@imp0rtp3
Description:Detect JS obfuscation done by the js obfuscator (often malicious)
Reference:https://obfuscator.io

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Ousaban

Microsoft Software Installer (MSI) msi 77178a444840db24cd1398ba699419627ae1ab61bdecda746abd3dd415bccd44

(this sample)

Executable exe 4563e5ab64572adb62bc0e4e6c472b4c6485c9e5af3aa40dc17d84170c442e82

  
Dropping
SHA256 4563e5ab64572adb62bc0e4e6c472b4c6485c9e5af3aa40dc17d84170c442e82
  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/214984/

Comments