MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77b07db364c5c3c48d3078785b9fe9a6f3e6b7fcb0fa7212b9b8b1ecc0a229b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 77b07db364c5c3c48d3078785b9fe9a6f3e6b7fcb0fa7212b9b8b1ecc0a229b1
SHA3-384 hash: ba8af33c13a15e516bdd10946abdbf73114a361ce76100c9c6704d764c7c98040454bdd3eb65c7da081e87f48dd3824e
SHA1 hash: 5b735653dcf025c668e4bbbd5d439eebfef8fcda
MD5 hash: 4dc2623c126508c02a4e19da2a7982b3
humanhash: pip-early-lactose-oranges
File name:file.msi
Download: download sample
File size:1'376'768 bytes
First seen:2023-04-14 05:54:40 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 24576:HK+xLNJYB4cW7LIJ1MXCOJ05YbswFbf2d7xLZrudqAcr:HK6JYZqbCOJ05Yb59+zLZrudqAc
Threatray 257 similar samples on MalwareBazaar
TLSH T1E055AE223386C233C96E02B01A2ADB5B5579FDB24B3554DBA3C82D2F9DB44C25739F52
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter abuse_ch
Tags:msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
73
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/382139/
Detection(s):
SecuriteInfo.com.Other.Malware-gen.17076.28622.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
83%
Tags:
dde msiexec.exe shell32.dll
Link:
https://www.filescan.io/uploads/6438eab80c9f1744b585f72d/reports/a8cb73e9-9657-4a7d-adfd-82df8f0f5524/overview
Verdict:
Malicious
Labled as:
TR/Dldr.Agent
Link:
https://www.hybrid-analysis.com/sample/77b07db364c5c3c48d3078785b9fe9a6f3e6b7fcb0fa7212b9b8b1ecc0a229b1
Result
Verdict:
SUSPICIOUS
Link:
https://labs.inquest.net/dfi/sha256/77b07db364c5c3c48d3078785b9fe9a6f3e6b7fcb0fa7212b9b8b1ecc0a229b1
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1213650
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Contain functionality to detect virtual machines
Drops executables to the windows directory (C:\Windows) and starts them
Hides threads from debuggers
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Query firmware table information (likely to detect VMs)
Suspicious powershell command line found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses shutdown.exe to shutdown or reboot the system
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 846575 Sample: file.msi Startdate: 14/04/2023 Architecture: WINDOWS Score: 100 49 propartys.app-urgencysac.website 2->49 51 choopegyrls.rolamentosgynonline.com 2->51 55 Multi AV Scanner detection for domain / URL 2->55 57 Antivirus detection for URL or domain 2->57 59 Antivirus detection for dropped file 2->59 61 6 other signatures 2->61 8 cmd.exe 1 2->8         started        11 msiexec.exe 14 35 2->11         started        14 WerFaultSecure5507  .exe 6 2->14         started        16 2 other processes 2->16 signatures3 process4 file5 67 Suspicious powershell command line found 8->67 69 Bypasses PowerShell execution policy 8->69 18 powershell.exe 27 35 8->18         started        23 conhost.exe 8->23         started        25 cmd.exe 1 8->25         started        41 C:\Windows\Installer\MSIFBF4.tmp, PE32 11->41 dropped 43 C:\Windows\Installer\MSIF8D3.tmp, PE32 11->43 dropped 45 C:\Windows\Installer\MSIF807.tmp, PE32 11->45 dropped 47 3 other files (2 malicious) 11->47 dropped 71 Drops executables to the windows directory (C:\Windows) and starts them 11->71 27 msiexec.exe 11->27         started        29 MSIFBF4.tmp 11->29         started        73 Query firmware table information (likely to detect VMs) 14->73 75 Hides threads from debuggers 14->75 77 Tries to detect sandboxes / dynamic malware analysis system (registry check) 14->77 signatures6 process7 dnsIp8 53 choopegyrls.rolamentosgynonline.com 173.82.57.120, 443, 49699, 49700 MULTA-ASN1US United States 18->53 33 C:\Users\...\WerFaultSecure5507...exe (copy), PE32 18->33 dropped 35 C:\Users\user\...\Thunderbo.dll (copy), PE32 18->35 dropped 37 C:\Users\user\AppData\Local\AMD64_\...\03, PE32 18->37 dropped 39 C:\Users\user\AppData\Local\AMD64_\...\01, PE32 18->39 dropped 63 Uses shutdown.exe to shutdown or reboot the system 18->63 65 Powershell drops PE file 18->65 31 shutdown.exe 1 18->31         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/77b07db364c5c3c48d3078785b9fe9a6f3e6b7fcb0fa7212b9b8b1ecc0a229b1/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=o6yh3m3eyxb4jdjqpb4fxh7ju3z6nn74wd5heevzxcy6zqfcfgyq._file
Verdict:
unknown
Similar samples:
04d87473c872231d983c1ba26e9c2d4e346d3853990a5746210dc74bfaccd833
24cd4865f03fcaa7b5e76245734a43309cae82e24843cd667ceb3c3d46aa3095
6c4cf7b175c499172b59d7f5f5ece3b6717345b6ea0b6e53d56b315516dd870e
7166dcc58ddaaa984ca15df83285a659443502c608c2290f3b4578b407e87d22
841572da329176a7f23da214406a8c5d19c4107206df3d83bfcd8dd6dc906ecf
8a5a24a29f6dd98600724e6e19abf0ee2be65260233fabdcf35a01c61b981f11
9fc52a3f3062b09ef6fe25ceeead5bcf3f80c712e8468fe887a57fbe19884b2c
c63c78a081a78186d21c5df2a302b9f49fe35f85339692a1d8972a10dbabe042
da7f9295ea96e5490723111c7aeb2263f724a550e4780b91af918b63d8c9ffbf
fad1b92b67d6509a5d114b43395bd428b8fff6b827198083f1abc801a9c78525
+ 247 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/230414-gmfq6ahh7s/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Drops file in Windows directory
Adds Run key to start application
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/77b07db364c5c3c48d3078785b9fe9a6f3e6b7fcb0fa7212b9b8b1ecc0a229b1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Microsoft Software Installer (MSI) msi 77b07db364c5c3c48d3078785b9fe9a6f3e6b7fcb0fa7212b9b8b1ecc0a229b1

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/382139/

Comments