MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8260ba9c15375429324325b4aa599f320893da5d1cf5bd5b5944979cb0d91544. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8260ba9c15375429324325b4aa599f320893da5d1cf5bd5b5944979cb0d91544
SHA3-384 hash: 73493b910812ddeba44e2afb1bf91a3b6d06a0d50cbc2f0c114164ffd0d6f10b0be072ccba5ba7f43745cd956efbb7f1
SHA1 hash: 47df11bb9344b1f9c35bf48ea15f372893ce6c76
MD5 hash: 7a4aefa52bb4763417dded535705ad60
humanhash: nine-sad-beer-cup
File name:WinRAR_6.1.2_IIS.msi
Download: download sample
File size:2'339'328 bytes
First seen:2023-01-21 06:19:00 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:hi1PsJ6ma8zotlmfwrgxMy+y29IAan6DrJ4vLNgmUESIEjPMN2lv+oBUYwMV3eVb:SAfwrtye4veHjPMNaQYwMV39TA5
Threatray 88 similar samples on MalwareBazaar
TLSH T187B58C227986C232EA7F4330252ADB7B21F97EE0377344DB63C8592E0E715C15276E96
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter 1ZRR4H
Tags:DEV-0569 msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
CL CL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/355263/
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm evasive fingerprint greyware shell32.dll
Link:
https://www.filescan.io/uploads/63cb83d72d4f6d560e223461/reports/fbb09f14-5d61-42a0-a3c3-01e6ced2a3df/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/8260ba9c15375429324325b4aa599f320893da5d1cf5bd5b5944979cb0d91544
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
suspicious
Classification:
evad
Score:
21 / 100
Link:
https://www.joesandbox.com/analysis/1154832
Signature
Bypasses PowerShell execution policy
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 process2 2 Behavior Graph ID: 787561 Sample: WinRAR_6.1.2_IIS.msi Startdate: 19/01/2023 Architecture: WINDOWS Score: 21 7 msiexec.exe 3 14 2->7         started        10 msiexec.exe 12 2->10         started        file3 26 C:\Windows\Installer\MSIEF19.tmp, PE32 7->26 dropped 28 C:\Windows\Installer\MSIEDB0.tmp, PE32 7->28 dropped 30 C:\Windows\Installer\MSIECB5.tmp, PE32 7->30 dropped 32 C:\Windows\Installer\MSI4208.tmp, PE32 7->32 dropped 12 msiexec.exe 16 7->12         started        15 msiexec.exe 7->15         started        34 C:\Users\user\AppData\Local\...\MSIC388.tmp, PE32 10->34 dropped 36 C:\Users\user\AppData\Local\...\MSIC28D.tmp, PE32 10->36 dropped 38 C:\Users\user\AppData\Local\...\MSIC154.tmp, PE32 10->38 dropped 40 4 other files (none is malicious) 10->40 dropped process4 file5 42 C:\Users\user\AppData\Local\...\scrEF66.ps1, Unicode 12->42 dropped 44 C:\Users\user\AppData\Local\...\pssEF96.ps1, Unicode 12->44 dropped 18 powershell.exe 16 12->18         started        20 powershell.exe 3 12->20         started        46 Bypasses PowerShell execution policy 15->46 signatures6 process7 process8 22 conhost.exe 18->22         started        24 conhost.exe 20->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8260ba9c15375429324325b4aa599f320893da5d1cf5bd5b5944979cb0d91544/
Threat name:
Binary.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-01-17 22:20:22 UTC
File Type:
Binary (Archive)
Extracted files:
86
AV detection:
5 of 39 (12.82%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qjqlvhavg5kcsmsdew2kuwm7giejhws5dt232w2zislzzmgzcvca._file
Verdict:
unknown
Similar samples:
00b74733bcfeb9fbe6351f62fad0c9c2653ea90989461912d120f89472a262f1
27ec567e09d46bc9cf86e4ba699c893832403a698e414ced8b9af680c67cec2f
348a583651121ae324dc81391d1645e001b52e7433c0d2cbc9ef04f32d116b69
67d94aebea173f8c5bb4bed42f50897e4eb917ea3e180d0fa0aab811c932dc7a
94e18ec153544d5629b382446fb4689f26eb1260f1b3d0dd9cbaf12812dc6be4
980336b0ef128cf15b9a8e2e6c1a1d2218d7f12a62c34eb1aeafac47644fcdf0
a519aea7bbd70ca7c031db95b52bab0d6c416ae5038c12b3e66d85b84cf7652a
b2a09ad10595641bc731dd1ced0cb493d47663894ba57da9a941031d1a73ce8a
fa91996407e821400f962f248c576cacc2163f61fa12b1f21d4ad6fede3a010e
ff46fc75ad9f26aa82bb261feb5bc4c1b544764785c6a9cd79809cba6a01ec72
+ 78 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230121-g26wwsaf66/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates connected drives
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/8260ba9c15375429324325b4aa599f320893da5d1cf5bd5b5944979cb0d91544

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR
Rule name:SUSP_Websites
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference of suspicious sites that might be used to download further malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/355263/

Comments