MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84abc28b1da1c2ddf01072fb2817eb446933ba98ecc0db2228281d6fcfadff0c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 9



SHA256 hash: 84abc28b1da1c2ddf01072fb2817eb446933ba98ecc0db2228281d6fcfadff0c
SHA3-384 hash: 2f665ca75738667974d39a888999a9e8e2e93c2837fa567bbd33ad13bf2c9f6233b8b0e319ee9c6bc47ff61f5f951cd2
SHA1 hash: da638840f3452d74b9118d6c60a5a6cf70b87901
MD5 hash: 829e5e01899cac6e4326893afbf5be82
humanhash: sierra-wolfram-pasta-twenty
File name: ONHQNHFT.msi
File size: 6'766'592 bytes
First seen: 2024-11-30 01:22:40 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 196608:0I1luWmYjbL+43RSnJaVBKQiEh4i4gO3MR26f:9pLbL+4tli+4hGJ
Threatray: 7 similar samples on MalwareBazaar
TLSH: T1D1663368F9B29178C7DF06326A333586851ACC5DC25AA1236396F78E24733379DBC05E
TrID: 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5); 11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: aachum
Tags: msi


iamaachum
https://pub-37d3986658af451c9d52bb9f482b3e2d.r2.dev/ONHQNHFT.msi

C2:
https://gakaroli.online/edward-gringhuis?n5f8dheaoxp1mi4y=REF0AMG0DYE07A1KJEKnDvfx5AkaGHK6z3%2FRLg4j8F7BB8jUOIO64N4TGWCKjeux

Intelligence


File Origin
# of uploads: 1
# of downloads: 79
Origin country: ES
Vendor Threat Intelligence
Verdict: Malicious
Score: 92.5%
Tags: shellcode virus gates
Result
Threat name: n/a
Detection: malicious
Classification: spyw.expl.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Writes to foreign memory regions
Yara detected UAC Bypass using CMSTP
Behaviour
Behavior Graph: ID 1565498, Sample: ONHQNHFT.msi, Startdate: 30/11/2024, Architecture: WINDOWS, Score: 100 (graph rendering omitted; it shows a process tree of msiexec.exe, IDRBackup.exe, cmd.exe, conhost.exe and comvalidate_ljv3.exe, the dropped files under C:\Users\user\AppData, and network contact with gakaroli.online)
Threat name: Binary.Trojan.Generic
Status: Suspicious
First seen: 2024-11-20 16:12:10 UTC
File Type: Binary (Archive)
Extracted files: 238
AV detection: 5 of 23 (21.74%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: collection discovery persistence privilege_escalation spyware stealer
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
outlook_office_path
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
Reads user/profile data of web browsers
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Enumerates connected drives
Reads WinSCP keys stored on the system
Verdict: Suspicious
Tags: n/a
YARA: n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Sus_Obf_Enc_Spoof_Hide_PE
Author: XiAnzheng
Description: Check for Overlay, Obfuscating, Encrypting, Spoofing, Hiding, or Entropy Technique (can create FP)

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Microsoft Software Installer (MSI) msi 84abc28b1da1c2ddf01072fb2817eb446933ba98ecc0db2228281d6fcfadff0c (this sample)

Delivery method: Distributed via web download

Comments