MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85ebf97dcbb2e76cbd13e32d74e1d2e6579c2e8b58b890c5ace477258ff88a36. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Magniber


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 85ebf97dcbb2e76cbd13e32d74e1d2e6579c2e8b58b890c5ace477258ff88a36
SHA3-384 hash: 2b84a10a6b6c2afc47ab5a231142540305c41be14c10ff29c9345b2845c325fdf317aa446ed6ee47cade4f7cf14d7383
SHA1 hash: f0801133006af62c451e3ad54af2cac3d6cebf07
MD5 hash: 982f5c63fdc533fc056eeb9148951cb2
humanhash: blue-september-tennessee-speaker
File name:Security.Upgrade.Win10.0-KB57868293.msi
Download: download sample
Signature Magniber
Create hunting rule
File size:10'469'376 bytes
First seen:2022-06-03 09:21:09 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 1536:BRGxQ+AamR7fr3zd9h1p2O8XoTYNwKqzbADs0Do7i:W8lr3Z9d89NA3p
Threatray 26 similar samples on MalwareBazaar
TLSH T11CB6D52195F3A6D7CA274E3BDE164BB24459ACA454309C26733B3BD0CA7CBB257A3107
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter Anonymous
Tags:Magniber msi Ransomware

Intelligence

File Origin
# of uploads :
1
# of downloads :
414
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/276472/
Detection(s):
Win.Ransomware.Lazy-9916758-0
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed packed ransomware
Link:
https://www.filescan.io/uploads/6299d298961acffe54447ba5/reports/de6f38f4-a3fe-4db2-9411-b3719cbb00f3/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/85ebf97dcbb2e76cbd13e32d74e1d2e6579c2e8b58b890c5ace477258ff88a36
Result
Threat name:
Magniber
Create hunting rule
Detection:
malicious
Classification:
rans.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1006195
Signature
Creates a thread in another existing process (thread injection)
Found ransom note / readme
Hijacks the control flow in another process
Injects code into the Windows Explorer (explorer.exe)
Modifies existing user documents (likely ransomware behavior)
Writes to foreign memory regions
Yara detected Magniber Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 638691 Sample: Security.Upgrade.Win10.0-KB... Startdate: 03/06/2022 Architecture: WINDOWS Score: 76 84 Found ransom note / readme 2->84 86 Yara detected Magniber Ransomware 2->86 10 msiexec.exe 71 29 2->10         started        13 msiexec.exe 3 2->13         started        process3 file4 78 C:\Windows\Installer\MSIA76F.tmp, PE32+ 10->78 dropped 15 msiexec.exe 10->15         started        process5 signatures6 90 Hijacks the control flow in another process 15->90 92 Injects code into the Windows Explorer (explorer.exe) 15->92 94 Writes to foreign memory regions 15->94 96 Creates a thread in another existing process (thread injection) 15->96 18 sihost.exe 3 15->18 injected 22 svchost.exe 2 15->22 injected 24 svchost.exe 15->24 injected 27 3 other processes 15->27 process7 dnsIp8 70 C:\Users\user\Downloads\README.html, HTML 18->70 dropped 72 C:\Users\user\Desktop\...\PIVFAGEAAV.docx, data 18->72 dropped 74 C:\Users\user\Desktop\...\PALRGUCVEH.xlsx, data 18->74 dropped 76 C:\Users\user\Desktop76VWZAPQSQL.xlsx, data 18->76 dropped 88 Modifies existing user documents (likely ransomware behavior) 18->88 29 cmd.exe 2 22->29         started        31 cmd.exe 22->31         started        33 regsvr32.exe 2 22->33         started        82 23.201.249.71, 443, 49691 AKAMAI-ASUS United States 24->82 35 cmd.exe 24->35         started        38 cmd.exe 24->38         started        40 regsvr32.exe 24->40         started        42 cmd.exe 27->42         started        44 regsvr32.exe 27->44         started        46 cmd.exe 27->46         started        file9 signatures10 process11 dnsIp12 48 fodhelper.exe 12 29->48         started        50 conhost.exe 29->50         started        56 2 other processes 29->56 52 fodhelper.exe 12 31->52         started        54 conhost.exe 31->54         started        58 2 other processes 31->58 80 192.168.2.1 unknown unknown 35->80 60 4 other processes 35->60 62 3 other processes 38->62 64 2 other processes 42->64 process13 process14 66 regsvr32.exe 48->66         started        68 regsvr32.exe 52->68         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/85ebf97dcbb2e76cbd13e32d74e1d2e6579c2e8b58b890c5ace477258ff88a36/
Threat name:
Win64.Ransomware.Magni
Create hunting rule
Status:
Malicious
First seen:
2022-06-03 09:22:23 UTC
File Type:
Binary (Archive)
Extracted files:
27
AV detection:
7 of 41 (17.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=qxv7s7olwltwzpit4mwxjyos4zlzylullc4jbrnm4r3sld7yri3a._file
Verdict:
malicious
Label(s):
ryuk
Create hunting rule
Similar samples:
19867586298dba124d760385b87a113884fb785c3e704d288cbdec73e3000fca
Magniber
2d66d454da7c8ebd868f48da12db6c073c058e9f86c4f0e5529c0358faec9c72
Magniber
33211a8202f4ad33f01cd90c6b1f51068a84ace5dd85a891efe5e6c210b0e7ef
Magniber
50e1387078955b69ab956d0f81e935ab6ac9c0260131dd4fa2d3199b681750ee
Magniber
81f5199c636f775f14895631f527553eb2b821773a273acf5c097c936ee656f3
Magniber
e0078d521cd66b4c5523dc73ae4e017c48fbb3de41422791a9f1db3ba1d9d07b
Magniber
e92dbe9e5f710da92e7aabffd68498168cd81a5b3145947015fd39e557545e32
Magniber
ebc429b949a17ab23f910e245a9797ecef53f823ebf130089b5fd2c115ea1d6d
Magniber
fa0b106a34cfe1dbdcc77d68cf57fc26de34ffeef74e3eef979e3cf4a5409a1f
Magniber
fb38ca9105614973ddaabc6ce76068be002a4b69a9f801e2cc5b962f84ffab7b
Magniber
+ 16 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220603-lbwqfsdhg4/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Enumerates connected drives
Loads dropped DLL
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/85ebf97dcbb2/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Magniber
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/85ebf97dcbb2e76cbd13e32d74e1d2e6579c2e8b58b890c5ace477258ff88a36

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/276472/

Comments