MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87a9a52901739befc81b1c7e9c9deec4222a8023ef8f4ee0068413f7e9076a54. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 87a9a52901739befc81b1c7e9c9deec4222a8023ef8f4ee0068413f7e9076a54
SHA3-384 hash: ff5f22e9657e6c932b5d9168ec314847d9c15f3a4490045d450598a2cf8609d3e4098609ac04c2f421b4270c9d96ee75
SHA1 hash: bad5da3f95d9e13af6baf9f03932443fcf12ca1f
MD5 hash: daec3088ec4a6a4d1c60859fbd1bb779
humanhash: one-nevada-ink-queen
File name:sample.msi
Download: download sample
File size:5'002'351 bytes
First seen:2023-01-26 13:10:45 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:oYUMV39xAlAfwrty24veHjPMNaWPlhkc/4ByWYcQ8l8zAPHEQ0BC77EMLN/:zP/eH9SPHel8zAMQ0BCEMLN/
Threatray 305 similar samples on MalwareBazaar
TLSH T18936E02279C6C633EA6F4334256ADB7B51F97AE0377380DB53D4852E0E719C08276E92
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter hamasho_sec
Tags:msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
JP JP
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/357102/
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm evasive fingerprint shell32.dll
Link:
https://www.filescan.io/uploads/63d27be689bd67c10fda6dab/reports/91003014-9d93-4c33-bc39-0cfaabd68c3d/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/87a9a52901739befc81b1c7e9c9deec4222a8023ef8f4ee0068413f7e9076a54
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/1159535
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Encrypted powershell cmdline option found
Multi AV Scanner detection for dropped file
Powershell drops PE file
Very long command line found
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 792272 Sample: sample.msi Startdate: 26/01/2023 Architecture: WINDOWS Score: 72 91 Antivirus detection for URL or domain 2->91 93 Multi AV Scanner detection for dropped file 2->93 11 msiexec.exe 3 15 2->11         started        14 msiexec.exe 12 2->14         started        16 svchost.exe 2->16         started        18 6 other processes 2->18 process3 file4 59 C:\Windows\Installer\MSID381.tmp, PE32 11->59 dropped 61 C:\Windows\Installer\MSIB260.tmp, PE32 11->61 dropped 63 C:\Windows\Installer\MSI358E.tmp, PE32 11->63 dropped 71 2 other malicious files 11->71 dropped 20 msiexec.exe 24 11->20         started        23 msiexec.exe 11->23         started        65 C:\Users\user\AppData\Local\Temp\MSIC5E.tmp, PE32 14->65 dropped 67 C:\Users\user\AppData\Local\Temp\MSIBFF.tmp, PE32 14->67 dropped 69 C:\Users\user\AppData\Local\Temp\MSIB62.tmp, PE32 14->69 dropped 73 4 other files (none is malicious) 14->73 dropped process5 file6 55 C:\Users\user\AppData\Local\...\scr35CA.ps1, Unicode 20->55 dropped 57 C:\Users\user\AppData\Local\...\pss35FB.ps1, Unicode 20->57 dropped 26 powershell.exe 15 15 20->26         started        30 powershell.exe 17 20->30         started        32 powershell.exe 18 20->32         started        95 Bypasses PowerShell execution policy 23->95 signatures7 process8 dnsIp9 89 81.177.6.46 RTCOMM-ASRU Russian Federation 26->89 97 Very long command line found 26->97 99 Encrypted powershell cmdline option found 26->99 34 powershell.exe 31 26->34         started        38 conhost.exe 26->38         started        101 Powershell drops PE file 30->101 40 conhost.exe 30->40         started        42 conhost.exe 32->42         started        signatures10 process11 dnsIp12 83 81.177.136.237 RTCOMM-ASRU Russian Federation 34->83 85 46.4.134.23 HETZNER-ASDE Germany 34->85 87 2 other IPs or domains 34->87 51 C:\Users\user\AppData\...\gpg4win-2.2.5.exe, PE32 34->51 dropped 53 C:\Users\user\AppData\Roaming53Sudo.exe, PE32+ 34->53 dropped 44 gpg4win-2.2.5.exe 34->44         started        file13 process14 file15 75 C:\Users\user\AppData\Local\...\g4wihelp.dll, PE32 44->75 dropped 77 C:\Users\user\AppData\Local\...\System.dll, PE32 44->77 dropped 79 C:\Program Files (x86)behaviorgraphNUbehaviorgraphnuPG\zlib1.dll, PE32 44->79 dropped 81 159 other files (none is malicious) 44->81 dropped 47 regsvr32.exe 44->47         started        process16 process17 49 regsvr32.exe 47->49         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/87a9a52901739befc81b1c7e9c9deec4222a8023ef8f4ee0068413f7e9076a54/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-01-26 00:01:03 UTC
File Type:
Binary (Archive)
Extracted files:
112
AV detection:
1 of 38 (2.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q6u2kkiboon67sa3dr7jzhpoyqrcvabd56hu5yagqqj7p2ihnjka._file
Verdict:
unknown
Similar samples:
1183f6e4d1f3b87746eb9864878083adf61e7661ec991eb9c563eaed8cea24ab
1b1aa08061f3e879248ffbacec5020b930c90ab08ce1b29544141423efe52e1f
5891f1e63bc47a21f3df375098ed5e1d52260da8b8b2131ef9cbdee718b8d756
5e0d8d9ae9094177d5d0c0626ab013a7e17155cf37171b63f70622758dc9a614
72a5b592e34ec6de2c053988a7ce3218ee2249aae192f3c2056ab51c17c86d5d
a47b9620bc4af6acd508e2c257b5b817ed2335685d593cb0becdab15ffda5147
a519aea7bbd70ca7c031db95b52bab0d6c416ae5038c12b3e66d85b84cf7652a
d5370c76769237e9d5200c66690ae6f34e1b785fc37dad57d72e839218d5fb58
dc2666c86b512a0b4455943b1275a628e2d4f64a45f20ff8ad3fc58f4ceda057
e2d20d55d2028393833af36dec30320b5b5419d1b3c223d62937f65470324a72
+ 295 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230126-qeyfnsfb41/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates connected drives
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/87a9a52901739befc81b1c7e9c9deec4222a8023ef8f4ee0068413f7e9076a54

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Microsoft Software Installer (MSI) msi 87a9a52901739befc81b1c7e9c9deec4222a8023ef8f4ee0068413f7e9076a54

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/357102/

Comments