MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8871032689da878e4d0460f41ad7321625ea872357abeef12de553762f0cca5b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8871032689da878e4d0460f41ad7321625ea872357abeef12de553762f0cca5b
SHA3-384 hash: a6504d4c7604ff9453a579a83f101854c840b00ab772bb225c866cabbce7ab0b835765b56df969b93239209154906fe7
SHA1 hash: e1b5ccd292fe0a203256ced2b57d84413f5d8ac5
MD5 hash: b4d145345b692fb5baba2c430baccbfe
humanhash: massachusetts-don-mexico-hotel
File name:ltroubvle_sib.msi
Download: download sample
File size:3'420'160 bytes
First seen:2023-01-03 22:10:02 UTC
Last seen:2023-01-03 23:28:10 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:EsvZFyZ1DrNZJsnSWHlvay7V1AISF39hcYeQzhKlFa:ESsZ1Dh3sSOlC+STFNhdz8
Threatray 674 similar samples on MalwareBazaar
TLSH T1DCF523203980C932C66A1432542BDA7617BDBEA05F31D9CF53853BBD4E70AD0467AE7B
TrID 86.8% (.MSI) Microsoft Windows Installer (454500/1/170)
11.6% (.MST) Windows SDK Setup Transform script (61000/1/5)
1.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter Anonymous
Tags:msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
91
Origin country :
US US
Vendor Threat Intelligence
Detection:
SoranoStealer
Create hunting rule
Link:
https://www.capesandbox.com/analysis/349256/
Detection(s):
PUA.Win.Packed.ConfuserEx-6582917-0
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
barys confuserex msiexec.exe packed
Link:
https://www.filescan.io/uploads/63b4a7bc40e878e304227a37/reports/31dea1fa-814b-4eeb-a644-87b00018b74f/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/8871032689da878e4d0460f41ad7321625ea872357abeef12de553762f0cca5b
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Hog Grabber
Create hunting rule
Detection:
malicious
Classification:
troj.evad.adwa
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1144815
Signature
Antivirus detection for dropped file
Disable Windows Defender real time protection (registry)
Disables Windows Defender (deletes autostart)
Drops PE files to the startup folder
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Opens the same file many times (likely Sandbox evasion)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses cmd line tools excessively to alter registry or file data
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected BrowsingHistoryView browser history reader tool
Yara detected Costura Assembly Loader
Yara detected Hog Grabber
Yara detected WebBrowserPassView password recovery tool
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 777545 Sample: ltroubvle_sib.msi Startdate: 03/01/2023 Architecture: WINDOWS Score: 100 77 Multi AV Scanner detection for domain / URL 2->77 79 Malicious sample detected (through community Yara rule) 2->79 81 Antivirus detection for dropped file 2->81 83 8 other signatures 2->83 11 msiexec.exe 77 30 2->11         started        14 Microsoft Update Manager8754686.exe 2->14         started        17 msiexec.exe 5 2->17         started        process3 file4 67 C:\Windows\Installer\MSI4C16.tmp, PE32 11->67 dropped 69 C:\Users\user\AppData\Local\...\ltroubvle.exe, PE32 11->69 dropped 19 msiexec.exe 11->19         started        111 Opens the same file many times (likely Sandbox evasion) 14->111 signatures5 process6 process7 21 ltroubvle.exe 6 19->21         started        file8 55 C:\...\Microsoft Update Manager8754686.exe, PE32 21->55 dropped 57 C:\Users\user\AppData\...\RtkBtManServ.exe, PE32 21->57 dropped 91 Antivirus detection for dropped file 21->91 93 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 21->93 95 Machine Learning detection for dropped file 21->95 97 Drops PE files to the startup folder 21->97 25 RtkBtManServ.exe 23 40 21->25         started        30 cmd.exe 1 21->30         started        32 cmd.exe 1 21->32         started        signatures9 process10 dnsIp11 71 api64.ipify.org 104.237.62.212, 443, 49696 WEBNXUS United States 25->71 73 162.159.128.233, 443, 49698 CLOUDFLARENETUS United States 25->73 75 2 other IPs or domains 25->75 59 C:\Users\user\AppData\Local\...\xwizard.exe, PE32 25->59 dropped 61 C:\Users\user\AppData\Local\...\winhlp32.exe, PE32 25->61 dropped 63 C:\Users\user\AppData\Local\...\snuvcdsm.exe, PE32 25->63 dropped 65 4 other files (1 malicious) 25->65 dropped 99 Antivirus detection for dropped file 25->99 101 Multi AV Scanner detection for dropped file 25->101 103 May check the online IP address of the machine 25->103 109 3 other signatures 25->109 34 wscript.exe 25->34         started        105 Uses cmd line tools excessively to alter registry or file data 30->105 107 Uses schtasks.exe or at.exe to add and modify task schedules 30->107 36 reg.exe 1 30->36         started        39 reg.exe 1 1 30->39         started        41 reg.exe 1 1 30->41         started        47 28 other processes 30->47 43 conhost.exe 32->43         started        45 choice.exe 1 32->45         started        file12 signatures13 process14 signatures15 49 cmd.exe 34->49         started        85 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 36->85 87 Disables Windows Defender (deletes autostart) 39->87 89 Disable Windows Defender real time protection (registry) 41->89 process16 process17 51 conhost.exe 49->51         started        53 bfsvc.exe 49->53         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8871032689da878e4d0460f41ad7321625ea872357abeef12de553762f0cca5b/
Threat name:
ByteCode-MSIL.Infostealer.Disco
Create hunting rule
Status:
Malicious
First seen:
2023-01-03 22:11:09 UTC
File Type:
Binary (Archive)
Extracted files:
36
AV detection:
24 of 39 (61.54%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rbyqgjuj3kdy4tiemd2bvvzscys6vbzdk6v654jn4vjxmlymzjnq._file
Verdict:
malicious
Similar samples:
63749db0a9eb1a3c20cbeed08aae309ea5be7a0318d954cd3e74f6ffef2125f8
9d3c0c4f284599d8368fabea500ca8940539881e4afc88a026f05bd8c7f6f0e0
b3a510a337ee536bb27763260d6bc73003e2c5e85b618eccc23ba55645bc8a5d
b92a5c3efbd6adc183f46c43e8c1fd7741fec8fff7e5e04c66880700c83ff49d
bc5bdcf308bf462c64ec6c329d91437f985c32e80b2cf691e29e37105fd98701
be5f90d712006e2ea8859502318e741123e5d3ee13691d67975254eecd55e0fe
c20e27c69a0ae79358901b683834d3c18137121dd200d51c6a2d6c49224bbce7
+ 664 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion spyware stealer trojan
Link:
https://tria.ge/reports/230103-13ctzsda69/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Modifies system certificate store
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Blocklisted process makes network request
Executes dropped EXE
NirSoft WebBrowserPassView
Nirsoft
Modifies Windows Defender Real-time Protection settings
Modifies security service
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/8871032689da/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.37
Link:
https://yomi.yoroi.company/submissions/8871032689da878e4d0460f41ad7321625ea872357abeef12de553762f0cca5b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/349256/

Comments