MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94e18ec153544d5629b382446fb4689f26eb1260f1b3d0dd9cbaf12812dc6be4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94e18ec153544d5629b382446fb4689f26eb1260f1b3d0dd9cbaf12812dc6be4
SHA3-384 hash: 555b313c496730f9e296ee2d0c746032e204bc3ed82d0ec82279b09f984646c5c04f984fbd4e5b931ac1d6086015097d
SHA1 hash: dd3222fd67b5c26174e757687e96a29f3b3274ea
MD5 hash: 1c996c0281b8aa238b2ba19e3cb273ad
humanhash: chicken-kentucky-virginia-sad
File name:ExtremeBot_3.62._IIS.msi
Download: download sample
File size:7'713'280 bytes
First seen:2023-01-21 06:19:24 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:7AfwrtyR4veHjPMNajYBMV391AAf2LFiCMrYwiIxip6/4QM8CV3lUe/aOHqAVI3I:sweH9NZC4YsD/UV+e/azl3jR/ItQO
Threatray 88 similar samples on MalwareBazaar
TLSH T15076012279C5C233EA6F4330162ADB7B51F97EE0377340DB63D8962E0E759C04276A96
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter 1ZRR4H
Tags:DEV-0569 msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
CL CL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/355265/
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
80%
Tags:
anti-vm evasive fingerprint shell32.dll
Link:
https://www.filescan.io/uploads/63cb841589bd67c10fd90113/reports/3fe2d19f-f57e-437e-afde-167dd7faee2a/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/94e18ec153544d5629b382446fb4689f26eb1260f1b3d0dd9cbaf12812dc6be4
Result
Threat name:
Unknown
Detection:
suspicious
Classification:
evad
Score:
29 / 100
Link:
https://www.joesandbox.com/analysis/1156086
Signature
Bypasses PowerShell execution policy
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 process2 2 Behavior Graph ID: 788818 Sample: ExtremeBot_3.62._IIS.msi Startdate: 21/01/2023 Architecture: WINDOWS Score: 29 7 msiexec.exe 3 14 2->7         started        10 msiexec.exe 12 2->10         started        file3 26 C:\Windows\Installer\MSI91FD.tmp, PE32 7->26 dropped 28 C:\Windows\Installer\MSI5C99.tmp, PE32 7->28 dropped 30 C:\Windows\Installer\MSI58DE.tmp, PE32 7->30 dropped 32 C:\Windows\Installer\MSI57E3.tmp, PE32 7->32 dropped 12 msiexec.exe 16 7->12         started        15 msiexec.exe 7->15         started        34 C:\Users\user\AppData\Local\...\MSI2C54.tmp, PE32 10->34 dropped 36 C:\Users\user\AppData\Local\...\MSI2AFC.tmp, PE32 10->36 dropped 38 C:\Users\user\AppData\Local\...\MSI2A30.tmp, PE32 10->38 dropped 40 4 other files (none is malicious) 10->40 dropped process4 file5 42 C:\Users\user\AppData\Local\...\scr5E9A.ps1, Unicode 12->42 dropped 44 C:\Users\user\AppData\Local\...\pss5E9C.ps1, Unicode 12->44 dropped 18 powershell.exe 18 12->18         started        20 powershell.exe 3 12->20         started        46 Bypasses PowerShell execution policy 15->46 signatures6 process7 process8 22 conhost.exe 18->22         started        24 conhost.exe 20->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/94e18ec153544d5629b382446fb4689f26eb1260f1b3d0dd9cbaf12812dc6be4/
Threat name:
Binary.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-01-17 22:20:22 UTC
File Type:
Binary (Archive)
Extracted files:
101
AV detection:
3 of 39 (7.69%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=stqy5qktkrgvmkntqjcg7ndit4toweta6gz5bxm4xlysqew4npsa._file
Verdict:
unknown
Similar samples:
00b74733bcfeb9fbe6351f62fad0c9c2653ea90989461912d120f89472a262f1
27ec567e09d46bc9cf86e4ba699c893832403a698e414ced8b9af680c67cec2f
348a583651121ae324dc81391d1645e001b52e7433c0d2cbc9ef04f32d116b69
67d94aebea173f8c5bb4bed42f50897e4eb917ea3e180d0fa0aab811c932dc7a
8260ba9c15375429324325b4aa599f320893da5d1cf5bd5b5944979cb0d91544
980336b0ef128cf15b9a8e2e6c1a1d2218d7f12a62c34eb1aeafac47644fcdf0
a519aea7bbd70ca7c031db95b52bab0d6c416ae5038c12b3e66d85b84cf7652a
b2a09ad10595641bc731dd1ced0cb493d47663894ba57da9a941031d1a73ce8a
fa91996407e821400f962f248c576cacc2163f61fa12b1f21d4ad6fede3a010e
ff46fc75ad9f26aa82bb261feb5bc4c1b544764785c6a9cd79809cba6a01ec72
+ 78 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230121-g3r45ace51/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates connected drives
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/94e18ec153544d5629b382446fb4689f26eb1260f1b3d0dd9cbaf12812dc6be4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR
Rule name:SUSP_Websites
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference of suspicious sites that might be used to download further malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/355265/

Comments