MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 99de8985569d364a5e273e20e84a43d444a002cb38893d58dd9acc045f287418. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	99de8985569d364a5e273e20e84a43d444a002cb38893d58dd9acc045f287418
SHA3-384 hash:	689fc8e978155eba7d0790936a30550e6fdd0a4758e09d35ee92ee576eec5cd13aaa81c87dd1e69154266ca6e84dcaae
SHA1 hash:	a0f8fa3965a0f88f295ac039ae502496e6f28979
MD5 hash:	b1b64c2986d531cbbe019a9adfb6106a
humanhash:	yankee-gee-wolfram-mountain
File name:	aplicativo.msi
Download:	download sample
File size:	7'123'968 bytes
First seen:	2022-12-10 08:52:20 UTC
Last seen:	Never
File type:	msi
MIME type:	application/x-msi
ssdeep	196608:nXEZ5dApBHkxt9o2aMGhxzz2ANuqnhz4I3N0:nX/M41MkhzNi
Threatray	203 similar samples on MalwareBazaar
TLSH	T1D7763322B2C6C937C16D42B0292E47AE45617D29C7F388EB63C46D3D1E739C15379E8A
TrID	80.0% (.MSI) Microsoft Windows Installer (454500/1/170) 10.7% (.MST) Windows SDK Setup Transform script (61000/1/5) 7.8% (.MSP) Windows Installer Patch (44509/10/5) 1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter	abuse_ch
Tags:	msi

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/344918/

Detection(s):

SecuriteInfo.com.Win32.SpywareX-gen.28165.28110.UNOFFICIAL

SecuriteInfo.com.Win32.SpywareX-gen.12482.29821.UNOFFICIAL

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

shell32.dll

Link:

https://www.filescan.io/uploads/639448f00c6473d1671a4ab5/reports/08b7da61-896a-4bb9-aa64-c7a41e7ac1b5/overview

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/99de8985569d364a5e273e20e84a43d444a002cb38893d58dd9acc045f287418

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/1131912

Signature

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/99de8985569d364a5e273e20e84a43d444a002cb38893d58dd9acc045f287418/

Threat name:

Win32.Infostealer.Ghoul

Status:

Malicious

First seen:

2022-12-09 16:05:22 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

11 of 40 (27.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=thpitbkwtu3euxrhhyqoqssd2rckaawlhcet2wg5tlgaixzioqma._file

Verdict:

suspicious

220a3f00cbb5d2a2b78e8f1731bacc235163f2aa4999de6f0db3221bcb282801

2451b15b1e0395d30f192de63344be36beb0cd9cd421ed2bc76c1ccb56778dfa

36bba4ce934c4041d3d27e588793ff536194b7b536d0181676d79cb8bad77ce0

968540c083474982744f85646c34a3abf7299479e1156904691820d0d1c288ed

9e2e6fe4472e5e0e7d4a9faf6eb9798fb72cf632a385a7c77528fb49a3931f5f

ad2ed1651407fc34cd9c394d115ad2af8ee53c49e60aaac51a6e4ef6e4692b81

b324bf2765637c425eea72826c3a1524873fc8b2dc7c06cf9f5b3312bde8861a

df04011130920e691165f3e93b3cf8aa02fbbc84af1fedc13eaebed30a797d89

df2f7dee20fb4b16fd8dbd026583c9669c60d772c0cb9b22bc0ef51bba45e69d

+ 193 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/221210-kta12afc34/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Drops file in Program Files directory

Drops file in Windows directory

Enumerates connected drives

Loads dropped DLL

Blocklisted process makes network request

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/99de8985569d364a5e273e20e84a43d444a002cb38893d58dd9acc045f287418

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	suspicious_msi_file Create hunting rule
Author:	Johnk3r
Description:	Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/344918/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample