MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a7db0204847d26515ed249f9ed577220326f63a724a2e0fb6bb1d8cd33508a3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9a7db0204847d26515ed249f9ed577220326f63a724a2e0fb6bb1d8cd33508a3
SHA3-384 hash: 00c3aad50611117b0a9d1985faaea5c7a7567a7947e7ab65c388719dd200adb73e28b71383a7833d00f33b12256be0d8
SHA1 hash: 7f537f5045e5e4b77ccb8dcfbd04555b85b11821
MD5 hash: b2d5a1369b5b88c18e5123b948683ba8
humanhash: south-high-virginia-speaker
File name:9a7db0204847d26515ed249f9ed577220326f63a724a2e0fb6bb1d8cd33508a3
Download: download sample
File size:1'933'312 bytes
First seen:2023-08-21 23:03:49 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 24576:otncpVGPAs9FsEsyt8l+E+s1tB7parWM0Sy6MQYBXjhi0iCq+otd9s:hpUPd9FBJZEH1X1arF0sMQYBTsJdd9
Threatray 89 similar samples on MalwareBazaar
TLSH T1DC95AE033F95816EFE5BF6335B2AA2D501B86E2C0332E55F16C439A9A9701615EFD323
TrID 89.6% (.MSI) Microsoft Windows Installer (454500/1/170)
8.7% (.MSP) Windows Installer Patch (44509/10/5)
1.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter Anonymous
Tags:msi signed

Code Signing Certificate

Organisation:PFO GROUP LLC
Issuer:GlobalSign GCC R45 EV CodeSigning CA 2020
Algorithm:sha256WithRSAEncryption
Valid from:2023-06-30T13:53:04Z
Valid to:2024-06-30T13:53:04Z
Serial number: 4ff7ae126e7a81a34c34b13d
Intelligence: 2 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: ae65d943692b68895cfaf5dbffa02fa696d5fd6fb7f4f96274717d83ebeb5225
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
104
Origin country :
US US
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/444018/
Detection(s):
SecuriteInfo.com.Trojan.GenericFCA.Agent.99743.21739.21340.UNOFFICIAL
Create hunting rule

Gathering data
Verdict:
Suspicious
Labled as:
Trojan.MSI.Agent
Link:
https://www.hybrid-analysis.com/sample/9a7db0204847d26515ed249f9ed577220326f63a724a2e0fb6bb1d8cd33508a3
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/9a7db0204847d26515ed249f9ed577220326f63a724a2e0fb6bb1d8cd33508a3
Result
Threat name:
n/a
Detection:
malicious
Classification:
spyw.evad
Score:
41 / 100
Link:
https://www.joesandbox.com/analysis/1294816
Signature
Contains functionality to modify clipboard data
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 process2 2 Behavior Graph ID: 1294816 Sample: 8smQ9pTKU1.msi Startdate: 22/08/2023 Architecture: WINDOWS Score: 41 6 msiexec.exe 8 19 2->6         started        9 msiexec.exe 5 2->9         started        file3 27 C:\Windows\Installer\MSI6D7.tmp, PE32 6->27 dropped 29 C:\Windows\Installer\MSI3E1A.tmp, PE32 6->29 dropped 11 msiexec.exe 5 6->11         started        process4 process5 13 Autoit3.exe 11->13         started        16 expand.exe 5 11->16         started        19 icacls.exe 11->19         started        21 icacls.exe 11->21         started        file6 31 Contains functionality to modify clipboard data 13->31 23 C:\Users\user\AppData\...\Autoit3.exe (copy), PE32 16->23 dropped 25 C:\...\91f58df64a514c47a681535ab36da3f1.tmp, PE32 16->25 dropped signatures7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9a7db0204847d26515ed249f9ed577220326f63a724a2e0fb6bb1d8cd33508a3/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2023-08-03 21:44:28 UTC
File Type:
Binary (Archive)
Extracted files:
58
AV detection:
1 of 38 (2.63%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tj63aicii7jgkfpnespz5vlxeibsn5r2ojfc4d5wxmoyzuzvbcrq._file
Verdict:
malicious
Similar samples:
2eede34adc2a44e96acfdfb9f3dfba2df4ad17f9fdf76970ad02d5596c1a50a5
54f52ef506f6649c09838b9935aed223f0f320798e13fdb9541ffd1db3e08816
573d3e739227f741344484f94d246c23318ac5329bf739d4ec396e0d5acf2ffa
5b608a6729343cf8b6752d5bb201f906920fcb472f5949e04173b907f65ceff1
5be83d13f20b4a044a8c8281d13723a808555cdd73a7ddcec37422a4e44fbd4e
6e068b9dcd8df03fd6456faeb4293c036b91a130a18f86a945c8964a576c1c70
+ 79 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery
Link:
https://tria.ge/reports/230821-218z3sgh29/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.68
Link:
https://yomi.yoroi.company/submissions/9a7db0204847d26515ed249f9ed577220326f63a724a2e0fb6bb1d8cd33508a3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AutoIT_Script
Create hunting rule
Author:@bartblaze
Description:Identifies AutoIT script.
Rule name:DarkGate_MSI
Create hunting rule
Author:yarGen Rule Generator
Description:DarkGate MSI - file 5b608a6729343cf8b6752d5bb201f906920fcb472f5949e04173b907f65ceff1.msi
Reference:https://github.com/Neo23x0/yarGen
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/444018/

Comments