MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9de12a0eecc54548338319c106bb77ca5496c1aedc293d22dc994eb61b9dd984. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9de12a0eecc54548338319c106bb77ca5496c1aedc293d22dc994eb61b9dd984
SHA3-384 hash: cb739f9b2e160c0cf1645fce7d2f62e3963eeafbc5bc8a10673a7af1dbd1815ba9d54641b41c0842ef488f3757176265
SHA1 hash: 2394974e832831f0c9a3e38fe3706cf7e2c2fa94
MD5 hash: b07dee479dd11163d584db2aa86e9c45
humanhash: london-item-five-iowa
File name:9de12a0eecc54548338319c106bb77ca5496c1aedc293d22dc994eb61b9dd984
Download: download sample
File size:36'786'688 bytes
First seen:2024-05-22 01:11:18 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 786432:Wlw27h2QVu9cCct5rB9rIX9gW6cnzELhEe2x53gp7fq2xX:WlLA+ptO2Cnne2xU7fq2
TLSH T1808722126B9A99EAFA377237607B6BC6016E7CE1037205C7276137399EF69E30135423
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter johnk3r
Tags:ev msi signed

Code Signing Certificate

Organisation:Reviihuray Communication Technology Co., Ltd.
Issuer:GlobalSign GCC R45 EV CodeSigning CA 2020
Algorithm:sha256WithRSAEncryption
Valid from:2024-05-17T10:56:49Z
Valid to:2025-05-16T08:01:26Z
Serial number: 424dae86e4d976f2ec31fa76
Cert Central Blocklist:This certificate is on the Cert Central blocklist
Thumbprint Algorithm:SHA256
Thumbprint: 602fc7ad0105d936721ac6498d80f702e8d72933224162fb68ce9b34306e2177
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
101
Origin country :
US US
Vendor Threat Intelligence
Verdict:
Malicious
Score:
90.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=664d466125570c503d850000win7simulatehigh_evasion
Tags:
Network Dldr
Verdict:
Suspicious
Link:
https://www.hybrid-analysis.com/sample/9de12a0eecc54548338319c106bb77ca5496c1aedc293d22dc994eb61b9dd984
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/9de12a0eecc54548338319c106bb77ca5496c1aedc293d22dc994eb61b9dd984
Result
Threat name:
n/a
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/1445456
Signature
Antivirus detection for dropped file
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Multi AV Scanner detection for submitted file
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Behaviour
Behavior Graph:
Download SVG
Score:
95%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/9de12a0eecc54548338319c106bb77ca5496c1aedc293d22dc994eb61b9dd984
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=txqsudxmyvcuqm4ddhaqno3xzjkjnqno3qut2iw4tfhlmg453gca._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  10/10
Tags:
execution
Link:
https://tria.ge/reports/240522-bkhvvaff38/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: PowerShell
Program crash
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Suspicious use of SetThreadContext
Blocklisted process makes network request
Enumerates connected drives
Malware Config
Dropper Extraction:
https://opensun.monster/1305.bs64
Verdict:
Malicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/15426a0e-052a-474e-ac98-649a73929595
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9de12a0eecc54548338319c106bb77ca5496c1aedc293d22dc994eb61b9dd984

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_LATAM_MSI_Banker
Create hunting rule
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Microsoft Software Installer (MSI) msi 9de12a0eecc54548338319c106bb77ca5496c1aedc293d22dc994eb61b9dd984

(this sample)

PowerShell (PS) ps1 33eb19b9fbe388460db541fb337ed4aebcb3c7b3553398f040efa9a504644d24

  
X
https://x.com/johnk3r/status/1790387254315118707
  
Dropping
SHA256 33eb19b9fbe388460db541fb337ed4aebcb3c7b3553398f040efa9a504644d24
  
Dropping
MD5 42359fd36b72dd467e64629a4de86bda

Comments