MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f8f58faadcda3b49e371c1ae353b30b3713652b0ad8d05b57383142757a74d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f8f58faadcda3b49e371c1ae353b30b3713652b0ad8d05b57383142757a74d0
SHA3-384 hash: 780952227c026d11dd309b6687fc057af499de427908d510aa4bc5779b9461b073dd2d8943ad1ca0ed6115a0cf5bf365
SHA1 hash: 3d3135b87fe274988b86f50d24bde82cc08556bf
MD5 hash: ebae9b70769458cf723022ec89b95c32
humanhash: sierra-oregon-diet-quiet
File name:claro.596166.msi
Download: download sample
File size:2'085'376 bytes
First seen:2024-03-19 07:16:08 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:J3osY5A6b4ms+4UhbrMizYiRpb2mN3rm999OhjY:hY5A6bDhbrfzYiRNdm+
Threatray 307 similar samples on MalwareBazaar
TLSH T15EA5230BF2C55B36E8DB06311B4F97298A71AC3496228A2B564D560E3DF16B0F7F32D1
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter abuse_ch
Tags:msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
NL NL
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan-Spy.Agent.22897.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint guloader lolbin packed remote shell32
Link:
https://www.filescan.io/uploads/65f93befc1137bbf149e82ce/reports/b314d238-55ec-4f2b-8d84-1b87435cd96b/overview
Verdict:
Suspicious
Link:
https://www.hybrid-analysis.com/sample/9f8f58faadcda3b49e371c1ae353b30b3713652b0ad8d05b57383142757a74d0
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/9f8f58faadcda3b49e371c1ae353b30b3713652b0ad8d05b57383142757a74d0
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.expl.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/1411471
Signature
Antivirus detection for dropped file
Hides threads from debuggers
Machine Learning detection for dropped file
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Performs DNS queries to domains with low reputation
Sigma detected: Drops script at startup location
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1411471 Sample: claro.596166.msi Startdate: 19/03/2024 Architecture: WINDOWS Score: 88 54 sslsegurahttpp.xyz 2->54 56 us-east-1.route-1.000webhost.awex.io 2->56 58 clubdos40santista.000webhostapp.com 2->58 64 Antivirus detection for dropped file 2->64 66 Multi AV Scanner detection for submitted file 2->66 68 Sigma detected: Drops script at startup location 2->68 72 2 other signatures 2->72 8 msiexec.exe 10 37 2->8         started        11 cmd.exe 1 2->11         started        14 msiexec.exe 3 2->14         started        signatures3 70 Performs DNS queries to domains with low reputation 54->70 process4 file5 42 C:\Windows\Installer\MSI63F1.tmp, PE32 8->42 dropped 44 C:\Windows\Installer\MSI6363.tmp, PE32 8->44 dropped 46 C:\Users\user\Pictures\msedge_elf.dll, PE32 8->46 dropped 48 C:\Users\user\AppData\...\identity_helper.cmd, ASCII 8->48 dropped 16 msiexec.exe 19 8->16         started        74 Uses cmd line tools excessively to alter registry or file data 11->74 21 cmd.exe 1 11->21         started        23 cmd.exe 1 11->23         started        25 conhost.exe 11->25         started        signatures6 process7 dnsIp8 50 sslsegurahttpp.xyz 95.164.32.123, 49704, 80 NASSIST-ASGI Gibraltar 16->50 52 us-east-1.route-1.000webhost.awex.io 145.14.144.17, 49705, 80 AWEXUS Netherlands 16->52 34 C:\ProgramData\...\vcruntime140.dll, PE32 16->34 dropped 36 C:\ProgramData\...\twe06T4h.4Jz.exe (copy), PE32 16->36 dropped 38 C:\ProgramData\twe06T4h.4Jz\python311.dll, PE32 16->38 dropped 40 C:\ProgramData\twe06T4h.4Jz\python.dll, PE32 16->40 dropped 60 Hides threads from debuggers 16->60 27 twe06T4h.4Jz.exe 1 2 16->27         started        62 Uses cmd line tools excessively to alter registry or file data 21->62 30 reg.exe 1 21->30         started        32 reg.exe 1 1 23->32         started        file9 signatures10 process11 signatures12 76 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 27->76
Score:
98%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/9f8f58faadcda3b49e371c1ae353b30b3713652b0ad8d05b57383142757a74d0
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9f8f58faadcda3b49e371c1ae353b30b3713652b0ad8d05b57383142757a74d0/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=t6hvr6vnzwr3jhrxdqnogu5tbm3rgzjlblmnaw2xhayue5l2otia._file
Verdict:
malicious
Similar samples:
0ea1b0e18ecbb2c5f1dd4e77866b087fcce95a985f14ff281658d4bcc2d7c657
2f9a2ca3d7c8f4ce0393399a7688650c71636418ed1f8edd8a68d6c93b2f2d53
47e29bd164cb2f1eeee561aadf21b399a768dbb14a8d616ff2d1c4e77d1f7ce9
6600209fd8059c2bc8e993b1db44fbf3063de9c5342d4d74966b86f65e91c60e
83355a82abf8feb73cf733551b778e2465f165a73df95318a6c6f003a3e00d79
efaef34ef28217ed3b4d1066bc2c96354bba13d5399d9779ec58801fa72b7a99
+ 297 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/240319-h4c72adc49/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Drops file in Windows directory
Loads dropped DLL
Suspicious use of NtSetInformationThreadHideFromDebugger
Blocklisted process makes network request
Enumerates connected drives
Drops startup file
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/9f8f58faadcd/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9f8f58faadcda3b49e371c1ae353b30b3713652b0ad8d05b57383142757a74d0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments