MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac8ba32c27d3dc8fa0eef48f3d3de5032df74dd476cf0669f92fecd617c4e10d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac8ba32c27d3dc8fa0eef48f3d3de5032df74dd476cf0669f92fecd617c4e10d
SHA3-384 hash: d5392630a57b05638b525db81807660e601ad9f1e141399ed9de0cfa6e68c23160d7e950e4fdeee605df9d76148ef75a
SHA1 hash: 02aa56247d63b6037e7adc4492d3f494fcbdf003
MD5 hash: f390d567bfebaecba7eb5a792ff6249b
humanhash: avocado-stairway-muppet-stairway
File name:z1Mb_NFEmitida1.msi
Download: download sample
File size:1'518'080 bytes
First seen:2023-04-20 12:20:37 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 24576:/DA+gxxN9Y5OcW7LIJ1MXCOJ05YbswFbT52d7xLZrudIAL8wiUYT:/DHW9YDqbCOJ05Yb59QzLZrudIAITUI
Threatray 120 similar samples on MalwareBazaar
TLSH T14465BE223386C233C9AE01B01A2AD79B5579FDB24B3154DBA3C82D2F9DB44C25779F52
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter FXOLabs
Tags:msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
109
Origin country :
BR BR
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/383765/
Detection(s):
SecuriteInfo.com.BAT.DownLoader.760.16462.14314.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
dde msiexec.exe shell32.dll
Link:
https://www.filescan.io/uploads/64412e312efbb8b9c3f531a2/reports/8271bb10-4ba6-45a8-acca-72aa495a5111/overview
Verdict:
Malicious
Link:
https://www.hybrid-analysis.com/sample/ac8ba32c27d3dc8fa0eef48f3d3de5032df74dd476cf0669f92fecd617c4e10d
Result
Verdict:
SUSPICIOUS
Link:
https://labs.inquest.net/dfi/sha256/ac8ba32c27d3dc8fa0eef48f3d3de5032df74dd476cf0669f92fecd617c4e10d
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
malicious
Classification:
rans.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1217986
Signature
Antivirus detection for dropped file
Bypasses PowerShell execution policy
Drops executables to the windows directory (C:\Windows) and starts them
Found potential ransomware demand text
Hides threads from debuggers
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Powershell drops PE file
Query firmware table information (likely to detect VMs)
Suspicious powershell command line found
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses shutdown.exe to shutdown or reboot the system
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 850932 Sample: z1Mb_NFEmitida1.msi Startdate: 20/04/2023 Architecture: WINDOWS Score: 100 53 Multi AV Scanner detection for domain / URL 2->53 55 Antivirus detection for dropped file 2->55 57 Multi AV Scanner detection for dropped file 2->57 59 4 other signatures 2->59 7 cmd.exe 1 2->7         started        10 msiexec.exe 14 36 2->10         started        13 WPDShextAutoplay5507.exe 2->13         started        16 msiexec.exe 2 2->16         started        process3 dnsIp4 65 Suspicious powershell command line found 7->65 67 Bypasses PowerShell execution policy 7->67 18 powershell.exe 26 35 7->18         started        23 conhost.exe 7->23         started        25 cmd.exe 1 7->25         started        41 C:\Windows\Installer\MSI54BB.tmp, PE32 10->41 dropped 43 C:\Windows\Installer\MSI515C.tmp, PE32 10->43 dropped 45 C:\Windows\Installer\MSI50FD.tmp, PE32 10->45 dropped 47 3 other malicious files 10->47 dropped 69 Drops executables to the windows directory (C:\Windows) and starts them 10->69 27 msiexec.exe 10->27         started        29 MSI54BB.tmp 10->29         started        51 courtrek.pumzedydqxnxybwnoakbt.com 5.188.0.116, 443, 49703 GCOREAT United States 13->51 71 Query firmware table information (likely to detect VMs) 13->71 73 Tries to detect sandboxes and other dynamic analysis tools (window names) 13->73 75 Hides threads from debuggers 13->75 77 Tries to detect sandboxes / dynamic malware analysis system (registry check) 13->77 file5 signatures6 process7 dnsIp8 49 imprecstilligr.gelattssorvetes.com 173.82.57.36, 443, 49700, 49702 MULTA-ASN1US United States 18->49 33 C:\Users\user\AppData\...\sqlite.dll (copy), PE32 18->33 dropped 35 C:\Users\...\WPDShextAutoplay5507.exe (copy), PE32 18->35 dropped 37 C:\Users\user\AppData\Local\AMD64_\...\03, PE32 18->37 dropped 39 5 other files (1 malicious) 18->39 dropped 61 Uses shutdown.exe to shutdown or reboot the system 18->61 63 Powershell drops PE file 18->63 31 shutdown.exe 1 18->31         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ac8ba32c27d3dc8fa0eef48f3d3de5032df74dd476cf0669f92fecd617c4e10d/
Threat name:
Script-BAT.Trojan.Batfuscator
Create hunting rule
Status:
Suspicious
First seen:
2023-04-20 08:17:41 UTC
File Type:
Binary (Archive)
Extracted files:
86
AV detection:
10 of 24 (41.67%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vsf2glbh2poi7iho6sht2ppfamw7otouo3hqm2pzf7wnmf6e4egq._file
Verdict:
unknown
Similar samples:
04d87473c872231d983c1ba26e9c2d4e346d3853990a5746210dc74bfaccd833
24cd4865f03fcaa7b5e76245734a43309cae82e24843cd667ceb3c3d46aa3095
6c4cf7b175c499172b59d7f5f5ece3b6717345b6ea0b6e53d56b315516dd870e
7166dcc58ddaaa984ca15df83285a659443502c608c2290f3b4578b407e87d22
77b07db364c5c3c48d3078785b9fe9a6f3e6b7fcb0fa7212b9b8b1ecc0a229b1
841572da329176a7f23da214406a8c5d19c4107206df3d83bfcd8dd6dc906ecf
8a5a24a29f6dd98600724e6e19abf0ee2be65260233fabdcf35a01c61b981f11
9fc52a3f3062b09ef6fe25ceeead5bcf3f80c712e8468fe887a57fbe19884b2c
da7f9295ea96e5490723111c7aeb2263f724a550e4780b91af918b63d8c9ffbf
fad1b92b67d6509a5d114b43395bd428b8fff6b827198083f1abc801a9c78525
+ 110 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/230420-pjbxsshg68/
Behaviour
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy WMI provider
Uses Volume Shadow Copy service COM API
Drops file in Windows directory
Adds Run key to start application
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ac8ba32c27d3dc8fa0eef48f3d3de5032df74dd476cf0669f92fecd617c4e10d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Microsoft Software Installer (MSI) msi ac8ba32c27d3dc8fa0eef48f3d3de5032df74dd476cf0669f92fecd617c4e10d

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/383765/

Comments