MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 adee061b8f1a879027c5fdb183aba13d2893764ee92178a7e14ce57018ea1cc9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: adee061b8f1a879027c5fdb183aba13d2893764ee92178a7e14ce57018ea1cc9
SHA3-384 hash: a02657cf90dcde979c87e9a9126b916e021e9d4f60795fe6685f3c6e1e51c7558e1f72d4785e469efdfc6a293a795923
SHA1 hash: d3f64f557039f3892c2c1f2c75766b678bb111e9
MD5 hash: 5e2ed411f2152ce2cfc11e0f256c6200
humanhash: tennis-bravo-mountain-carbon
File name:sefaz666-1i7yuc1fo8.msi
Download: download sample
File size:1'138'176 bytes
First seen:2021-11-17 15:17:10 UTC
Last seen:2021-11-17 16:29:17 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 24576:AaY5AzjJDJdMxuqjFt86PFv/n28fxQnEGwO8FTKy1Z5gRSF:AaY5AzW7jFt86PF2EQFwO8FTKy1Z5gRS
Threatray 142 similar samples on MalwareBazaar
TLSH T1EB359E1171DACA3AC67F85307769DB2B10B97B9147B684DB23C40A1F4E788E241B3F66
Reporter Anonymous
Tags:msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.JS.Trojan.Cryxos.6056.13515.6058.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm evasive fingerprint monero
Link:
https://www.filescan.io/uploads/61951d2d2695a62af9f23eef/reports/cf24fa8d-a498-40f6-83fb-ba9bae7fc0e8/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/adee061b8f1a879027c5fdb183aba13d2893764ee92178a7e14ce57018ea1cc9
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/891355
Signature
Antivirus detection for dropped file
Connects to a pastebin service (likely for C&C)
Creates multiple autostart registry keys
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Opens network shares
PE file contains section with special chars
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses cmd line tools excessively to alter registry or file data
Uses shutdown.exe to shutdown or reboot the system
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 523829 Sample: sefaz666-1i7yuc1fo8.msi Startdate: 17/11/2021 Architecture: WINDOWS Score: 100 81 Antivirus detection for dropped file 2->81 83 Multi AV Scanner detection for submitted file 2->83 85 Tries to detect sandboxes and other dynamic analysis tools (window names) 2->85 87 3 other signatures 2->87 9 msiexec.exe 9 31 2->9         started        12 8tdbL .exe 8 2->12         started        16 8tdbL .exe 2 2->16         started        18 3 other processes 2->18 process3 dnsIp4 59 C:\Windows\Installer\MSIDB8.tmp, PE32 9->59 dropped 61 C:\Windows\Installer\MSI8A6.tmp, PE32 9->61 dropped 63 C:\Windows\Installer\MSI7AB.tmp, PE32 9->63 dropped 71 2 other files (none is malicious) 9->71 dropped 20 msiexec.exe 4 11 9->20         started        75 stopshopping.net 18.118.83.161, 443, 49745 MIT-GATEWAYSUS United States 12->75 77 edge-block-www-env.dropbox-dns.com 162.125.66.15, 443, 49793 DROPBOXUS United States 12->77 79 4 other IPs or domains 12->79 65 C:\Users\user\AppData\...\imgengine.dll, PE32+ 12->65 dropped 67 C:\Users\user\AppData\Roaming\...\Dc3m9DF.exe, PE32+ 12->67 dropped 69 C:\Users\user\AppData\...\sptdintf.dll, PE32+ 12->69 dropped 103 Query firmware table information (likely to detect VMs) 12->103 105 Hides threads from debuggers 12->105 107 Tries to detect sandboxes / dynamic malware analysis system (registry check) 12->107 25 cmd.exe 1 12->25         started        file5 signatures6 process7 dnsIp8 73 shopwmstop.net 3.23.98.227, 443, 49742 AMAZON-02US United States 20->73 51 C:\userUV9Vo \imgengine.dll, PE32+ 20->51 dropped 53 C:\userUV9Vo.\8tdbL..exe (copy), PE32+ 20->53 dropped 55 C:\userUV9Vo \sptdintf.dll, PE32+ 20->55 dropped 57 3 other files (none is malicious) 20->57 dropped 91 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 20->91 93 Opens network shares 20->93 27 cmd.exe 1 20->27         started        30 cmd.exe 1 20->30         started        95 Uses cmd line tools excessively to alter registry or file data 25->95 32 reg.exe 1 1 25->32         started        34 conhost.exe 25->34         started        file9 signatures10 process11 signatures12 97 Uses cmd line tools excessively to alter registry or file data 27->97 99 Uses shutdown.exe to shutdown or reboot the system 27->99 36 reg.exe 1 1 27->36         started        39 conhost.exe 27->39         started        41 shutdown.exe 1 30->41         started        43 conhost.exe 30->43         started        101 Creates multiple autostart registry keys 32->101 process13 signatures14 89 Creates multiple autostart registry keys 36->89 45 conhost.exe 36->45         started        47 conhost.exe 36->47         started        49 conhost.exe 41->49         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/adee061b8f1a879027c5fdb183aba13d2893764ee92178a7e14ce57018ea1cc9/
Threat name:
Script-JS.Trojan.Cryxos
Create hunting rule
Status:
Malicious
First seen:
2021-11-17 15:18:11 UTC
AV detection:
5 of 44 (11.36%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0e6ed4c85813787c140645637a3f8540534693cae1846de92d0e0412e38e7b8d
276fe35ed289cc299cca3a511c089d5d9994bb21c26818946b9ae2a0e7f6f584
32d4a464dae9552b1a5aaf8b95c1f22d3f99ebd112245fa1a3719ad12fa26ed6
3529493db869e38f4cc8d85f0b5e3964abb6b9aa9e053b6884b47ff610551239
368a995009f0a3324ed392ed8411bd64c41d091fb22ef20170f9c9fd50ee8c8a
5ae367e0c04bddfcd66f59aaac45c1125abff2b1991752aa44157edc919b09c7
84783081ade87f5a4a1902a275eb66c7fe8ebef9e43cdd2d4527bdb1a5a51f04
a0ad03f70f1465a4cac3efa0fa48f7d26f181931da663eb117d70f9a2b980217
c5d5bd4d5b66de5559e4ebb98251b74b49baa08a50cfc8f69b2c9005fcc861a4
f3e180897f615a8d54fbe97faebd15e80be7358a3d4aa7ea8511a73285b3fe85
+ 132 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/211117-splwqsdbd8/
Behaviour
Modifies data under HKEY_USERS
Modifies registry key
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Adds Run key to start application
Enumerates connected drives
Loads dropped DLL
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/adee061b8f1a879027c5fdb183aba13d2893764ee92178a7e14ce57018ea1cc9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/206901/

Comments