MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b09615c12af72a091f135d8020060765058c21653796ea495f921705c76fa5b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 9


Intelligence 9 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b09615c12af72a091f135d8020060765058c21653796ea495f921705c76fa5b2
SHA3-384 hash: e85e07e51c994dc9ea5621524b32612760387a7208e82c232e4ea4f73ce96b5e0ae6e6944478bdae70e0d43cbc1edc45
SHA1 hash: 88fb3e5cc85f2a5dac2e3664dcff4bc06b56e514
MD5 hash: 089837dcec622306655e29854c6e0dd2
humanhash: aspen-muppet-south-hydrogen
File name:4ed18d.msi
Download: download sample
File size:299'520 bytes
First seen:2024-04-11 23:50:15 UTC
Last seen:2024-04-12 00:29:29 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 3072:Bfaz97NIA+/WQx5TYD9yOePnhhCVwgz88ereWn/7w05g0y9FY5Adt7b3DJ68aPNF:IUdhCg8er1nzTgY5AdN3DgL8
Threatray 312 similar samples on MalwareBazaar
TLSH T17D545B06B2D74275ECE70231169B93328A7DEE7496E2C32A174976092DF1354B7E32F2
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter smica83
Tags:HUN msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
75
Origin country :
HU HU
Vendor Threat Intelligence
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
anti-vm fingerprint lolbin packed packed remote shell32
Link:
https://www.filescan.io/uploads/661877670b46b30369330062/reports/a7dd277c-345b-423f-91ac-0ad824c4eda3/overview
Verdict:
Malicious
Labled as:
JS/Dldr.Agent
Link:
https://www.hybrid-analysis.com/sample/b09615c12af72a091f135d8020060765058c21653796ea495f921705c76fa5b2
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/b09615c12af72a091f135d8020060765058c21653796ea495f921705c76fa5b2
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
VMdetect
Create hunting rule
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1424820
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Yara detected AntiVM
Yara detected VMdetect
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1424820 Sample: 4ed18d.msi Startdate: 12/04/2024 Architecture: WINDOWS Score: 84 39 www.google.com 2->39 41 berazategui.is-a-geek.com 2->41 47 Antivirus detection for dropped file 2->47 49 Antivirus / Scanner detection for submitted sample 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 2 other signatures 2->53 9 msiexec.exe 10 36 2->9         started        12 msiexec.exe 2 2->12         started        signatures3 process4 file5 29 C:\Windows\Installer\MSI341A.tmp, PE32 9->29 dropped 31 C:\Windows\Installer\MSI330F.tmp, PE32 9->31 dropped 33 C:\Windows\Installer\MSI3234.tmp, PE32 9->33 dropped 35 2 other malicious files 9->35 dropped 14 msiexec.exe 2 5 9->14         started        process6 dnsIp7 43 www.google.com 142.251.41.4, 49730, 80 GOOGLEUS United States 14->43 37 C:\Users\user\AppData\Local\Temp\lc1CA2.tmp, PE32 14->37 dropped 45 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->45 19 cmd.exe 2 14->19         started        21 cmd.exe 2 14->21         started        23 lc1CA2.tmp 14->23         started        file8 signatures9 process10 process11 25 conhost.exe 19->25         started        27 conhost.exe 21->27         started       
Score:
0%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/b09615c12af72a091f135d8020060765058c21653796ea495f921705c76fa5b2
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b09615c12af72a091f135d8020060765058c21653796ea495f921705c76fa5b2/
Threat name:
Script-JS.Trojan.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2024-03-25 16:23:22 UTC
File Type:
Binary (Archive)
Extracted files:
22
AV detection:
8 of 23 (34.78%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wclblqjk64vashytlwacabqhmucyyilfg6lousk7silqlr3puwza._file
Verdict:
malicious
Similar samples:
2d94fd6ffb4d714e7f941050ada91b1b0473171a7afef2e9fedbff1a296f5b94
514d1b93b380bcb7967848525a92df05983a9e02df925a61f5592ce3a887af54
52011338415ad95fd442cd18adc72db52c3a01e15039b5405c8456046365bd0c
661e0c31acf912171fbc97e3943fb618ca1cc689dbb17be209c9de8cb4809c37
675bfec1571822204ba946375e1912bcd56126ea3f018b5c567269ff1141bf1d
77455163378d89a98833a8278b82b549405a8c855a62657f850b20ecb05f1f42
87bef8251b58877442c0b4d9be6b126b9a64972eea54427652ec9646724309c0
9f8f58faadcda3b49e371c1ae353b30b3713652b0ad8d05b57383142757a74d0
e0dba262d018d907cb5cc298984f5a68053495e1e40077c6f93346fd0c76cce0
e818cdd24707acc4f083327b32d2d7f1f90c1924b9640f4099b8159368c93a6b
+ 302 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/240411-3v5k5scd2s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Enumerates connected drives
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b09615c12af72a091f135d8020060765058c21653796ea495f921705c76fa5b2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CMD_Shutdown
Create hunting rule
Author:adm1n_usa32
Rule name:Detect_LATAM_MSI_Banker
Create hunting rule
Rule name:Disclosed_0day_POCs_payload_MSI
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects POC code from disclosed 0day hacktool set
Reference:Disclosed 0day Repos
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments