MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1161dcdc714b276a85f713eef8f75ddbcc36dbbee6cf89da36249f860ff99f7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 5

SHA256 hash: b1161dcdc714b276a85f713eef8f75ddbcc36dbbee6cf89da36249f860ff99f7
SHA3-384 hash: c0f628de27358143f768846165b4b01a3b9434e5588c42918bc61a78ea77b8b34a648d30c8d4d493c0eda8d827e0bacf
SHA1 hash: c3a20fc994f07550ad31e70f4427ca8462c98d89
MD5 hash: 4dc206376309a1f3012a28c03e9fb436
humanhash: hydrogen-kentucky-foxtrot-maine
File name: 4dc206376309a1f3012a28c03e9fb436.msi
File size: 2'429'440 bytes
First seen: 2023-02-01 15:08:20 UTC
Last seen: 2023-02-01 17:36:55 UTC
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 49152:19JYUMV3eVougTzAFPsJ6ma8zotlmfwrgxMy+y29IAan6Dr24vLNgmUESIEjPMNI:9YUMV399AlAfwrtyF4veHjPMNaX
Threatray: 309 similar samples on MalwareBazaar
TLSH: T1CEB58C2275C5C632EA6F4330652ADB7B61F97EE0377340DB63D8962E0E719C04276E92
TrID: 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
      10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
      7.8% (.MSP) Windows Installer Patch (44509/10/5)
      1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter: abuse_ch
Tags: msi

Intelligence

File Origin
# of uploads: 3
# of downloads: 72
Origin country: n/a

Vendor Threat Intelligence

Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 60%
Tags: anti-vm evasive fingerprint shell32.dll

Result
Verdict: SUSPICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: clean
Classification: n/a
Score: 3 / 100
Behaviour
Behavior Graph: n/a

Result
Malware family: n/a
Score: 7/10
Tags: n/a
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates connected drives
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: suspicious_msi_file
Author: Johnk3r
Description: Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
Microsoft Software Installer (MSI) msi  b1161dcdc714b276a85f713eef8f75ddbcc36dbbee6cf89da36249f860ff99f7 (this sample)

Delivery method: Distributed via web download
