MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9419212183e9e1f580d0de9dc600ee6bb53be32bb4363b8ca06631f040d228a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 5

Intelligence 5 IOCs YARA 3 File information Comments

SHA256 hash:	b9419212183e9e1f580d0de9dc600ee6bb53be32bb4363b8ca06631f040d228a
SHA3-384 hash:	b46948e0bae4b980cc9a2f087e8053539a08ae66aa514af32e836e8287e20924e5bc6243b17201c2b879f51d7dabfd41
SHA1 hash:	cdac281008e396c91984776373a63e28c88f0df8
MD5 hash:	f6f1795304a9622c750a9110763e3751
humanhash:	three-uncle-five-bakerloo
File name:	GDTGz3GXCiNgYwtXT6qX3tY8eu8Mqj.msi
Download:	download sample
File size:	2'494'464 bytes
First seen:	2021-07-06 01:56:14 UTC
Last seen:	Never
File type:	msi
MIME type:	application/x-msi
ssdeep	49152:v9lHY5AEbTy9U9tSVdjh97eaoOHywdlX5SFkH:zY5AEbTy9MqjP7e2llJSFW
Threatray	43 similar samples on MalwareBazaar
TLSH	BEB5C121937639D8EA77A3BFA5E94FD08111F4F4E008DA2B237C2BA55ED125931B3943
Reporter	Anonymous
Tags:	msi

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/169824/

Result

Verdict:

UNKNOWN

Link:

https://labs.inquest.net/dfi/sha256/b9419212183e9e1f580d0de9dc600ee6bb53be32bb4363b8ca06631f040d228a

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj

Score:

52 / 100

Link:

https://www.joesandbox.com/analysis/812012

Signature

Multi AV Scanner detection for submitted file

Uses dynamic DNS services

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b9419212183e9e1f580d0de9dc600ee6bb53be32bb4363b8ca06631f040d228a/

Threat name:

Win32.Infostealer.Amavaldo

Status:

Malicious

First seen:

2021-07-05 18:17:50 UTC

AV detection:

4 of 46 (8.70%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xfazeeqyh2pb6wanbxu5yyao425vhprsxnbwhogkazrr6banekfa._file

Verdict:

malicious

1324b9aeace50c4bce3210f3fb553dfab6a8bc3efef016b8d186ca3ebc2f0dc8

2131f107d3c701344f650d0413fa83ee2112247d3f2bcff2c5ab6c2de5932f88

290be786e9b514117ebe2990be52172345a6866f0b2e8cca6ea1b3c41ade4d6e

644fc67e8921ac3bb0c6340dde0f49ce2ffea88771243671ab46ee646148651f

84a7ddb0c6e7adc2c3957c55995ac62ef60d3400d6dd2c538e7b5cfeda960a42

8cb6d0ac34d090ebf86cc3b0fb51dc57b89b2429627dd15170b29ee29d02ad08

975cd8e2eb0ded6996c8fc026b29bed2a937407db6d0e9fc2147f8f41f55ceb4

9f0d3b49b6eea3eff22dce2838b10e8e3b03c45f31212f8d26ae31cd576f1104

f1b53f5353fa9ba6ddce5df301e28b5c68947f032463c220d163d03ab95832ef

+ 33 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

upx

Link:

https://tria.ge/reports/210706-cxjamx524a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Drops file in Windows directory

Enumerates connected drives

Loads dropped DLL

Executes dropped EXE

UPX packed file

ACProtect 1.3x - 1.4x DLL software

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Legit

Score:

0.25

Link:

https://yomi.yoroi.company/submissions/b9419212183e9e1f580d0de9dc600ee6bb53be32bb4363b8ca06631f040d228a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Adsterra_Adware_DOM Create hunting rule
Author:	IlluminatiFish
Description:	Detects Adsterra adware script being loaded without the user's consent

Rule name:	suspicious_msi_file Create hunting rule
Author:	Johnk3r
Description:	Detects common strings, DLL and API in Banker_BR

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/169824/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample