MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bce48ec3b80249139b88d43fef0b6f99aab42c80c1d8fc09b20d721a285825d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 5



SHA256 hash: bce48ec3b80249139b88d43fef0b6f99aab42c80c1d8fc09b20d721a285825d5
SHA3-384 hash: c16ae9c35ce858451007d8e8d541f2c4911d06ac766d141072bdbe3c7ea6e1b9b48da042cfbd92e229396bc0363342f2
SHA1 hash: 87a7137469282ebbdea48ee66ff0a46ad50deefa
MD5 hash: 9bc114c36b31b11466287b32d409e7ff
humanhash: william-vegan-hot-grey
File name: 318418.114.50973.911629.msi
File size: 266'240 bytes
First seen: 2021-11-26 06:07:04 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep 3072:o3spAtOImXwCGjtYNKbYO2gjpcm8rRuqpjCLw2loHUvU4yGxr53qM2a8KVTH07:oBtOIiRQYpgjpjew5LLyGx1qo8yHi
Threatray 12 similar samples on MalwareBazaar
TLSH T10C446B513BC9C13AD2AE063785BA9766363A7D310B30D0CF77947D6C9E306D2AA39352
Reporter JAMESWT_WT
Tags:msi
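Before analysing a sample obtained from this entry, confirm that the file on disk is the one the page describes. The following Python is an added example, not code from MalwareBazaar: it recomputes the four hashes listed above with the standard hashlib module, compares the size, and checks that the file starts with the OLE2 compound-file header that every MSI package carries (the magic bytes D0 CF 11 E0 A1 B1 1A E1, a standard constant not taken from the page). The sample-path argument and the byte strings used in the self-check are assumptions for the example.

```python
import hashlib
import sys
from pathlib import Path

# Hashes and size published in this MalwareBazaar entry (copied from the page).
ENTRY_HASHES = {
    "md5": "9bc114c36b31b11466287b32d409e7ff",
    "sha1": "87a7137469282ebbdea48ee66ff0a46ad50deefa",
    "sha256": "bce48ec3b80249139b88d43fef0b6f99aab42c80c1d8fc09b20d721a285825d5",
    "sha3_384": "c16ae9c35ce858451007d8e8d541f2c4911d06ac766d141072bdbe3c7ea6e1b9b48da042cfbd92e229396bc0363342f2",
}
ENTRY_SIZE = 266_240

# MSI packages are OLE2 compound files; the format's fixed 8-byte header (standard value, not from the page).
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


def compute_hashes(data: bytes) -> dict:
    """Hex digests for every algorithm the entry publishes; hashlib exposes all four by these names."""
    return {name: getattr(hashlib, name)(data).hexdigest() for name in ENTRY_HASHES}


def check_sample(data: bytes, expected: dict = ENTRY_HASHES, expected_size: int = ENTRY_SIZE) -> dict:
    """Per-check verdicts. Every value must be True before the bytes are treated as this entry's sample."""
    actual = compute_hashes(data)
    report = {name: actual[name] == expected[name].lower() for name in expected}
    report["size"] = len(data) == expected_size
    report["ole2_magic"] = data[:8] == OLE2_MAGIC
    return report


def is_entry_sample(data: bytes) -> bool:
    return all(check_sample(data).values())


if __name__ == "__main__":
    # Usage: python verify_sample.py <path to the extracted sample file>  (path is an assumption)
    if len(sys.argv) != 2:
        sys.exit("usage: verify_sample.py <sample-path>")
    blob = Path(sys.argv[1]).read_bytes()
    for check, ok in check_sample(blob).items():
        print(f"{check:10s} {'OK' if ok else 'MISMATCH'}")
    sys.exit(0 if is_entry_sample(blob) else 1)
```

A mismatch on any hash means the archive was corrupted, the wrong file was extracted, or the file was modified in transit; a correct SHA256 with a failed magic check would mean the page's file-type field and the bytes disagree, which is worth noting in the comments of the entry.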

Intelligence


File Origin
# of uploads :
1
# of downloads :
148
Origin country :
n/a
Vendor Threat Intelligence
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
fingerprint packed
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Signature
Antivirus detection for URL or domain
Obfuscated command line found
Sigma detected: Execution from Suspicious Folder
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious MSHTA Process Patterns
Suspicious powershell command line found
Behaviour
Behavior Graph (ID 528968; sample 318418.114.50973.911629.msi; start date 26/11/2021; architecture WINDOWS; score 72)
Top-level signatures: Antivirus detection for URL or domain; Sigma detected: Mshta Spawning Windows Shell; Sigma detected: Suspicious MSHTA Process Patterns; 2 other signatures
Process tree (children indented under their parent; dropped files, network contacts and signatures listed under the process they belong to; truncated paths are as shown on the page):
msiexec.exe
    dropped: C:\Windows\Installer\MSIFF7.tmp (PE32)
    msiexec.exe
        signature: Obfuscated command line found
        cmd.exe
            signatures: Suspicious powershell command line found; Obfuscated command line found
            cmd.exe
                mshta.exe
                    network: ptailb.uythgfnbv.one (104.21.65.221), source port 49710 to port 80, CLOUDFLARENETUS, United States
                    dropped: C:\Users\Public\Videos\...\in.exe (PE32)
                    signature: Obfuscated command line found
                    cmd.exe
                        signature: Suspicious powershell command line found
                        powershell.exe
                            conhost.exe
                            setupcl.exe
                        conhost.exe
                        timeout.exe
                    cmd.exe
                        dropped: C:\Users\Public\lv (ASCII)
                        conhost.exe
                    in.exe
                        conhost.exe
                    6 other processes
                        conhost.exe (3 instances)
                        3 other processes
            conhost.exe
            cmd.exe
        expand.exe
            dropped: C:\...\f9775bd250ab8444b273736f63b149cd.tmp (PE32+); C:\Users\user\AppData\...ap3Host.exe (copy) (PE32+)
            conhost.exe
        icacls.exe
            conhost.exe
        3 other processes
            conhost.exe (2 instances)
msiexec.exe
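The chain the sandbox recorded (msiexec to cmd to mshta, mshta spawning cmd and PowerShell, a PE dropped under C:\Users\Public and executed, and a connection to ptailb.uythgfnbv.one) is what the Sigma signatures listed above fire on. The following Python is an added example, not the sandbox's or Sigma's own code: it encodes simplified versions of those four signatures plus a match on this entry's network IOC, and runs them over constructed process-creation and connection events modelled on the tree above. The command lines, the non-truncated path C:\Users\Public\Videos\in.exe, the benign events and the 203.0.113.5 address are all constructed for the example; the rule logic is an approximation of the Sigma rules' intent, not their exact text.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record, as an EDR or Sysmon event ID 1 would supply it."""
    pid: int
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class NetEvent:
    """One outbound connection record, as a Sysmon event ID 3 or proxy log would supply it."""
    pid: int
    host: str
    ip: str
    port: int


WINDOWS_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Folders from which installers rarely launch executables (approximation of the Sigma idea, not the rule text).
SUSPICIOUS_FOLDERS = ("\\users\\public\\", "\\perflogs\\", "\\windows\\temp\\", "\\programdata\\")
# Switches and cmdlets typical of obfuscated or download-and-execute PowerShell one-liners.
POWERSHELL_MARKERS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden", "-nop",
                      "bypass", "iex", "downloadstring", "frombase64string")
# Network IOC from this entry's sandbox run.
IOC_DOMAINS = {"ptailb.uythgfnbv.one"}
IOC_IPS = {"104.21.65.221"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def mshta_spawning_shell(ev: ProcEvent) -> bool:
    return basename(ev.parent_image) == "mshta.exe" and basename(ev.image) in WINDOWS_SHELLS


def suspicious_mshta_pattern(ev: ProcEvent) -> bool:
    # mshta.exe handed a URL or inline script is how the sample reached its download domain.
    cl = ev.command_line.lower()
    return basename(ev.image) == "mshta.exe" and any(m in cl for m in ("http://", "https://", "vbscript:", "javascript:"))


def execution_from_suspicious_folder(ev: ProcEvent) -> bool:
    return any(folder in ev.image.lower() for folder in SUSPICIOUS_FOLDERS)


def suspicious_powershell_cmdline(ev: ProcEvent) -> bool:
    cl = ev.command_line.lower()
    return basename(ev.image) in POWERSHELL and any(m in cl for m in POWERSHELL_MARKERS)


RULES = {
    "mshta_spawning_shell": mshta_spawning_shell,
    "suspicious_mshta_pattern": suspicious_mshta_pattern,
    "execution_from_suspicious_folder": execution_from_suspicious_folder,
    "suspicious_powershell_cmdline": suspicious_powershell_cmdline,
}


def run_rules(events: Iterable[ProcEvent]) -> List[Tuple[str, int, str]]:
    """Return (rule, pid, image basename) for every rule that matches every event."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev.pid, basename(ev.image)))
    return hits


def network_ioc_hits(events: Iterable[NetEvent]) -> List[NetEvent]:
    return [e for e in events if e.host.lower() in IOC_DOMAINS or e.ip in IOC_IPS]


# Constructed events modelled on the behaviour graph; command lines and the in.exe path are invented.
EVENTS = [
    ProcEvent(1, r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c <constructed>"),
    ProcEvent(2, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c <constructed>"),
    ProcEvent(3, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\mshta.exe",
              "mshta.exe http://ptailb.uythgfnbv.one/<constructed-path>"),
    ProcEvent(4, r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c <constructed>"),
    ProcEvent(5, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -nop -enc <constructed-base64>"),
    ProcEvent(6, r"C:\Windows\System32\mshta.exe", r"C:\Users\Public\Videos\in.exe", "in.exe"),
    ProcEvent(7, r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt"),  # benign
]
NET_EVENTS = [
    NetEvent(3, "ptailb.uythgfnbv.one", "104.21.65.221", 80),
    NetEvent(7, "example.invalid", "203.0.113.5", 443),  # constructed benign, documentation address
]

if __name__ == "__main__":
    for hit in run_rules(EVENTS):
        print("process rule:", hit)
    for ne in network_ioc_hits(NET_EVENTS):
        print("network IOC:", ne)
```

The benign explorer-to-notepad event and the documentation-range connection produce no hits, which is the point of keeping them in the sample set: a rule that also fires on them is too broad for production use. Note that the Cloudflare address 104.21.65.221 is shared infrastructure, so the domain is the durable indicator; blocking or alerting on the IP alone will produce false positives.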
Threat name:
Document-OLE.Trojan.Alien
Status:
Malicious
First seen:
2021-11-26 06:05:05 UTC
File Type:
Binary (Archive)
Extracted files:
28
AV detection:
2 of 45 (4.44%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery
Behaviour
Checks SCSI registry key(s)
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Enumerates connected drives
Loads dropped DLL
Modifies file permissions
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments