MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bd62d3808ef29c557da64b412c4422935a641c22e2bdcfe5128c96f2ff5b5e99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 7

SHA256 hash: bd62d3808ef29c557da64b412c4422935a641c22e2bdcfe5128c96f2ff5b5e99
SHA3-384 hash: 6f19c4a78a17e961f6caecf4b385230a79bf8468330d872a3e48e25b8fdc9990afdd8d787431a60533d549f161eda01c
SHA1 hash: c93faf26921c337097d0eae6c19aef14543a3af5
MD5 hash: c80be0007d8734d4062f1bbb4bed6d11
humanhash: echo-arizona-lake-network
File name: Setup (1).msi
File size: 4'648'960 bytes
First seen: 2024-05-02 07:23:39 UTC
Last seen: 2024-05-02 08:30:13 UTC
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 49152:quqUitd+vszAlozTy4g5q8+5eNBA8j2WfWW9CdDLwYj0A58V3cQ3azCHknkQRAYN:HihTymWjXEjCDvk5gU9mcZbg6QI
Threatray: 127 similar samples on MalwareBazaar
TLSH: T1DC26AE21BA8AC136E67E41729A68EB6B65797EF20B7144CB73DC3C6A0E704C15271F07
TrID: 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
      10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
      7.8% (.MSP) Windows Installer Patch (44509/10/5)
      1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter: likeastar20
Tags: Adware msi PUP signed

Code Signing Certificate

Organisation: Dragon Boss Solutions LLC
Issuer: GlobalSign GCC R45 CodeSigning CA 2020
Algorithm: sha256WithRSAEncryption
Valid from: 2023-12-04T15:11:35Z
Valid to: 2026-12-04T15:11:35Z
Serial number: 7375c0d80a6d42c30f864a9e
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint algorithm: SHA256
Thumbprint: ffcf7a0a63ae106ced1e6f36d6a7065427565c7e0d931a17a01df398b16351d9
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 169
Origin country: RO
Vendor Threat Intelligence

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm CAB evasive fingerprint installer lolbin msiexec remote shell32

Verdict: Malicious
Labelled as: DragonBossSolutions.B potentially unwanted application

Result
Threat name: n/a
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature:
- Antivirus detection for URL or domain
- Bypasses PowerShell execution policy
- Contains functionality to detect sleep reduction / modifications
- Loading BitLocker PowerShell Module
- Maps a DLL or memory area into another process
- Multi AV Scanner detection for domain / URL
- Multi AV Scanner detection for dropped file
- Multi AV Scanner detection for submitted file
- Sigma detected: Suspicious Chromium Browser Instance Executed With Custom Extension
- Tries to harvest and steal browser information (history, passwords, etc)
- Yara detected MalDoc
Behaviour
Behavior Graph ID: 1435208 (sample: Setup (1).msi; start date: 02/05/2024; architecture: WINDOWS; score: 100)
[Behavior graph image omitted: process tree of msiexec.exe, msedge.exe, chrome.exe and powershell.exe instances with their dropped files and contacted domains/IPs.]
Threat name: Win32.PUA.Generic
Status: Suspicious
First seen: 2023-12-15 02:14:04 UTC
File type: Binary (Archive)
Extracted files: 98
AV detection: 14 of 24 (58.33%)
Threat level: 1/5

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour:
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- Uses Volume Shadow Copy service COM API
- Drops file in Program Files directory
- Drops file in Windows directory
- Loads dropped DLL
- Drops file in System32 directory
- Blocklisted process makes network request
- Enumerates connected drives
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Detect_LATAM_MSI_Banker

Rule name: maldoc_find_kernel32_base_method_1
Author: Didier Stevens (https://DidierStevens.com)

Rule name: maldoc_OLE_file_magic_number
Author: Didier Stevens (https://DidierStevens.com)

Rule name: NET
Author: malware-lu

Rule name: suspicious_msi_file
Author: Johnk3r
Description: Detects common strings, DLL and API in Banker_BR

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments