MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c46837174f6b770db91fb663d9670376cdfd54894daa19694537d1d6100013b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Metamorfo


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c46837174f6b770db91fb663d9670376cdfd54894daa19694537d1d6100013b1
SHA3-384 hash: 2bd832319b79a039d8d0f50107415c758d7f2a302905cc123ea18393bc2da914ddd082077c2e9d331f12fa5e1032e4fa
SHA1 hash: ae944bddd30fed4591f99c58675178aa383a8cbe
MD5 hash: 4088d3a7233dceb398316a235c42282d
humanhash: spring-red-lion-sink
File name:FACTURAS EMITIDAS.46.564.msi
Download: download sample
Signature Metamorfo
Create hunting rule
File size:269'824 bytes
First seen:2021-09-20 05:34:32 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 3072:Qm46fFq9m3DcYoAQwgz88ereWn/7w05g0ZXMcB3RUN46ILJ9+ZB5yOan8M:Qm4y33DcYoAh8er1nzTArXM
Threatray 137 similar samples on MalwareBazaar
TLSH T197447E06B3D5437AE4DB03721B8F93628A72EC788673812B1649750E2EF1554B7B73E2
Reporter abuse_ch
Tags:MetaMorfo msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/189201/
Detection(s):
SecuriteInfo.com.RDMK.cmRtazpKxKzi0pVLtXUmAmezzdjf.17904.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.JS.Obfus-679.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.JS.Obfus-1914.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/c46837174f6b770db91fb663d9670376cdfd54894daa19694537d1d6100013b1
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/853742
Signature
Multi AV Scanner detection for submitted file
Uses dynamic DNS services
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c46837174f6b770db91fb663d9670376cdfd54894daa19694537d1d6100013b1/
Threat name:
Script-JS.Trojan.Bomber
Create hunting rule
Status:
Malicious
First seen:
2021-09-17 02:43:00 UTC
AV detection:
9 of 28 (32.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yrudof2pnn3q3oi7wzr5szydo3g72vejjwvbs2kfg7i5meaacoyq._file
Verdict:
malicious
Similar samples:
050101efe78ce42e5221774b5bb1a6eed551cbf3892576b5f6bf3b80abf54441
Metamorfo
1a0a61ed57b4499b6272ca7d5941f474603225de82fe319a4dca3a82c1d25e29
Metamorfo
200ce9428c79c6ab77c106907a8456c9d06949a5f018696e077ae3e24d28db83
Metamorfo
2f5958ef72eab8ecb7d91cba766ea7324502fc70797f7668afa9dcc9fa7ab431
Metamorfo
3f145e6eb89b9f7f01080d21b89ea423b288eaa00c8d760e5cb40b6ef5e0b366
Metamorfo
7d032cf5a3ec4a12b99fcead2545988af15e654169c9a4074c3425be99c3188a
Metamorfo
9f0d3b49b6eea3eff22dce2838b10e8e3b03c45f31212f8d26ae31cd576f1104
Metamorfo
cb4f55308ba1f8617c00505983b42da10d704960a1dbef03075f370015f6f21b
Metamorfo
d12aaafe501c2895f40cdfb7704266cfb6b11ecb2e774f004eb35b336027b9b3
Metamorfo
d299d7ce8e47854b3f9d86dbe7acbfe76b248ac96c70ee90529f54219fa66f3b
Metamorfo
+ 127 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
macro xlm
Link:
https://tria.ge/reports/210920-f93c1adaf5/
Behaviour
Script User-Agent
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Enumerates connected drives
Loads dropped DLL
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Metamorfo
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/c46837174f6b770db91fb663d9670376cdfd54894daa19694537d1d6100013b1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:metamorfo_msi
Create hunting rule
Author:jeFF0Falltrades
Description:This is a simple, albeit effective rule to detect most Metamorfo initial MSI payloads
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR
Rule name:win_unidentified_072_w0
Create hunting rule
Author:jeFF0Falltrades
Description:This is a simple, albeit effective rule to detect most Metamorfo initial MSI payloads

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/189201/

Comments