MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c60806d69301037449ee9c025f0a5da6325407d17de85300772ea65668c902e0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Magniber

Vendor detections: 6

SHA256 hash: c60806d69301037449ee9c025f0a5da6325407d17de85300772ea65668c902e0
SHA3-384 hash: 50c6c5d5ff559ce18d115c90b4c1c87c1a0154e4edd5d17d79809ab613fa97cc9568b984aebab4e5037fae4884872128
SHA1 hash: dd074624af1b8a6f47c3b5d30671c555d375e476
MD5 hash: 0633019cf4a7efed20e27db8d63c4df9
humanhash: xray-nebraska-lamp-vegan
File name: 612b6d.msi
Signature: Magniber
File size: 102,400 bytes
First seen: 2022-06-01 13:15:00 UTC
Last seen: 2022-06-01 13:24:45 UTC
File type: Microsoft Software Installer (MSI), .msi
MIME type: application/x-msi
ssdeep: 768:+s2vqGutLMoWiKOyvTTDsfkFmuxfkfccUWnVhvlsyWMDCTyWMDC0Yifxj:/RMTiyTvjFm8kfM2Vo0D80DZ7fx
Threatray: 71 similar samples on MalwareBazaar
TLSH: T1D5A392D120538B23C090823B4199F7660FA17E294BD19ED2D6EC72E4D537C576EFAC8A
TrID: 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5); 11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
The TrID guess of .MST is a container-level confusion rather than a mis-typed file: MSI packages and MST transforms are both OLE2 compound documents, which is also why the second-ranked match is generic OLE2.
Reporter: obfusor
Tags: Magniber msi Ransomware signed
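Before analysing a copy of this sample, confirm it is the file the entry describes. The script below is an added example, not MalwareBazaar code: it reads a file once, computes the four digests the entry lists (MD5, SHA1, SHA256, SHA3-384) in a single pass, and reports every published value, size included, that the local copy fails to match. The digests and the size are copied from the entry; `verify_file`, `verify_bytes` and the other function names are this example's own.

```python
"""Check a local copy of the sample against the digests published in this entry.

Added example; not part of MalwareBazaar. Every chunk read from the file is fed
to all four hashers, so a 100 KB or a 1 GB sample costs one pass over the file.
"""
import hashlib
from pathlib import Path
from typing import Dict, Iterable, List, Tuple, Union

# Values copied from the entry above.
EXPECTED = {
    "md5": "0633019cf4a7efed20e27db8d63c4df9",
    "sha1": "dd074624af1b8a6f47c3b5d30671c555d375e476",
    "sha256": "c60806d69301037449ee9c025f0a5da6325407d17de85300772ea65668c902e0",
    "sha3_384": "50c6c5d5ff559ce18d115c90b4c1c87c1a0154e4edd5d17d79809ab613fa97cc"
                "9568b984aebab4e5037fae4884872128",
}
EXPECTED_SIZE = 102_400  # bytes, as listed under "File size"

ALGORITHMS = tuple(EXPECTED)  # md5, sha1, sha256, sha3_384: all in hashlib


def digest_chunks(chunks: Iterable[bytes]) -> Tuple[int, Dict[str, str]]:
    """Return (byte count, {algorithm: hex digest}) for a stream of chunks."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    size = 0
    for chunk in chunks:
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    return size, {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data: bytes) -> Tuple[int, Dict[str, str]]:
    return digest_chunks([data])


def digest_file(path: Union[str, Path],
                chunk_size: int = 1 << 20) -> Tuple[int, Dict[str, str]]:
    with open(path, "rb") as fh:
        return digest_chunks(iter(lambda: fh.read(chunk_size), b""))


def mismatches(size: int, digests: Dict[str, str],
               expected: Dict[str, str] = EXPECTED,
               expected_size: int = EXPECTED_SIZE) -> List[str]:
    """List every published value the local file fails to match (empty == match)."""
    problems = []
    if size != expected_size:
        problems.append(f"size: got {size}, expected {expected_size}")
    for name, want in expected.items():
        got = digests.get(name)
        if got is None or got.lower() != want.lower():
            problems.append(f"{name}: got {got}, expected {want}")
    return problems


def verify_bytes(data: bytes, expected: Dict[str, str] = EXPECTED,
                 expected_size: int = EXPECTED_SIZE) -> List[str]:
    size, digests = digest_bytes(data)
    return mismatches(size, digests, expected, expected_size)


def verify_file(path: Union[str, Path], expected: Dict[str, str] = EXPECTED,
                expected_size: int = EXPECTED_SIZE) -> List[str]:
    size, digests = digest_file(path)
    return mismatches(size, digests, expected, expected_size)


if __name__ == "__main__":
    import sys
    problems = verify_file(sys.argv[1])
    print("OK: file matches the entry" if not problems else "\n".join(problems))
    sys.exit(1 if problems else 0)
```

Run it as `python verify_sample.py 612b6d.msi`; a non-zero exit with the list of mismatching fields means you are holding a different file (a re-packed copy, a truncated download, or the wrong sample) and none of the analysis on this page should be assumed to apply to it.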

Code Signing Certificate

Organisation: Foresee Consulting Inc.
Issuer: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm: sha256WithRSAEncryption
Valid from: 2021-11-24T00:00:00Z
Valid to: 2022-11-23T23:59:59Z
Serial number: 0bc0f18da36702e302db170d91dc9202
Intelligence: 37 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint algorithm: SHA256
Thumbprint: 904c0e30b8cb190bc90530f5c34f10394bebb4098701c0f2f6f1b33d3aab86a9
Source: ReversingLabs A1000 Malware Analysis Platform

The sample's first-seen date (2022-06-01) falls inside the certificate's validity window, so at that time the signature chained to a publicly trusted DigiCert CA and verified as valid. A valid signature is therefore no evidence that the file is benign; the serial number and thumbprint above are the values to block, and to hunt for across the other samples signed with this certificate.

Intelligence


File Origin
Uploads: 2
Downloads: 382
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: MALICIOUS
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious. (The MSI container itself is an OLE2 compound file; the PE is the MSI6041.tmp file the installer drops, see the behaviour graph below.)

Result
Threat name: Unknown
Detection: malicious
Classification: rans.evad
Score: 80 / 100
Signatures:
Antivirus / Scanner detection for submitted sample
Creates a thread in another existing process (thread injection)
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph (ID 637556, sample 612b6d.msi, start date 2022-06-01, architecture WINDOWS, score 80). The rendered graph, flattened into a process tree; numbers in brackets are the graph's node IDs:

[2] start
    signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file
    [10] msiexec.exe (started)
        dropped: [73] C:\Windows\Installer\MSI6041.tmp (PE32+)
        [15] msiexec.exe (started)
            dropped: [75] C:\Users\user\Desktop\WUTJSCBCFX.docx (data); [77] C:\Users\user\Desktop\...\ZBEDCJPBEY.xlsx (data); [79] C:\Users\user\Desktop\BPMLNOBVSB.pdf (data); [81] C:\Users\user\Documents\...\ZBEDCJPBEY.jpg (DOS)
            signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Creates a thread in another existing process (thread injection); Modifies existing user documents (likely ransomware behavior)
            [19] sihost.exe (injected)
                [25] cmd.exe (started)
                    [43] fodhelper.exe (started)
                        [61] regsvr32.exe (started)
                    [45] conhost.exe (started)
                [27] cmd.exe (started)
                    [47] fodhelper.exe (started)
                        [63] regsvr32.exe (started)
                    [49] conhost.exe (started)
                [29] regsvr32.exe (started)
            [21] svchost.exe (injected)
                [31] cmd.exe (started)
                    [55] 2 other processes
                        [67] regsvr32.exe (started)
                [33] cmd.exe (started)
                    [57] 2 other processes
                        [69] regsvr32.exe (started)
                [35] regsvr32.exe (started)
            [23] svchost.exe (injected)
                [37] cmd.exe (started)
                    [51] fodhelper.exe (started)
                        [65] regsvr32.exe (started)
                    [53] conhost.exe (started)
                [39] cmd.exe (started)
                    [59] 2 other processes
                        [71] regsvr32.exe (started)
                [41] regsvr32.exe (started)
    [13] msiexec.exe (started)
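The chain in the graph, msiexec.exe writing a PE32+ into C:\Windows\Installer, injecting into sihost.exe and svchost.exe, and those host processes spawning cmd.exe, fodhelper.exe and regsvr32.exe, is visible in ordinary process-creation telemetry without a sandbox. The Python below is an added example, not vendor or MalwareBazaar code. It runs two checks over a constructed set of Sysmon-style (pid, ppid, image) records that mirror the graph plus one benign branch: a fodhelper.exe process that has a child (fodhelper.exe is an auto-elevating Windows binary and a well-known UAC bypass vehicle, and is not expected to launch tools such as regsvr32.exe), and cmd.exe or regsvr32.exe whose parent is sihost.exe or svchost.exe. The pids, the event list and the function names are assumptions made for the illustration.

```python
"""Flag the process chain from the behaviour graph in process-creation telemetry.

Added example; not MalwareBazaar or vendor code. Works on Sysmon Event ID 1 style
records reduced to pid / ppid / image. EVENTS is constructed here to mirror the
graph (msiexec.exe -> injected sihost.exe -> cmd.exe -> fodhelper.exe ->
regsvr32.exe) plus a benign explorer.exe -> cmd.exe -> regsvr32.exe branch that
must not fire; all pids are made up.
"""
import ntpath
from collections import defaultdict
from typing import Dict, List, Tuple

SYS32 = "C:\\Windows\\System32\\"
EVENTS: List[dict] = [  # constructed sample telemetry
    {"pid": 1000, "ppid": 700,  "image": SYS32 + "msiexec.exe"},
    {"pid": 1500, "ppid": 1000, "image": SYS32 + "msiexec.exe"},
    {"pid": 1900, "ppid": 800,  "image": SYS32 + "sihost.exe"},  # pre-existing, injected
    {"pid": 2500, "ppid": 1900, "image": SYS32 + "cmd.exe"},
    {"pid": 2900, "ppid": 1900, "image": SYS32 + "regsvr32.exe"},
    {"pid": 4300, "ppid": 2500, "image": SYS32 + "fodhelper.exe"},
    {"pid": 4500, "ppid": 2500, "image": SYS32 + "conhost.exe"},
    {"pid": 6100, "ppid": 4300, "image": SYS32 + "regsvr32.exe"},
    # benign: an interactive user registering a DLL from a console
    {"pid": 7000, "ppid": 900,  "image": "C:\\Windows\\explorer.exe"},
    {"pid": 7100, "ppid": 7000, "image": SYS32 + "cmd.exe"},
    {"pid": 7200, "ppid": 7100, "image": SYS32 + "regsvr32.exe"},
]


def image_name(image: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return ntpath.basename(image).lower()


def index_events(events: List[dict]) -> Tuple[Dict[int, dict], Dict[int, List[dict]]]:
    by_pid = {e["pid"]: e for e in events}
    children: Dict[int, List[dict]] = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    return by_pid, children


def find_fodhelper_children(events: List[dict]) -> List[Tuple[str, int, str, int]]:
    """Any child of fodhelper.exe. Each hit: (parent name, fodhelper pid, child name, child pid)."""
    by_pid, children = index_events(events)
    hits = []
    for e in events:
        if image_name(e["image"]) != "fodhelper.exe":
            continue
        parent = by_pid.get(e["ppid"])
        parent_name = image_name(parent["image"]) if parent else "<unknown>"
        for child in children[e["pid"]]:
            hits.append((parent_name, e["pid"], image_name(child["image"]), child["pid"]))
    return hits


HOST_PROCESSES = {"sihost.exe", "svchost.exe"}
SHELL_TOOLS = {"cmd.exe", "regsvr32.exe"}


def find_host_process_spawns(events: List[dict]) -> List[Tuple[str, str, int]]:
    """cmd.exe / regsvr32.exe whose parent is sihost.exe or svchost.exe: the shape
    produced when an injected host process launches the next stage."""
    by_pid, _ = index_events(events)
    hits = []
    for e in events:
        if image_name(e["image"]) not in SHELL_TOOLS:
            continue
        parent = by_pid.get(e["ppid"])
        if parent and image_name(parent["image"]) in HOST_PROCESSES:
            hits.append((image_name(parent["image"]), image_name(e["image"]), e["pid"]))
    return hits


if __name__ == "__main__":
    for hit in find_fodhelper_children(EVENTS):
        print("fodhelper.exe spawned a child (UAC bypass shape):", hit)
    for hit in find_host_process_spawns(EVENTS):
        print("host process spawned a command-line tool:", hit)
```

The fodhelper check is precise on its own. The host-process check is noisier: svchost.exe legitimately launches cmd.exe through scheduled tasks and services, so treat that hit as corroboration for the fodhelper chain or for the shadow-copy and document-modification behaviours listed on this page rather than as a standalone alert; sihost.exe as the parent of a shell is far less common and is the better signal of the two.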
Threat name: Win64.Ransomware.Magniber
Status: Malicious
First seen: 2022-05-02 20:43:15 UTC (a month before this entry's MalwareBazaar first-seen date)
File type: Binary (Archive)
Extracted files: 26
AV detection: 19 of 41 (46.34%)
Threat level: 5/5

Result
Malware family: n/a
Score: 9/10
Tags: persistence ransomware
Behaviour:
Checks SCSI registry key(s)
Enumerates system info in registry
Interacts with shadow copies
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Enumerates connected drives
Loads dropped DLL
Blocklisted process makes network request
Modifies extensions of user files
Deletes shadow copies
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments