MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7acc959e7dab12dd53aebb53fd10e05f0e201f0b348bed7bc5136a1463ca7ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Metamorfo


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c7acc959e7dab12dd53aebb53fd10e05f0e201f0b348bed7bc5136a1463ca7ff
SHA3-384 hash: 9a74f38f690f57323520a7c086f47533b207f65f03a7448ac2b849e0eadb51866b07a60eac0ea342a37ac21a884f48c8
SHA1 hash: 0366e76a6d67da811922b2be553f0901126ffab8
MD5 hash: d833ede15b113ee3e51a9aa3a0e33b57
humanhash: harry-glucose-kilo-hamper
File name:NFE_5394.msi
Download: download sample
Signature Metamorfo
Create hunting rule
File size:576'000 bytes
First seen:2022-02-09 14:40:55 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 12288:PtRhfYBowv43bqKlRH1Vq9iyXHA/PJGCN:PtRZYBowvitjVqoAHA/P
Threatray 11 similar samples on MalwareBazaar
TLSH T1F1C49E2172DAC936C87F06B06D3EC79A56697D6447F2C4EB13C86D1E0DB39C15232EA2
Reporter abuse_ch
Tags:BRA geo MetaMorfo msi


Avatar
abuse_ch
Metamorfo payload URLs:
http://13.58.89.178//vaafrw//OIUYTREWFGNLJFD.gif
http://13.58.89.178//vaafrw//YTREDFBNJHGFXCC.png

Metamorfo C2:
http://13.58.89.178/contador/serv.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
155
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/239601/
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe remote.exe shell32.dll update.exe
Link:
https://www.filescan.io/uploads/6203d286c79b424d720b31c1/reports/5b22012f-3d39-4f6a-94b9-0a6d17ed0369/overview
Result
Verdict:
SUSPICIOUS
Link:
https://labs.inquest.net/dfi/sha256/c7acc959e7dab12dd53aebb53fd10e05f0e201f0b348bed7bc5136a1463ca7ff
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/937185
Signature
Antivirus detection for URL or domain
Connects to a pastebin service (likely for C&C)
Detected VMProtect packer
Downloads files with wrong headers with respect to MIME Content-Type
Hides threads from debuggers
Machine Learning detection for dropped file
Multi AV Scanner detection for domain / URL
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Sigma detected: Execution from Suspicious Folder
Sigma detected: Suspicious Program Location with Network Connections
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction which cause usermode exception
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 569660 Sample: NFE_5394.msi Startdate: 09/02/2022 Architecture: WINDOWS Score: 100 47 pastebin.com 2->47 53 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->53 55 Multi AV Scanner detection for domain / URL 2->55 57 Antivirus detection for URL or domain 2->57 59 9 other signatures 2->59 8 msiexec.exe 3 17 2->8         started        11 nQG6eUF1xFF6dXG6sMG3cXD3.exe 2->11         started        14 msiexec.exe 3 2->14         started        16 nQG6eUF1xFF6dXG6sMG3cXD3.exe 2->16         started        signatures3 process4 file5 39 C:\Windows\Installer\MSIF19.tmp, PE32 8->39 dropped 41 C:\Windows\Installer\MSI146B.tmp, PE32 8->41 dropped 43 C:\Windows\Installer\MSI1303.tmp, PE32 8->43 dropped 45 C:\Windows\Installer\MSI11D9.tmp, PE32 8->45 dropped 18 msiexec.exe 1 16 8->18         started        65 Tries to evade analysis by execution special instruction which cause usermode exception 11->65 67 Tries to detect virtualization through RDTSC time measurements 11->67 69 Hides threads from debuggers 11->69 signatures6 process7 dnsIp8 49 13.58.89.178, 49758, 49815, 80 AMAZON-02US United States 18->49 27 C:\Users\user\...\OIUYTREWFGNLJFD[1].gif, PE32 18->27 dropped 29 C:\Users\Public\Documents\expatai.dll, PE32 18->29 dropped 31 C:\Users\Public\...\8 CDUDKKIF ZA 6D  U .exe, PE32 18->31 dropped 33 C:\Users\user\...\YTREDFBNJHGFXCC[1].png, PE32 18->33 dropped 22 8 CDUDKKIF ZA 6D  U .exe 1 7 18->22         started        file9 process10 dnsIp11 51 pastebin.com 104.23.98.190, 443, 49775, 49818 CLOUDFLARENETUS United States 22->51 35 C:\Users\...\nQG6eUF1xFF6dXG6sMG3cXD3.exe, PE32 22->35 dropped 37 C:\Users\user\AppData\Local\...\expatai.dll, PE32 22->37 dropped 61 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 22->61 63 Hides threads from debuggers 22->63 file12 signatures13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c7acc959e7dab12dd53aebb53fd10e05f0e201f0b348bed7bc5136a1463ca7ff/
Threat name:
Script.Downloader.SLoad
Create hunting rule
Status:
Malicious
First seen:
2022-02-09 14:41:12 UTC
File Type:
Binary (Archive)
Extracted files:
54
AV detection:
3 of 43 (6.98%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=y6wmswph3kys3vj25o2t7uioaxyoeapqwnel5v54ke3kcrr4u77q._file
Verdict:
unknown
Similar samples:
153a5a770e7594794ce3ac19121c1ad44edc6acdf4e4ae6d77adbd964ae6609e
Metamorfo
156918efc8e657852589588c4211c99320605a0a0ecbb0a8fc22b3554e048847
Metamorfo
34dfef94da4c0b42270045798534781b109a84399229db5150ac553805067695
Metamorfo
522db4e152583bbf8b7ae3690216acb186fd67f35046d25b2dfb088e6f4aac9d
Metamorfo
52b32d417e469fddb09b2a14747de6b8dcef327c8f5f76bcec79bc678be87c54
Metamorfo
59a3f7c8511f22a6e48ec6a8f058fefaa3c881c0577bde3cf3ba34ef5688990b
Metamorfo
aee732049a8e5aacf18d9b558e8fdeb099d0a4ea83249af1919aee9d6015d08e
Metamorfo
af5a401ad1b885562640ee6206f950bfb9f7de9ca3df0e43df834a8cdc9d6f56
Metamorfo
e30b091e3162eed18f8c1b6a69bb7a28a4c722128456ee36a326a79a3367f514
Metamorfo
ea6793e52d123e1381764d06e53d0fa77ef9172c16488090660bcf5bce1df03b
Metamorfo
+ 1 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence suricata vmprotect
Link:
https://tria.ge/reports/220209-r2fd2sagem/
Behaviour
NTFS ADS
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Loads dropped DLL
Blocklisted process makes network request
Downloads MZ/PE file
Executes dropped EXE
VMProtect packed file
suricata: ET MALWARE Windows Executable Downloaded With Image Content-Type Header
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
URLhaus
https://urlhaus.abuse.ch/host/13.58.89.178/
Cape
Cape
https://www.capesandbox.com/analysis/239601/

Comments