MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cb3d08dd3044e25627bc2f3e80575495f40fc11442e35a708f3f1eb28b7d82e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Metamorfo


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cb3d08dd3044e25627bc2f3e80575495f40fc11442e35a708f3f1eb28b7d82e1
SHA3-384 hash: 37bfc63fd5508750eaacd5d94da2b89309767d66802626570c7a5fd772d4a4d0ae9d5e967c98f1cd12bda5939e24a8ae
SHA1 hash: 56f8327c426952cb3f85de5927274974c9dc89b8
MD5 hash: e519d0a4bab2d08e14a5c175d431ce3e
humanhash: twenty-nineteen-orange-michigan
File name:e519d0a4bab2d08e14a5c175d431ce3e.msi
Download: download sample
Signature Metamorfo
Create hunting rule
File size:6'379'008 bytes
First seen:2021-11-22 18:51:00 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:b+QXPWTFcvpvyZYHANxSdP33SfWww2wXaJ/Bci89ZaqN+rFzO4bj/y7dYWePRpwp:yQexdcdP33SfWwwdKDFZj/QLePRpr3
Threatray 173 similar samples on MalwareBazaar
TLSH T1AA56122072CAC537D6AD02B0156E8B6F59293D210F7284E7A3DCAE3E1AF19C19731E57
Reporter abuse_ch
Tags:MetaMorfo msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
powershell
Link:
https://www.filescan.io/uploads/619be69ddd04e7d00e029a94/reports/25dccb5c-e0f7-4d6b-8e2b-c2ea89578b02/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/cb3d08dd3044e25627bc2f3e80575495f40fc11442e35a708f3f1eb28b7d82e1
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
72 / 100
Link:
https://www.joesandbox.com/analysis/894139
Signature
Bypasses PowerShell execution policy
Found Tor onion address
May use the Tor software to hide its network traffic
Powershell creates an autostart link
Powershell drops PE file
Sigma detected: Change PowerShell Policies to a Unsecure Level
Sigma detected: Suspicious Script Execution From Temp Folder
Wscript starts Powershell (via cmd or directly)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 526617 Sample: Y8xaD5nbvo.msi Startdate: 22/11/2021 Architecture: WINDOWS Score: 72 86 Found Tor onion address 2->86 88 May use the Tor software to hide its network traffic 2->88 90 Sigma detected: Change PowerShell Policies to a Unsecure Level 2->90 92 Sigma detected: Suspicious Script Execution From Temp Folder 2->92 11 msiexec.exe 21 46 2->11         started        14 wscript.exe 2->14         started        17 msiexec.exe 2 2->17         started        process3 file4 62 C:\Windows\Installer\MSI81CA.tmp, PE32 11->62 dropped 64 C:\Windows\Installer\MSI692E.tmp, PE32 11->64 dropped 66 C:\Windows\Installer\MSI6861.tmp, PE32 11->66 dropped 68 14 other files (none is malicious) 11->68 dropped 19 msiexec.exe 8 11->19         started        102 Wscript starts Powershell (via cmd or directly) 14->102 23 powershell.exe 14->23         started        25 QTLZDX.exe 14->25         started        signatures5 process6 file7 56 C:\Users\user\AppData\Local\...\scr82BF.txt, Little-endian 19->56 dropped 58 C:\Users\user\AppData\Local\...\scr82BE.ps1, Little-endian 19->58 dropped 60 C:\Users\user\AppData\Local\...\pss8428.ps1, Little-endian 19->60 dropped 94 Bypasses PowerShell execution policy 19->94 27 powershell.exe 21 39 19->27         started        32 conhost.exe 23->32         started        34 powershell.exe 23->34         started        36 conhost.exe 25->36         started        signatures8 process9 dnsIp10 78 save.nbanamend.com 172.67.207.76, 443, 49776 CLOUDFLARENETUS United States 27->78 70 C:\MWOGQM\zlib1.dll, PE32 27->70 dropped 72 C:\MWOGQM\tor.exe, PE32 27->72 dropped 74 C:\MWOGQM\tor-gencert.exe, PE32 27->74 dropped 76 11 other malicious files 27->76 dropped 98 Powershell creates an autostart link 27->98 100 Powershell drops PE file 27->100 38 wscript.exe 1 27->38         started        41 conhost.exe 27->41         started        file11 signatures12 process13 signatures14 96 Wscript starts Powershell (via cmd or directly) 38->96 43 powershell.exe 38->43         started        45 QTLZDX.exe 16 38->45         started        process15 dnsIp16 48 powershell.exe 43->48         started        50 conhost.exe 43->50         started        80 37.157.195.87, 443, 49805 WEDOSCZ Czech Republic 45->80 82 82.118.242.103, 443, 49791 VERDINABZ Bulgaria 45->82 84 4 other IPs or domains 45->84 52 conhost.exe 45->52         started        process17 process18 54 conhost.exe 48->54         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cb3d08dd3044e25627bc2f3e80575495f40fc11442e35a708f3f1eb28b7d82e1/
Threat name:
Document-OLE.Trojan.Alien
Create hunting rule
Status:
Malicious
First seen:
2021-11-22 18:51:32 UTC
File Type:
Binary (Archive)
Extracted files:
99
AV detection:
11 of 45 (24.44%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=zm6qrxjqitrfmj54f47iav2usx2a7qiuilrvu4eph4plfc35qlqq._file
Verdict:
unknown
Similar samples:
1306e24bda80da1dacddc7c7d808502407cc8b29960d807aed0327050ba32be6
Metamorfo
23cfbb0bf1e110a79678f45c29897e6090b660d3df420bbb916fc3f1bc12eead
Metamorfo
268953af63bad4895dd06c024fd1ec2af2c134623a0e100e26894e4d6bab741e
Metamorfo
6269fd417f93e7c0d7cab576b35dc3b6f6a58c0f04e75533bad84987c228f0e6
Metamorfo
75fa551eec71d6d8b9817266813715c2bbb7a537005587f9f1e0d058a05febc6
Metamorfo
a181b562122fb3752137474073f22e1b2b1b4cc82a5269e73847a0e2e212cd56
Metamorfo
af3b8311c191d529461c48cdc5af00df25735fab439aa7570685b6c09635bc9c
Metamorfo
df00279749a73b854f3d6415a49e7cd0ea507b69b510d7505f2ca7c908d25a4a
Metamorfo
e7d2deba4fccbea79ffa209ebe0ce49f98aecfb340c8d6ec3ea1773cb12cb07e
Metamorfo
+ 163 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/211122-xhhb7agfdn/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Enumerates connected drives
Drops startup file
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
Malware Config
Dropper Extraction:
https://autoatendimento.bb.com.br/apf-apj-acesso/#/transacao/acesso-empresa/0?v=2.28.10&t=1&tipoCliente=empresa
https://www2.bancobrasil.com.br/aapf/login.html#/acesso-aapf-agencia-conta
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cb3d08dd3044e25627bc2f3e80575495f40fc11442e35a708f3f1eb28b7d82e1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Metamorfo

Microsoft Software Installer (MSI) msi cb3d08dd3044e25627bc2f3e80575495f40fc11442e35a708f3f1eb28b7d82e1

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1805902/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1805903/
  
URLhaus
https://urlhaus.abuse.ch/url/1805907/
  
URLhaus
https://urlhaus.abuse.ch/url/1805919/
  
URLhaus
https://urlhaus.abuse.ch/url/1806537/
  
URLhaus
https://urlhaus.abuse.ch/url/1806544/
Cape
Cape
https://www.capesandbox.com/analysis/208329/

Comments