MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dad37940e538341866ebd7391e0a5a9ca91909ba35b984c36387f88b248d2d3c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dad37940e538341866ebd7391e0a5a9ca91909ba35b984c36387f88b248d2d3c
SHA3-384 hash: 8c1d10505c0a726a0f6bd518780094ed6df74e564a1fc17364ee479da2d18460ed3d1ac99208895f0866ee0728639909
SHA1 hash: 0add7e5289ad44d2a934cdc88e00305a0dcc9a53
MD5 hash: a65a345f461c165a5a61ff68156bec5f
humanhash: september-pluto-six-dakota
File name:D.1650379792.msi
Download: download sample
File size:4'520'960 bytes
First seen:2022-04-19 23:31:28 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:oRM+r1ldBEz8tHSESv1HKRASJv+fR9FxI02SME30P7ArOR6TKWRrVYFytgOYL8A:P+r1nmMYDR912VE327ANRxqytgOYIA
Threatray 501 similar samples on MalwareBazaar
TLSH T144268CA7B2C9793EC0AA06369537AB18993FBB612612CC1707F50D4CCF35440B67AE5B
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter dodosec
Tags:banking brazil msi


Avatar
dodo_sec
Distributed via e-mail (ATENCAO! Seu boleto foi atualizado com novo valor - id (646661)) link:

comsotrackboaindustriax[.]com/anexos/ > oslodesign[.]duckdns[.]org/70453477219/

MSI runs nakdg.dll with export manoaxotadaminhaminaeacoisamaisgostrjadhuad. This PE is geofenced by language (spanish and portuguese) - if the lang test is successful it'll reach out to 167.114[.]192.4:4456/dnpx1904.zip and download a file that needs to be decrypted into a zip.

That file uses DLL side loading into a legitimate application (autoIT) to inject a malicious library with binary padding in a way that reminds me of Ousaban

Intelligence

File Origin
# of uploads :
1
# of downloads :
268
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/264739/
Detection(s):
SecuriteInfo.com.RDMK.cmRtazpKxKzi0pVLtXUmAmezzdjf.17904.UNOFFICIAL
Create hunting rule

PUA.Win.Packer.Exe-6
Create hunting rule

Sanesecurity.Badmacro.Xls.credriv.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
control.exe expand.exe grandoreiro remote.exe replace.exe
Link:
https://www.filescan.io/uploads/625f467cffe27d511910c261/reports/254a89d0-44df-4c57-af0b-0fd006c75ffc/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/dad37940e538341866ebd7391e0a5a9ca91909ba35b984c36387f88b248d2d3c
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/979201
Signature
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dad37940e538341866ebd7391e0a5a9ca91909ba35b984c36387f88b248d2d3c/
Threat name:
Win32.Trojan.Alien
Create hunting rule
Status:
Malicious
First seen:
2022-04-19 23:32:12 UTC
File Type:
Binary (Archive)
Extracted files:
115
AV detection:
18 of 26 (69.23%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1a31b1a45f4549fca08fa4a8ae0f4ee1120dae090cb624d203058093f8b6d0d2
1cce084dfad9033bf86425313b45b5eb3920123fc2f8c332f0c2f4506cd948b1
1dc5c4d45bddb494f88e347f3edcd53d23ccbdbe7209de6d5f2a34b34f3f4e20
36bd5616fec9430c14a3b7c80af13d7ed24cf506e4e0a20cd6fd3e7d99221f16
4174273461be09741fa884000332f703451d3e487d37c78128018b224276d35f
6d14bb5ee2d7b2ecb28530324e7452a48476c79f7ded0a5727035d74744e5772
9a70a9ac1c49054d3ae1d86d24d111f42e94dabbb102a36a33fe54553c4a5d40
accb6b7f0cf949b35ce48fc284ab1b2c400cc1586f7643847583eba28084a86b
b715ecf06a29721822c20c14ad6c6d4997996ad315a0556e5880ebb8568d2eff
f209e42a76bd1c0641c50c8e22948ac19fa32b39fb63117715872bc43a50b448
+ 491 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220419-3h9dkaffh5/
Behaviour
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Drops file in System32 directory
Enumerates connected drives
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.25
Link:
https://yomi.yoroi.company/submissions/dad37940e538341866ebd7391e0a5a9ca91909ba35b984c36387f88b248d2d3c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Link
https://tria.ge/220419-smk7eshcc8/behavioral1
  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/264739/

Comments