MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dcacb6e6cd979249275767b31c9d0250101d3627c525011e9f4d66581dbb7722. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat: unknown
Vendor detections: 4

SHA256 hash: dcacb6e6cd979249275767b31c9d0250101d3627c525011e9f4d66581dbb7722
SHA3-384 hash: 892e0569338924ea52438e092908a4322e5852aae4b5bae3c9b925a3d3f9da3facb470af890c59d0a5c54da2a52c6438
SHA1 hash: e3bf45687bc5fb4b1b3c4e5a6c33d9136c1d0e65
MD5 hash: 7aac027145a3aca59e8f0857f385d3e2
humanhash: october-lemon-twenty-carbon
File name: Setup.msi
File size: 258'048 bytes
First seen: 2021-07-12 10:06:53 UTC
Last seen: 2021-07-12 10:58:42 UTC
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep 3072:6spAtONmXwCGjtYNKbYO2gjpcm8rRuqpjCLu2loHUvU1yGxr5nqM2a8v:otONiRQYpgjpjew5JWyGxJqo8
Threatray: 6 similar samples on MalwareBazaar
TLSH T120446B513BC9C13AD2AE063785BA9766263A7D710B30D0CF77947DAC9E306D3A939312
Reporter: o2genum
Tags: msi phishing


o2genum
Phishing, crypto stealing page:
https://kryptex.info

Original web service being impersonated: https://kryptex.org/

Intelligence


File Origin
# of uploads: 2
# of downloads: 120
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: troj.spyw.evad
Score: 76 / 100
Signature:
May check the online IP address of the machine
Obfuscated command line found
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Suspicious PowerShell Command Line
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected MSILLoadEncryptedAssembly
Behaviour
Behavior Graph (ID 447121; sample: Setup.msi; start date: 12/07/2021; architecture: WINDOWS; score: 76), given here as the flattened process tree the rendered graph shows:
Sample-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Sigma detected: Mshta Spawning Windows Shell; Yara detected MSILLoadEncryptedAssembly; 2 other signatures
msiexec.exe (two instances started from the sample)
  Setup.exe
    mshta.exe, signature: Obfuscated command line found; network: kudonet.kozow.com 45.118.145.253, 49711, 49728, 49729 LVSOFT-AS-VNLongVanSoftSolutionJSCVN Viet Nam
      powershell.exe, network: kudonet.kozow.com
        aspnet_compiler.exe, network: kudonet.kozow.com; icanhazip.com 104.18.6.156, 49730, 80 CLOUDFLARENETUS United States; 192.168.2.1 unknown unknown; dropped: C:\Users\user\AppData\Local\...\Web Data2 (SQLite), C:\Users\user\AppData\Local\...\Login Data2 (SQLite), C:\Users\user\AppData\Local\...\Cookies2 (SQLite); signatures: May check the online IP address of the machine; Tries to harvest and steal browser information (history, passwords, etc)
        conhost.exe
  expand.exe, dropped: C:\...\117bb394f204f6468116756ed09caaf5.tmp (PE32)
    conhost.exe
  icacls.exe (two instances), each starting conhost.exe
Threat name: ByteCode-MSIL.Trojan.Bsymem
Status: Malicious
First seen: 2021-07-12 10:07:04 UTC
AV detection: 2 of 46 (4.35%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: discovery
Behaviour
Checks SCSI registry key(s)
Modifies Internet Explorer settings
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Enumerates connected drives
Looks up external IP address via web service
Loads dropped DLL
Modifies file permissions
Blocklisted process makes network request
Executes dropped EXE
Malware Config
Dropper Extraction: http://kudonet.kozow.com/new1/K1.txt
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download: Microsoft Software Installer (MSI) msi dcacb6e6cd979249275767b31c9d0250101d3627c525011e9f4d66581dbb7722 (this sample)

Delivery method: Distributed via web download

Comments