MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0078d521cd66b4c5523dc73ae4e017c48fbb3de41422791a9f1db3ba1d9d07b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Magniber

Vendor detections: 6



SHA256 hash: e0078d521cd66b4c5523dc73ae4e017c48fbb3de41422791a9f1db3ba1d9d07b
SHA3-384 hash: d2425c3b6eaf53f62a7d1356132bafb37137cab95d7f03e8c77483a2621e03d74552f600e65a9a1464ed0c4418b9ab8c
SHA1 hash: a0a6ba9bd45176b5fce6973af96e9da8353afba5
MD5 hash: 2ffd8eb6a092d24aa57e7b00619e4cea
humanhash: stream-fillet-johnny-johnny
File name: A0A6BA9BD45176B5FCE6973AF96E9DA8353AFBA5.msi
Signature: Magniber
File size: 10'952'704 bytes
First seen: 2022-06-01 13:34:30 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 1536:IRG3AeQ7goHSUzHg4viENvLZGDs0DS7m:FwX7gDUzrlLZF
Threatray: 58 similar samples on MalwareBazaar
TLSH: T12DB6A710A91969F6D52392FF845F0A9044249DD39504FB3BF33CB79CAA73E2866D270B
TrID: 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5); 11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter: obfusor
Tags: Magniber msi

Intelligence


File Origin
# of uploads: 1
# of downloads: 377
Origin country: n/a
Vendor Threat Intelligence
Result
Threat name: Unknown
Detection: malicious
Classification: rans.evad
Score: 72 / 100
Signature
Creates a thread in another existing process (thread injection)
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph (ID 637589; sample M1g4ztWqq7.msi; start date 01/06/2022; architecture WINDOWS; score 72)
Sample-level signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file
Process tree, as recovered from the graph:
  msiexec.exe (started)
    dropped: C:\Windows\Installer\MSI2464.tmp (PE32+)
    msiexec.exe (started)
      dropped: C:\Users\user\Desktop\TTCBKWZYOC.xlsx, C:\Users\user\Desktop\QVTVNIBKSD.pdf, C:\Users\user\Desktop\MQAWXUYAIK.xlsx (data)
      signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Creates a thread in another existing process (thread injection); Modifies existing user documents (likely ransomware behavior)
      svchost.exe (injected)
        network: 23.203.67.116:443 (local port 49703), AKAMAI-ASUS, United States
        cmd.exe (started) -> fodhelper.exe (started) -> regsvr32.exe (started); conhost.exe (started)
        cmd.exe (started) -> fodhelper.exe (started) -> regsvr32.exe (started); conhost.exe (started)
        regsvr32.exe (started)
      sihost.exe (injected)
        cmd.exe (started) -> fodhelper.exe (started) -> regsvr32.exe (started); conhost.exe (started)
        cmd.exe (started) -> fodhelper.exe (started) -> regsvr32.exe (started); conhost.exe (started)
        regsvr32.exe (started)
      svchost.exe (injected)
        regsvr32.exe (started)
  msiexec.exe (started)
Threat name: Win32.Trojan.Generic
Status: Suspicious
First seen: 2022-05-27 05:20:42 UTC
File Type: Binary (Archive)
Extracted files: 27
AV detection: 11 of 41 (26.83%)
Threat level: 5/5
Result
Malware family: n/a
Score: 9/10
Tags: evasion persistence ransomware
Behaviour
Checks SCSI registry key(s)
Enumerates system info in registry
Interacts with shadow copies
Modifies data under HKEY_USERS
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Enumerates connected drives
Loads dropped DLL
Deletes System State backups
Deletes backup catalog
Modifies extensions of user files
Deletes shadow copies
Modifies boot configuration data using bcdedit
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments