MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7f417806d456511c3af825e8e0db343048e1e30977139ba9bf3eadee66d8259. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7f417806d456511c3af825e8e0db343048e1e30977139ba9bf3eadee66d8259
SHA3-384 hash: ef8da5d09c5249e2c2262afe9da6918c8d69732ea578b7be84469b03ab641b555ee44dee2fb8a9680d1ead7144bee480
SHA1 hash: 8e01300eeb6be4dec03da8359f7c0d10fc416e1e
MD5 hash: 7b805d78e9a37bad485b8af6e359bf34
humanhash: table-seventeen-september-aspen
File name:Nota Fiscal.msi
Download: download sample
File size:1'431'552 bytes
First seen:2022-01-17 11:08:58 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 24576:GuvVNC63vosTi0cNOAqJAkMpYkTztdfG8NQGatAkIvn9pBo5MTGq5YVJrTsgsFHN:JvyCvosTi0sOAZnWkvfNQGOAkIv/Boaj
Threatray 194 similar samples on MalwareBazaar
TLSH T1F0659D1076C6C436C4BE05703A6ED76B157EBE700BB188EB63D81A2E1EB15C25632F67
Reporter pr0xylife
Tags:msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
250
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/219819/
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
control.exe expand.exe ftp.exe print.exe remote.exe shell32.dll
Link:
https://www.filescan.io/uploads/61e54e56d32385db63fab8c7/reports/2b8e64d0-8158-4e21-b3a0-a4427de51b7d/overview
Result
Verdict:
SUSPICIOUS
Link:
https://labs.inquest.net/dfi/sha256/e7f417806d456511c3af825e8e0db343048e1e30977139ba9bf3eadee66d8259
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/921758
Signature
Antivirus detection for dropped file
Drops executables to the windows directory (C:\Windows) and starts them
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 554236 Sample: Nota Fiscal.msi Startdate: 17/01/2022 Architecture: WINDOWS Score: 52 37 Antivirus detection for dropped file 2->37 6 msiexec.exe 15 52 2->6         started        10 msiexec.exe 3 2->10         started        12 msiexec.exe 1 2->12         started        14 2 other processes 2->14 process3 file4 23 C:\Windows\Installer\MSI4EBA.tmp, PE32 6->23 dropped 25 C:\Windows\Installer\MSI3167.tmp, PE32 6->25 dropped 27 C:\Windows\Installer\MSI4C38.tmp, PE32 6->27 dropped 29 9 other files (none is malicious) 6->29 dropped 39 Drops executables to the windows directory (C:\Windows) and starts them 6->39 16 msiexec.exe 10 6->16         started        19 msiexec.exe 1 6->19         started        21 MSI3167.tmp 6->21         started        signatures5 process6 dnsIp7 31 sn-files.fe.1drv.com 16->31 33 onedrive.live.com 16->33 35 ofpvlq.sn.files.1drv.com 16->35
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e7f417806d456511c3af825e8e0db343048e1e30977139ba9bf3eadee66d8259/
Threat name:
Win32.Trojan.Alien
Create hunting rule
Status:
Malicious
First seen:
2022-01-17 11:09:15 UTC
File Type:
Binary (Archive)
Extracted files:
56
AV detection:
8 of 28 (28.57%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
0389399febe43d7b710c5eec28906fc27faa9a62d6b21b23177ef9628222dada
13241421d86807055664ccd771acbcffd378d52fbeb1a35b3106e4c2c5cc443a
27037adba1bbede3fb44bcc190a33134b020a8ebb48f39a16790c0c358ca94e5
276fe35ed289cc299cca3a511c089d5d9994bb21c26818946b9ae2a0e7f6f584
52d79e7edccadccda98fdaaa761c5306adc502a639e7e217b2256ed6d8b7fa17
766813a2d32e70dd895aa89f769d1db2e6acbb4107b3712775902da1ca6eff53
8cb6d0ac34d090ebf86cc3b0fb51dc57b89b2429627dd15170b29ee29d02ad08
8ee5beec825590d2f25175e51b4a6bed6b3e678901c32d4e14c177df62bdf737
ca8eb4d83e1827e0fd86c260a60b1a9bb24876e15e1e0c55755d32314f308f4a
e9200c8a5ccb0bca2e40d3f618b056a552fbd7247396904a0d8ea70164fee886
+ 184 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
persistence upx
Link:
https://tria.ge/reports/220117-m849jaaacj/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Adds Run key to start application
Enumerates connected drives
Loads dropped DLL
Blocklisted process makes network request
Executes dropped EXE
UPX packed file
ACProtect 1.3x - 1.4x DLL software
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.76
Link:
https://yomi.yoroi.company/submissions/e7f417806d456511c3af825e8e0db343048e1e30977139ba9bf3eadee66d8259

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/219819/

Comments