MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e92dbe9e5f710da92e7aabffd68498168cd81a5b3145947015fd39e557545e32. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Magniber


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e92dbe9e5f710da92e7aabffd68498168cd81a5b3145947015fd39e557545e32
SHA3-384 hash: 23f47092d88399dd7b93ec0aa81325c6efd9b70a5861b49cd46984a5443743dfcae538ddf10a6cc4bd5124802c891b62
SHA1 hash: a0d82c995f7af28a89b6cb4072d52f0852383c90
MD5 hash: 480033b3aa5fd65654cd8ec94acbd299
humanhash: jupiter-tennis-maryland-hawaii
File name:A0D82C995F7AF28A89B6CB4072D52F0852383C90.msi
Download: download sample
Signature Magniber
Create hunting rule
File size:11'485'184 bytes
First seen:2022-06-01 13:24:33 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 1536:7RGFxy7LmUyoYMPeWB4ulPlGwKCb9Ds0DG7y:E+7KDM2nePw4bO
Threatray 25 similar samples on MalwareBazaar
TLSH T1F6C6923391226682C82E917A58C906CD491CDCD4E8D7F52E33ACF3E99EF751623D3586
TrID 68.9% (.MST) Windows SDK Setup Transform script (61000/1/5)
22.0% (.WPS) Kingsoft WPS Office document (alt.) (19502/3/2)
9.0% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter obfusor
Tags:Magniber msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
317
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/276102/
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/e92dbe9e5f710da92e7aabffd68498168cd81a5b3145947015fd39e557545e32
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1005142
Signature
Creates a thread in another existing process (thread injection)
Creates files inside the volume driver (system volume information)
Deletes shadow drive data (may be related to ransomware)
Deletes the backup plan of Windows
Hijacks the control flow in another process
Injects code into the Windows Explorer (explorer.exe)
May disable shadow drive data (uses vssadmin)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses bcdedit to modify the Windows boot settings
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 637654 Sample: HKyWFH5yGt.msi Startdate: 01/06/2022 Architecture: WINDOWS Score: 96 109 Multi AV Scanner detection for dropped file 2->109 111 Multi AV Scanner detection for submitted file 2->111 113 Deletes shadow drive data (may be related to ransomware) 2->113 12 msiexec.exe 71 29 2->12         started        15 wbengine.exe 2->15         started        18 msiexec.exe 3 2->18         started        20 vdsldr.exe 2->20         started        process3 file4 107 C:\Windows\Installer\MSI4581.tmp, PE32+ 12->107 dropped 22 msiexec.exe 12->22         started        141 Creates files inside the volume driver (system volume information) 15->141 signatures5 process6 signatures7 123 Hijacks the control flow in another process 22->123 125 Injects code into the Windows Explorer (explorer.exe) 22->125 127 Writes to foreign memory regions 22->127 129 Creates a thread in another existing process (thread injection) 22->129 25 svchost.exe 2 22->25 injected 27 sihost.exe 3 22->27 injected 31 svchost.exe 22->31 injected 33 2 other processes 22->33 process8 file9 35 cmd.exe 25->35         started        37 regsvr32.exe 2 25->37         started        40 cmd.exe 1 25->40         started        101 C:\Users\user\Desktop\...\QNCYCDFIJJ.pdf, data 27->101 dropped 103 C:\Users\user\Desktop103EBFQQYWPS.xlsx, data 27->103 dropped 105 C:\Users\user\Desktop\...\IPKGELNTQY.docx, data 27->105 dropped 139 Modifies existing user documents (likely ransomware behavior) 27->139 42 cmd.exe 31->42         started        44 cmd.exe 31->44         started        46 regsvr32.exe 31->46         started        48 cmd.exe 33->48         started        50 cmd.exe 33->50         started        52 regsvr32.exe 33->52         started        signatures10 process11 signatures12 54 fodhelper.exe 12 35->54         started        56 conhost.exe 35->56         started        115 May disable shadow drive data (uses vssadmin) 37->115 117 Deletes shadow drive data (may be related to ransomware) 37->117 119 Uses bcdedit to modify the Windows boot settings 37->119 121 Deletes the backup plan of Windows 37->121 58 fodhelper.exe 12 40->58         started        60 conhost.exe 40->60         started        62 fodhelper.exe 12 42->62         started        64 conhost.exe 42->64         started        66 2 other processes 44->66 68 2 other processes 48->68 70 2 other processes 50->70 process13 process14 72 regsvr32.exe 1 54->72         started        75 regsvr32.exe 58->75         started        77 regsvr32.exe 62->77         started        79 regsvr32.exe 66->79         started        signatures15 131 May disable shadow drive data (uses vssadmin) 72->131 133 Deletes shadow drive data (may be related to ransomware) 72->133 135 Uses bcdedit to modify the Windows boot settings 72->135 137 Deletes the backup plan of Windows 72->137 81 vssadmin.exe 72->81         started        83 wbadmin.exe 72->83         started        85 wbadmin.exe 72->85         started        89 2 other processes 72->89 87 vssadmin.exe 77->87         started        process16 process17 91 conhost.exe 81->91         started        93 conhost.exe 83->93         started        95 conhost.exe 85->95         started        97 conhost.exe 87->97         started        99 conhost.exe 89->99         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e92dbe9e5f710da92e7aabffd68498168cd81a5b3145947015fd39e557545e32/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-05-29 12:53:28 UTC
File Type:
Binary (Archive)
Extracted files:
27
AV detection:
14 of 41 (34.15%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5ew35hs7oeg2slt2vp75nbeyc2gnqgs3gfczi4av7u46kv2ulyza._file
Verdict:
malicious
Label(s):
ryuk
Create hunting rule
Similar samples:
2d66d454da7c8ebd868f48da12db6c073c058e9f86c4f0e5529c0358faec9c72
Magniber
33211a8202f4ad33f01cd90c6b1f51068a84ace5dd85a891efe5e6c210b0e7ef
Magniber
560feb69ec5771380c0440f52c60d9a229a56eda4d616d10b47e3ebaabb25f82
Magniber
724b3381d26ed8a633bbe8a2483fbe5a4dd1b66b04a2d84bbbb6179f4dac8146
Magniber
9180fe1ea22b07841146ba483d454faf092c8cd9fed14222a08b7392cda2e7be
Magniber
c902ed13403c55e1c2dfb99ba7d8a878ac18e77712d68230e2b4cb4e15d85741
Magniber
e0078d521cd66b4c5523dc73ae4e017c48fbb3de41422791a9f1db3ba1d9d07b
Magniber
ebc429b949a17ab23f910e245a9797ecef53f823ebf130089b5fd2c115ea1d6d
Magniber
fb38ca9105614973ddaabc6ce76068be002a4b69a9f801e2cc5b962f84ffab7b
Magniber
+ 15 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220601-qny4kaghg3/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Enumerates connected drives
Loads dropped DLL
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/e92dbe9e5f71/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/e92dbe9e5f710da92e7aabffd68498168cd81a5b3145947015fd39e557545e32

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/276102/

Comments