MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea444236afe9351a13e2d6d4652553c7426e424da8f16cae64026c4413c78a2a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 5

Intelligence 5 IOCs YARA 1 File information Comments

SHA256 hash:	ea444236afe9351a13e2d6d4652553c7426e424da8f16cae64026c4413c78a2a
SHA3-384 hash:	b4466da7819bea2652d3dd79bc95e1433427b95d59e9be2d2c7358d86905db6bf71f6e84809586c8fc0480f6cf5e9cb4
SHA1 hash:	500207e36d930794769c9fde2231c15605342168
MD5 hash:	594d9d91395b17d062d06acd4118fb07
humanhash:	princess-coffee-red-edward
File name:	594d9d91395b17d062d06acd4118fb07.msi
Download:	download sample
File size:	8'050'176 bytes
First seen:	2022-01-21 10:48:52 UTC
Last seen:	2022-01-21 12:32:53 UTC
File type:	msi
MIME type:	application/x-msi
ssdeep	196608:SwJDr05D9u53a3EyWd92wMlG8XPoFkCHTq9jarggN8Yi0pWtF13:xJDr05xu5q1Wd9F8PbNargZYi0pWtF13
Threatray	203 similar samples on MalwareBazaar
TLSH	T1F986F1222A99CA33E57E413494BAC73710A97E941BB150DF63EF59AE09744CE8371F23
Reporter	abuse_ch
Tags:	msi

Intelligence

File Origin

# of uploads :

# of downloads :

196

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/221407/

Detection(s):

PUA.Win.Packer.PrivateExeProte-11

Sanesecurity.Badmacro.Xls.credriv.UNOFFICIAL

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

100%

Tags:

anti-vm control.exe evasive fingerprint print.exe remote.exe replace.exe shell32.dll

Link:

https://www.filescan.io/uploads/61ea8fa5d32385db631491b6/reports/f923824a-d5cc-4985-ade4-885ec5614ecd/overview

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/ea444236afe9351a13e2d6d4652553c7426e424da8f16cae64026c4413c78a2a

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spyw.evad

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/925183

Signature

Multi AV Scanner detection for submitted file

Opens network shares

PE file has a writeable .text section

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ea444236afe9351a13e2d6d4652553c7426e424da8f16cae64026c4413c78a2a/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5jceenvp5e2rue7c23kgkjkty5bg4qsnvdywzlteajweie6hriva._file

Verdict:

unknown

21b86d066be79ef02c1e00c3be9bf22c4087d4122569543d2c8854ccb8a9b129

3529493db869e38f4cc8d85f0b5e3964abb6b9aa9e053b6884b47ff610551239

368a995009f0a3324ed392ed8411bd64c41d091fb22ef20170f9c9fd50ee8c8a

41ea97dc0c4e1ed234b29c6cee2de9d3a9201942044b9246e108c00f541d0150

70ee73260835cf8043fa9f1e2034b4477498ee760e3de2c77f89f25d1ab906e9

c5d5bd4d5b66de5559e4ebb98251b74b49baa08a50cfc8f69b2c9005fcc861a4

e1530e55a185d7733d470ba0e450464c7e9a95425025a51b79a3795b9f44ada9

f016bb4e883c001c82a4cf91745844f14b76fd015a2747c491badae79c2b0911

f3e180897f615a8d54fbe97faebd15e80be7358a3d4aa7ea8511a73285b3fe85

+ 193 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

upx

Link:

https://tria.ge/reports/220121-mwpnbachel/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Enumerates connected drives

Loads dropped DLL

Blocklisted process makes network request

UPX packed file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.34

Link:

https://yomi.yoroi.company/submissions/ea444236afe9351a13e2d6d4652553c7426e424da8f16cae64026c4413c78a2a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	suspicious_msi_file Create hunting rule
Author:	Johnk3r
Description:	Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/221407/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample