MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb05d100ba4ff7eec5fd5fe4188d72335cc5578d9a5e53925b884d4bd05805b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eb05d100ba4ff7eec5fd5fe4188d72335cc5578d9a5e53925b884d4bd05805b5
SHA3-384 hash: 19d50b62e60dbd4ca89857acc2130075b97235893f8bc104f9a8c1eec54bdbf3912638f7be2cd6052ae1c8c5d0b96a11
SHA1 hash: 9ce618042024d974115734834aabb477066b94f5
MD5 hash: 4608f95fcb33dfb420ae3acaa679dfc2
humanhash: stairway-grey-fish-victor
File name:4608f95fcb33dfb420ae3acaa679dfc2.msi
Download: download sample
File size:7'673'856 bytes
First seen:2021-12-08 15:35:12 UTC
Last seen:2021-12-08 17:45:32 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 98304:tlIroz/amR3UTYZ4YWDSOjPWJG+22FfikGV+MHkFrEhYPl7A:t55UkZ40V1i1Kl
Threatray 16 similar samples on MalwareBazaar
TLSH T195767C23B685D13AC07A0B3A883B9778593B7F212B218D9B67F41D4C8E755803A39F57
Reporter abuse_ch
Tags:banker BRA geo msi

Intelligence

File Origin
# of uploads :
2
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/212522/
Detection(s):
PUA.Win.Packer.Exe-6
Create hunting rule

Sanesecurity.Badmacro.Xls.credriv.UNOFFICIAL
Create hunting rule

Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/61b0d0e6fa72c81b5b11e01c/reports/c4660f9a-4909-46b3-b014-7cda399526d5/overview
Result
Verdict:
SUSPICIOUS
Link:
https://labs.inquest.net/dfi/sha256/eb05d100ba4ff7eec5fd5fe4188d72335cc5578d9a5e53925b884d4bd05805b5
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
52 / 100
Link:
https://www.joesandbox.com/analysis/904203
Signature
Creates an autostart registry key pointing to binary in C:\Windows
May check the online IP address of the machine
Uses cmd line tools excessively to alter registry or file data
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 536678 Sample: 5DpzE2mQDJ.msi Startdate: 08/12/2021 Architecture: WINDOWS Score: 52 57 May check the online IP address of the machine 2->57 8 msiexec.exe 16 41 2->8         started        11 msiexec.exe 2 2->11         started        process3 file4 47 C:\Windows\Installer\MSIF8A7.tmp, PE32 8->47 dropped 49 C:\Windows\Installer\MSIF2C8.tmp, PE32 8->49 dropped 51 C:\Windows\Installer\MSIF1CD.tmp, PE32 8->51 dropped 53 3 other files (none is malicious) 8->53 dropped 13 aipackagechainer.exe 2 5 8->13         started        16 msiexec.exe 24 8->16         started        process5 file6 61 Creates an autostart registry key pointing to binary in C:\Windows 13->61 19 cmd.exe 1 13->19         started        22 cmd.exe 1 13->22         started        24 04047807780.exe 6 13->24         started        43 C:\Users\user\...\aipackagechainer.exe, PE32 16->43 dropped 45 C:\Users\user\AppData\...\04047807780.exe, PE32 16->45 dropped signatures7 process8 dnsIp9 59 Uses cmd line tools excessively to alter registry or file data 19->59 27 conhost.exe 19->27         started        29 cmd.exe 1 19->29         started        31 cmd.exe 1 19->31         started        39 4 other processes 19->39 33 conhost.exe 22->33         started        35 cmd.exe 1 22->35         started        37 cmd.exe 1 22->37         started        41 3 other processes 22->41 55 ip-api.com 208.95.112.1, 49777, 80 TUT-ASUS United States 24->55 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eb05d100ba4ff7eec5fd5fe4188d72335cc5578d9a5e53925b884d4bd05805b5/
Threat name:
Win32.Dropper.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-12-08 15:36:21 UTC
File Type:
Binary (Archive)
Extracted files:
404
AV detection:
3 of 45 (6.67%)
Threat level:
  3/5
Verdict:
unknown
Similar samples:
0141543611cf1babf0bf8a704d9f4fb28a5728458ae00f68957185ca52e4e549
1b0679b55c6ea0727ac51fdd25fb5ae629af959a902bc6a94e431662bf8d9cd0
1b989b05234ac05b5f641331013912f577c53e142f8cf6f7bcc291000b46f882
30b21dbe9760cc2a285513b5eb161e482d234012697e7ddcdb7ca7a57832d181
7eee512c06f88f3b58c2104ff9aadf087baf989f22ebf9e62ad95f4ee367f747
8f1435e498160d4d95114bf7417bc963d43ffa033336cd110a11fc781bed4446
93f8656d9d2e9477609761c5dc232d6cfca6918f6e5b53127ccf268fefd10ec6
9fc37df8a46d95ae0687bf890ee61bf50fb3e0bf2d4da77c139c93a813d91a6b
c6eb6729f081065d1afad5a23f343df68668f32eeae958a0642a9c4d4041a6ee
d4479ee4c78ba1ba8315d29e5296346421c407d4a9a64f791b99aeed98648ed0
+ 6 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/211208-s1ftvshdbr/
Behaviour
Checks SCSI registry key(s)
Delays execution with timeout.exe
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Views/modifies file attributes
Enumerates physical storage devices
Drops file in Windows directory
Adds Run key to start application
Enumerates connected drives
Looks up external IP address via web service
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.58
Link:
https://yomi.yoroi.company/submissions/eb05d100ba4ff7eec5fd5fe4188d72335cc5578d9a5e53925b884d4bd05805b5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Adsterra_Adware_DOM
Create hunting rule
Author:IlluminatiFish
Description:Detects Adsterra adware script being loaded without the user's consent
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/212522/

Comments