MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb5ea730abf432d169a1560ef19f6100b96aecd4a18d41fd20f9a06e2d15077e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Metamorfo


Vendor detections: 8



SHA256 hash: eb5ea730abf432d169a1560ef19f6100b96aecd4a18d41fd20f9a06e2d15077e
SHA3-384 hash: b58554c17f621aac932c9bb838e181db9c3300d7baf4c5e717ef6d55eead38146c4a2b7b1594b81d4b03e0f48ba3a9da
SHA1 hash: 3f5f04c3c3421a3641111f37c9297d67157d9ba1
MD5 hash: efa9c4a4bf3ba471c03e780ed55854b3
humanhash: north-november-lithium-green
File name: _PDF__838754.msi
Signature: Metamorfo
File size: 58'872'320 bytes
First seen: 2024-09-04 10:02:22 UTC
Last seen: 2024-09-04 10:33:24 UTC
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep: 1572864:IfK9EXduSTKiH2B2sqdJkaXW67HOt5Vdr:IfUqIsHWB2sqXAzP
Threatray: 9 similar samples on MalwareBazaar
TLSH: T1A3D73322718AC632E9BE0176A965FB2E11BA7FE3077004DBA7D4785E4D74CC252B8F11
TrID: 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
      10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
      7.8% (.MSP) Windows Installer Patch (44509/10/5)
      1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika: msi
Reporter: FXOLabs
Tags: MetaMorfo msi

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 104
Origin country: BR
Vendor Threat Intelligence

Verdict: Malicious
Score: 96.5%
Tags: Generic Network Stealth

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-vm crypto evasive fingerprint keylogger lolbin msiexec packed remote shell32 wix
Result
Threat name: Metamorfo
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
AI detected suspicious sample
Connects to a pastebin service (likely for C&C)
Connects to many ports of the same IP (likely port scanning)
Contain functionality to detect virtual machines
Creates multiple autostart registry keys
Machine Learning detection for dropped file
May use the Tor software to hide its network traffic
Multi AV Scanner detection for submitted file
Overwrites code with function prologues
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Suricata IDS alerts for network traffic
Switches to a custom stack to bypass stack traces
Yara detected Metamorfo
Behaviour
Behavior Graph: ID 1504010, sample _PDF__838754.msi, start date 04/09/2024, architecture WINDOWS, score 100. The graph shows msiexec.exe, Vamg.exe and winlog.exe being started, PE32 files dropped under C:\Windows\Installer, and network connections to pastebin.com and mail.al-shahen.com (graph image not reproduced here).
Threat name: Win32.Trojan.BankerX
Status: Malicious
First seen: 2024-09-04 10:03:28 UTC
File Type: Binary (Archive)
Extracted files: 384
AV detection: 6 of 38 (15.79%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: discovery persistence privilege_escalation
Behaviour
Enumerates system info in registry
NTFS ADS
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Drops startup file
Verdict: Suspicious
Tags: n/a
YARA: n/a
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: DebuggerCheck__API
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: DebuggerCheck__QueryInfo
Reference: https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

Rule name: Detect_LATAM_MSI_Banker

Rule name: Detect_Malicious_VBScript_Base64
Author: daniyyell
Description: Detects malicious VBScript patterns, including Base64 decoding, file operations, and PowerShell.

Rule name: NET
Author: malware-lu

Rule name: suspicious_msi_file
Author: Johnk3r
Description: Detects common strings, DLL and API in Banker_BR

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Distributed via e-mail link
