MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebc429b949a17ab23f910e245a9797ecef53f823ebf130089b5fd2c115ea1d6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Magniber


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ebc429b949a17ab23f910e245a9797ecef53f823ebf130089b5fd2c115ea1d6d
SHA3-384 hash: 1b75eca7a177779585dcb04b3cbb05a54842559604bd18bf4fbd979e57d15d3f9ff8a9904f3c3ac9041e5d25f869352a
SHA1 hash: 1beb3e36c251e6a444429638a0196561c8b51866
MD5 hash: 7b7a9932146848710f13fcc57e370a2d
humanhash: november-delta-finch-hamper
File name:1BEB3E36C251E6A444429638A0196561C8B51866.msi
Download: download sample
Signature Magniber
Create hunting rule
File size:12'378'112 bytes
First seen:2022-06-01 13:17:37 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 1536:PRGc6MiHQ0KPrrr3xzZBhvCy4Ow7Wdhb+hDs0DHk7C:YTMiHY/r3nBHwCdhb1
Threatray 25 similar samples on MalwareBazaar
TLSH T13BC6D79F91522F98D61B553BD0049FA4C034AFB47201D97AA33F377197762A922B38CB
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter obfusor
Tags:Magniber msi Ransomware

Intelligence

File Origin
# of uploads :
1
# of downloads :
393
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/276089/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.39704870.4431.27694.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/ebc429b949a17ab23f910e245a9797ecef53f823ebf130089b5fd2c115ea1d6d
Result
Threat name:
Unknown
Detection:
malicious
Classification:
rans.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1005067
Signature
Creates a thread in another existing process (thread injection)
Creates files inside the volume driver (system volume information)
Deletes shadow drive data (may be related to ransomware)
Deletes the backup plan of Windows
Hijacks the control flow in another process
Injects code into the Windows Explorer (explorer.exe)
May disable shadow drive data (uses vssadmin)
Modifies existing user documents (likely ransomware behavior)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses bcdedit to modify the Windows boot settings
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 637607 Sample: IDHZ8k5tg4.msi Startdate: 01/06/2022 Architecture: WINDOWS Score: 96 109 Multi AV Scanner detection for dropped file 2->109 111 Multi AV Scanner detection for submitted file 2->111 113 Deletes shadow drive data (may be related to ransomware) 2->113 12 msiexec.exe 71 29 2->12         started        15 wbengine.exe 2->15         started        18 msiexec.exe 3 2->18         started        20 vds.exe 2->20         started        process3 file4 107 C:\Windows\Installer\MSI9AF5.tmp, PE32+ 12->107 dropped 22 msiexec.exe 12->22         started        141 Creates files inside the volume driver (system volume information) 15->141 signatures5 process6 signatures7 123 Hijacks the control flow in another process 22->123 125 Injects code into the Windows Explorer (explorer.exe) 22->125 127 Writes to foreign memory regions 22->127 129 Creates a thread in another existing process (thread injection) 22->129 25 svchost.exe 2 22->25 injected 27 sihost.exe 3 22->27 injected 31 svchost.exe 22->31 injected 33 2 other processes 22->33 process8 file9 35 cmd.exe 1 25->35         started        37 regsvr32.exe 2 25->37         started        40 cmd.exe 25->40         started        99 C:\Users\user\Desktop99EBFQQYWPS.pdf, data 27->99 dropped 101 C:\Users\user\Desktop\LSBIHQFDVT.xlsx, data 27->101 dropped 103 C:\Users\user\Desktop\...\IPKGELNTQY.docx, data 27->103 dropped 105 2 other files (none is malicious) 27->105 dropped 139 Modifies existing user documents (likely ransomware behavior) 27->139 42 cmd.exe 31->42         started        44 cmd.exe 31->44         started        52 2 other processes 31->52 46 cmd.exe 33->46         started        48 cmd.exe 33->48         started        50 regsvr32.exe 33->50         started        signatures10 process11 signatures12 54 fodhelper.exe 12 35->54         started        56 conhost.exe 35->56         started        115 May disable shadow drive data (uses vssadmin) 37->115 117 Deletes shadow drive data (may be related to ransomware) 37->117 119 Uses bcdedit to modify the Windows boot settings 37->119 121 Deletes the backup plan of Windows 37->121 58 fodhelper.exe 12 40->58         started        60 conhost.exe 40->60         started        62 fodhelper.exe 12 42->62         started        64 conhost.exe 42->64         started        66 2 other processes 44->66 68 2 other processes 46->68 70 2 other processes 48->70 process13 process14 72 regsvr32.exe 1 54->72         started        75 regsvr32.exe 58->75         started        77 regsvr32.exe 62->77         started        79 regsvr32.exe 66->79         started        signatures15 131 May disable shadow drive data (uses vssadmin) 72->131 133 Deletes shadow drive data (may be related to ransomware) 72->133 135 Uses bcdedit to modify the Windows boot settings 72->135 137 Deletes the backup plan of Windows 72->137 81 vssadmin.exe 72->81         started        83 wbadmin.exe 72->83         started        85 wbadmin.exe 72->85         started        87 2 other processes 72->87 process16 process17 89 conhost.exe 81->89         started        91 conhost.exe 83->91         started        93 conhost.exe 85->93         started        95 conhost.exe 87->95         started        97 conhost.exe 87->97         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ebc429b949a17ab23f910e245a9797ecef53f823ebf130089b5fd2c115ea1d6d/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2022-05-28 17:17:44 UTC
File Type:
Binary (Archive)
Extracted files:
27
AV detection:
13 of 41 (31.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5pcctokjuf5lep4rbysfvf4x5txvh6bd5pytace3l7jmcfpkdvwq._file
Verdict:
malicious
Label(s):
ryuk
Create hunting rule
Similar samples:
2d66d454da7c8ebd868f48da12db6c073c058e9f86c4f0e5529c0358faec9c72
Magniber
33211a8202f4ad33f01cd90c6b1f51068a84ace5dd85a891efe5e6c210b0e7ef
Magniber
560feb69ec5771380c0440f52c60d9a229a56eda4d616d10b47e3ebaabb25f82
Magniber
724b3381d26ed8a633bbe8a2483fbe5a4dd1b66b04a2d84bbbb6179f4dac8146
Magniber
9180fe1ea22b07841146ba483d454faf092c8cd9fed14222a08b7392cda2e7be
Magniber
c902ed13403c55e1c2dfb99ba7d8a878ac18e77712d68230e2b4cb4e15d85741
Magniber
e0078d521cd66b4c5523dc73ae4e017c48fbb3de41422791a9f1db3ba1d9d07b
Magniber
e92dbe9e5f710da92e7aabffd68498168cd81a5b3145947015fd39e557545e32
Magniber
fb38ca9105614973ddaabc6ce76068be002a4b69a9f801e2cc5b962f84ffab7b
Magniber
+ 15 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/220601-qjyl8scdgl/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Enumerates connected drives
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/ebc429b949a17ab23f910e245a9797ecef53f823ebf130089b5fd2c115ea1d6d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/276089/

Comments