MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efaef34ef28217ed3b4d1066bc2c96354bba13d5399d9779ec58801fa72b7a99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Metamorfo


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: efaef34ef28217ed3b4d1066bc2c96354bba13d5399d9779ec58801fa72b7a99
SHA3-384 hash: a99426628cc0429d67ab919701d46f1a1adf88e50f7e234b1a957106a4a3a4a3df845bfafd779e5d1a21406f76bbccb6
SHA1 hash: 17f692483b542e0a7cdf04547760a63aa9f59708
MD5 hash: 0987e1b1412f555a22fc4a0b36baa98a
humanhash: lamp-diet-louisiana-fillet
File name:Nf_210923564 (1).msi
Download: download sample
Signature Metamorfo
Create hunting rule
File size:691'200 bytes
First seen:2023-09-22 07:24:08 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 12288:TPMqsY5AhTqp4nbY5GbrKRYAGOE3+0rMmrxBFInRxr+3yCQyhaKxPbC:TPMqsY5Akp4b2GbcYlOmvJ6W1Bfx
Threatray 287 similar samples on MalwareBazaar
TLSH T1B2E4F107B3C5477AE8D342315A9F93628F72EC74873281272659660E2DF1664B7B33E2
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter abuse_ch
Tags:172-200-176-88 MetaMorfo msi ousaban spy

Intelligence

File Origin
# of uploads :
1
# of downloads :
136
Origin country :
NL NL
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/450564/
Detection(s):
SecuriteInfo.com.Trojan-Spy.Agent.22897.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
lolbin remote shell32
Link:
https://www.filescan.io/uploads/650d414f83a0c6425dfc2837/reports/0b0d89a4-97ea-4a50-8df9-3262756276d6/overview
Verdict:
Malicious
Labled as:
Trojan.Generic
Link:
https://www.hybrid-analysis.com/sample/efaef34ef28217ed3b4d1066bc2c96354bba13d5399d9779ec58801fa72b7a99
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/efaef34ef28217ed3b4d1066bc2c96354bba13d5399d9779ec58801fa72b7a99
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedAlert
Create hunting rule
Detection:
malicious
Classification:
rans.expl.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/1312791
Signature
Hides threads from debuggers
Multi AV Scanner detection for submitted file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file has nameless sections
Query firmware table information (likely to detect VMs)
Sigma detected: Drops script at startup location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by execution special instruction (VM detection)
Uses cmd line tools excessively to alter registry or file data
Yara detected RedAlert Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1312791 Sample: Nf_210923564_(1).msi Startdate: 22/09/2023 Architecture: WINDOWS Score: 96 59 Multi AV Scanner detection for submitted file 2->59 61 Yara detected RedAlert Ransomware 2->61 63 Sigma detected: Drops script at startup location 2->63 65 PE file has nameless sections 2->65 8 msiexec.exe 9 30 2->8         started        11 SlimBoat.exe 2->11         started        14 cmd.exe 1 2->14         started        16 2 other processes 2->16 process3 file4 49 C:\Users\user\AppData\...\cubobretas.cmd, ASCII 8->49 dropped 51 C:\Windows\Installer\MSID910.tmp, PE32 8->51 dropped 53 C:\Windows\Installer\MSID892.tmp, PE32 8->53 dropped 18 msiexec.exe 3 21 8->18         started        69 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 11->69 71 Query firmware table information (likely to detect VMs) 11->71 73 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 11->73 75 Uses cmd line tools excessively to alter registry or file data 14->75 23 cmd.exe 1 14->23         started        25 cmd.exe 1 14->25         started        27 conhost.exe 14->27         started        77 Hides threads from debuggers 16->77 signatures5 process6 dnsIp7 55 raw.githubusercontent.com 185.199.108.133, 443, 49712 FASTLYUS Netherlands 18->55 41 C:\Users\Public\...\libwinpthread-1.dll, PE32+ 18->41 dropped 43 C:\Users\Public\...\libpython3.8.pdf, PE32 18->43 dropped 45 C:\Users\Public\...\libpython3.8.dll, PE32 18->45 dropped 47 C:\Users\Public\...\SlimBoat.exe (copy), PE32 18->47 dropped 67 Uses cmd line tools excessively to alter registry or file data 18->67 29 SlimBoat.exe 1 3 18->29         started        33 reg.exe 1 18->33         started        35 reg.exe 1 23->35         started        37 reg.exe 1 1 25->37         started        file8 signatures9 process10 dnsIp11 57 172.200.176.88, 49722, 80 IFX18747US United States 29->57 79 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 29->79 81 Query firmware table information (likely to detect VMs) 29->81 83 Tries to evade analysis by execution special instruction (VM detection) 29->83 85 2 other signatures 29->85 39 conhost.exe 33->39         started        signatures12 process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/efaef34ef28217ed3b4d1066bc2c96354bba13d5399d9779ec58801fa72b7a99/
Threat name:
Script-JS.Downloader.Heuristic
Create hunting rule
Status:
Malicious
First seen:
2023-09-22 07:25:05 UTC
File Type:
Binary (Archive)
Extracted files:
121
AV detection:
8 of 38 (21.05%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=56xpgtxsqil62o2ncbtlylewgvf3ue6vhgozo6pmlcab7jzlpkmq._file
Verdict:
malicious
Similar samples:
2f022086614603e14c352bfc6c3d5da150c5bac59613f1b2d5b72ee8905ba167
Metamorfo
2f9a2ca3d7c8f4ce0393399a7688650c71636418ed1f8edd8a68d6c93b2f2d53
Metamorfo
32fb5900faa65295965b7b286de22a46eff4239166096c3a1008d60079e7c59f
Metamorfo
35c2607c6670f5303f3eca40de2e3441c2f48101861d2135d85029a8827cae25
Metamorfo
439fba17d37f5fb43487decfd1743712861fc0067d98ff4171d41ca5a267648a
Metamorfo
47e29bd164cb2f1eeee561aadf21b399a768dbb14a8d616ff2d1c4e77d1f7ce9
Metamorfo
83355a82abf8feb73cf733551b778e2465f165a73df95318a6c6f003a3e00d79
Metamorfo
dc4c16b06d4ec0156176b2ec6eeeaccfa6de98de3de33d9ea352a095bf79ce6d
Metamorfo
+ 277 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/230922-h8ydrsee3x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Adds Run key to start application
Enumerates connected drives
Legitimate hosting services abused for malware hosting/C2
Drops startup file
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/efaef34ef28217ed3b4d1066bc2c96354bba13d5399d9779ec58801fa72b7a99

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Disclosed_0day_POCs_payload_MSI
Create hunting rule
Author:Florian Roth (Nextron Systems)
Description:Detects POC code from disclosed 0day hacktool set
Reference:Disclosed 0day Repos
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:metamorfo_msi
Create hunting rule
Author:jeFF0Falltrades
Description:This is a simple, albeit effective rule to detect most Metamorfo initial MSI payloads
Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR
Rule name:win_unidentified_072_w0
Create hunting rule
Author:jeFF0Falltrades
Description:This is a simple, albeit effective rule to detect most Metamorfo initial MSI payloads

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

Metamorfo

Microsoft Software Installer (MSI) msi efaef34ef28217ed3b4d1066bc2c96354bba13d5399d9779ec58801fa72b7a99

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/450564/

Comments