MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f34993a3a6650332dc0ddb7778ec014a2b517f29bb398770bfaeffc07a07d008. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Threat unknown

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	f34993a3a6650332dc0ddb7778ec014a2b517f29bb398770bfaeffc07a07d008
SHA3-384 hash:	79333f70f59f5b84a343e9817c5b659b9610aa7acf113fc2f8965f4b0a2b3041e98c4ccbda7b3b0bae0dd3272a5bd137
SHA1 hash:	6795443f9e4abf0b8405af01643a665a4a729704
MD5 hash:	37efdd905aabef36aa9cb31859ee46d5
humanhash:	leopard-ohio-happy-minnesota
File name:	FACT63f87.msi
Download:	download sample
File size:	9'015'808 bytes
First seen:	2023-02-24 09:09:39 UTC
Last seen:	Never
File type:	msi
MIME type:	application/x-msi
ssdeep	196608:O6OFXeTxOmvailuFwhMAc3Hg0xQVgUQrLATjQYlQDMH:O6CXuxtlOWNWxygUEATjs
Threatray	98 similar samples on MalwareBazaar
TLSH	T139962322768A4525D1FEC3354E27BED525F2272983B240BBB6945ECF31F57C08762A83
TrID	80.0% (.MSI) Microsoft Windows Installer (454500/1/170) 10.7% (.MST) Windows SDK Setup Transform script (61000/1/5) 7.8% (.MSP) Windows Installer Patch (44509/10/5) 1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter	ventress
Tags:	msi

nuria_imeq

IOCs:
hxxps[://]aa033-zcxjnr54sa-uc[.]a[.]run[.]app
hxxp[://]34[.]68[.]70[.]63/
hxxp[://]34[.]68[.]70[.]63/62743bd3b3b3e/
hxxp[://]63[.]70[.]68[.]34[.]bc[.]googleusercontent[.]com/EMKT_CURSO_775-5693/?/62743bd3b3b3e/

Intelligence

File Origin

# of uploads :

# of downloads :

160

Origin country :

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/369378/

Detection(s):

SecuriteInfo.com.W32.Trojan.VYZK-4288.30727.UNOFFICIAL

Verdict:

Likely Malicious

Threat level:

7.5/10

Confidence:

80%

Tags:

mekotio packed packed

Link:

https://www.filescan.io/uploads/63f87eed589e1e4c5bd83e63/reports/0d406cfd-86e0-468d-b535-e13e2283a037/overview

Verdict:

Malicious

Labled as:

Trojan.Generic

Link:

https://www.hybrid-analysis.com/sample/f34993a3a6650332dc0ddb7778ec014a2b517f29bb398770bfaeffc07a07d008

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/f34993a3a6650332dc0ddb7778ec014a2b517f29bb398770bfaeffc07a07d008

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/1181746

Signature

May check the online IP address of the machine

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f34993a3a6650332dc0ddb7778ec014a2b517f29bb398770bfaeffc07a07d008/

Threat name:

Win32.Trojan.Mekotio

Status:

Malicious

First seen:

2023-02-23 20:31:00 UTC

File Type:

Binary (Archive)

Extracted files:

AV detection:

9 of 39 (23.08%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=6nezhi5gmubtfxan3n3xr3abjivvc7zjxm4yo4f7v374a6qh2aea._file

Verdict:

malicious

635329a3e60baf7fc0d50d16b87c4ddc8f9300c710696dde863c3d90abb1b4a3

64b9695d845cdf62c01e755e83cffde32adde9674af26b9c99147f177b523e98

6719c4bd451f0c988e20c4e6d4773c015fd98f2882ac1342ef4d48f31bde6cfe

aee3ce577e43f036952eca4c8ad5ad9ef196d715af1d605b8addf06440f223fa

b324bf2765637c425eea72826c3a1524873fc8b2dc7c06cf9f5b3312bde8861a

c65cc9456350965b909eaa16b19f02f9ed6e1bba1288be7b8623f827dd9df89f

d27fc5641cadee2fe89f1a23264ae10879cde5702397a4bb3c6ace6e583bc4b7

db0e7ecf7d7934cc0a0620372cb5dfb554efab090662b51830097dac3d37ca87

+ 88 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/230224-k42azacg4t/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Enumerates connected drives

Looks up external IP address via web service

Loads dropped DLL

Blocklisted process makes network request

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/f34993a3a665/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f34993a3a6650332dc0ddb7778ec014a2b517f29bb398770bfaeffc07a07d008

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	suspicious_msi_file Create hunting rule
Author:	Johnk3r
Description:	Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/369378/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample