MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f610dbd7208f00b242b9f548410aa1e428e5daf9479d9807095195f6a6a03a73. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 7


Intelligence 7 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f610dbd7208f00b242b9f548410aa1e428e5daf9479d9807095195f6a6a03a73
SHA3-384 hash: a5891631be280056d0d07da5c882a9bacf3fa03fd31c9a52bb427071a3b63bd222562d9bbe06d407033b06be18b9025e
SHA1 hash: 83301a3fbb8e0312307f34955d3873cbd42e09cc
MD5 hash: 111a4b1ab79f6dcc0df5389870b547f6
humanhash: winter-fix-papa-lactose
File name:hANEXOPDF.PDF40 234057.msi
Download: download sample
File size:1'432'576 bytes
First seen:2024-07-04 17:38:16 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 24576:q8o4xLNJYzax0ECIgYmfLVYeBZr4AK12h2SekeUuyZD6lvs0zqa3:7oUJY0ZKumZr4AJTreUuyZD6lvVz9
TLSH T122659D21338AC53BD9AE02702529966F6579FDA30B3140D7A3C8293E9DF44D1A73AF53
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter Anonymous
Tags:msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
BR BR
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.PUA.Powershell.Downloader-3.UNOFFICIAL
Create hunting rule

Sanesecurity.Badmacro.Doc.newobj.UNOFFICIAL
Create hunting rule

TwinWave.EvliDoc.MastersOfTheUniverse.20210725.UNOFFICIAL
Create hunting rule

Verdict:
Malicious
Score:
93.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6686dffb4a5832d180b6fb6bwin10vpnfull_triage
Tags:
Generic Stealth
Verdict:
Suspicious
Link:
https://www.hybrid-analysis.com/sample/f610dbd7208f00b242b9f548410aa1e428e5daf9479d9807095195f6a6a03a73
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/f610dbd7208f00b242b9f548410aa1e428e5daf9479d9807095195f6a6a03a73
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
n/a
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1467807
Signature
AI detected suspicious sample
Bypasses PowerShell execution policy
Creates autostart registry keys with suspicious values (likely registry only malware)
Hides threads from debuggers
Machine Learning detection for dropped file
PE file contains section with special chars
Powershell drops PE file
Query firmware table information (likely to detect VMs)
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: Windows Shell/Scripting Application File Write to Suspicious Folder
Sigma detected: WScript or CScript Dropper
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Uses dynamic DNS services
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected MalDoc
Yara detected Powershell download and execute
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1467807 Sample: hANEXOPDF.PDF40 234057.msi Startdate: 04/07/2024 Architecture: WINDOWS Score: 100 63 teste.meuly.online 2->63 86 Yara detected Powershell download and execute 2->86 88 Yara detected MalDoc 2->88 90 Sigma detected: New RUN Key Pointing to Suspicious Folder 2->90 92 8 other signatures 2->92 11 msiexec.exe 3 20 2->11         started        14 wscript.exe 1 2->14         started        17 svchost.exe 1 2 2->17         started        20 2 other processes 2->20 signatures3 process4 dnsIp5 51 C:\Windows\Installer\MSIBC4E.tmp, PE32 11->51 dropped 53 C:\Windows\Installer\MSIBBDE.tmp, PE32 11->53 dropped 55 C:\Windows\Installer\MSIBBBE.tmp, PE32 11->55 dropped 57 3 other malicious files 11->57 dropped 22 msiexec.exe 8 11->22         started        98 Windows Scripting host queries suspicious COM object (likely to drop second stage) 14->98 26 home21.exe 14->26         started        61 127.0.0.1 unknown unknown 17->61 file6 signatures7 process8 file9 47 C:\Users\user\AppData\Local\...\scrBC59.ps1, Unicode 22->47 dropped 49 C:\Users\user\AppData\Local\...\pssBC6B.ps1, Unicode 22->49 dropped 96 Bypasses PowerShell execution policy 22->96 28 powershell.exe 15 20 22->28         started        signatures10 process11 dnsIp12 76 teste.meuly.online 23.111.168.85, 443, 49742 HVC-ASUS United States 28->76 59 C:\Users\Public\Documents\home21.exe, PE32 28->59 dropped 100 Powershell drops PE file 28->100 33 home21.exe 1 19 28->33         started        37 conhost.exe 28->37         started        file13 signatures14 process15 file16 45 C:\Users\Public\Documents\DiavcthD.vbs, ASCII 33->45 dropped 78 Query firmware table information (likely to detect VMs) 33->78 80 Tries to detect sandboxes and other dynamic analysis tools (window names) 33->80 82 Machine Learning detection for dropped file 33->82 84 4 other signatures 33->84 39 chrome.exe 1 33->39         started        signatures17 process18 dnsIp19 65 192.168.2.4, 443, 49723, 49724 unknown unknown 39->65 67 239.255.255.250 unknown Reserved 39->67 42 chrome.exe 39->42         started        process20 dnsIp21 69 winhomemodulo.ddns.net 42->69 72 winhomemodulo.ddns.net 64.226.97.61, 49748, 49749, 80 COGECO-PEER1CA Canada 42->72 74 12 other IPs or domains 42->74 signatures22 94 Uses dynamic DNS services 69->94
Score:
0%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/f610dbd7208f00b242b9f548410aa1e428e5daf9479d9807095195f6a6a03a73
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f610dbd7208f00b242b9f548410aa1e428e5daf9479d9807095195f6a6a03a73/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6yinxvzar4aleqvz6veeccvb4quolwxzi6ozqbyjkgk7njvahjzq._file
Verdict:
unknown
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion execution trojan
Link:
https://tria.ge/reports/240704-v793dssfrh/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Command and Scripting Interpreter: PowerShell
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Checks whether UAC is enabled
Downloads MZ/PE file
Enumerates connected drives
Checks BIOS information in registry
Blocklisted process makes network request
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/9c609ced-2310-41d0-b10e-e8543dbde889
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f610dbd7208f00b242b9f548410aa1e428e5daf9479d9807095195f6a6a03a73

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_LATAM_MSI_Banker
Create hunting rule
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link

Comments