MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa0b106a34cfe1dbdcc77d68cf57fc26de34ffeef74e3eef979e3cf4a5409a1f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Magniber
Vendor detections: 6

SHA256 hash: fa0b106a34cfe1dbdcc77d68cf57fc26de34ffeef74e3eef979e3cf4a5409a1f
SHA3-384 hash: 6eaa51a8dabea3c3f8f7627e5f674703f9fa789f0ba0f8c4b7df7e357c18e8de8701c3ab7e8b2b7b536c1928010c248d
SHA1 hash: bc38d89d7cb2f0b44d82a2c8970f6a4e4acdc469
MD5 hash: 5e9bfb92927d4f2c9437217d6486370b
humanhash: florida-four-moon-october
File name: Win10.0_System_Upgrade_Software.msi
Signature Magniber
File size: 98'304 bytes
First seen: 2022-05-12 06:03:31 UTC
Last seen: Never
File type: Microsoft Software Installer (MSI) msi
MIME type: application/x-msi
ssdeep 1536:vRGLu1LbTTiHDq7H/RHrbMBHAu0D80Dh7fx:BiHDEHprCAHLx
Threatray 46 similar samples on MalwareBazaar
TLSH T1E2A3823852F90277EA4D0F310BE45BAB02AB5C8BF578A15063387385757AF4C79CA963
TrID 88.4% (.MST) Windows SDK Setup Transform script (61000/1/5)
     11.5% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter obfusor
Tags: Magniber msi Ransomware signed
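The identifiers above are what a responder checks a quarantined file against. The following Python is an added example, not MalwareBazaar's or abuse.ch's code: it parses the hash lines as they appear on this page, computes the same four digests plus the size for a file in one pass (hashlib's sha3_384 covers the SHA3-384 field), checks that each recorded hash has the right length for its algorithm, and reports which fields agree. The sample bytes are constructed (an OLE2 header and padding), not the Magniber MSI, so they match nothing on this page.

```python
"""Compute the digests a MalwareBazaar entry lists and match a file against them.

Added example, not MalwareBazaar or abuse.ch code. RECORD_TEXT is copied from
this page; SAMPLE is constructed and is not the Magniber installer.
"""
import hashlib
import io
import re

RECORD_TEXT = """\
SHA256 hash: fa0b106a34cfe1dbdcc77d68cf57fc26de34ffeef74e3eef979e3cf4a5409a1f
SHA3-384 hash: 6eaa51a8dabea3c3f8f7627e5f674703f9fa789f0ba0f8c4b7df7e357c18e8de8701c3ab7e8b2b7b536c1928010c248d
SHA1 hash: bc38d89d7cb2f0b44d82a2c8970f6a4e4acdc469
MD5 hash: 5e9bfb92927d4f2c9437217d6486370b
File size:98'304 bytes
"""

# Constructed sample input: an OLE2 compound-document magic plus padding.
SAMPLE = bytes.fromhex("d0cf11e0a1b11ae1") + b"\x00" * 504

# Field name on the page -> hashlib constructor name.
ALGOS = {"md5": "md5", "sha1": "sha1", "sha256": "sha256", "sha3-384": "sha3_384"}
# Expected hex length of each digest; a wrong length means a truncated or mistyped hash.
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha3-384": 96}

LINE_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA3-384) hash:\s*([0-9a-fA-F]+)\s*$", re.M)
SIZE_RE = re.compile(r"File size:\s*([\d']+)\s*bytes")


def parse_record(text: str) -> dict:
    """Turn the 'XXX hash: value' lines of an entry into {field: lowercase hex}."""
    rec = {name.lower(): digest.lower() for name, digest in LINE_RE.findall(text)}
    m = SIZE_RE.search(text)
    if m:
        rec["size"] = int(m.group(1).replace("'", ""))  # page prints 98'304
    return rec


def validate(record: dict) -> list:
    """Names of fields whose value is not hex of the algorithm's digest length."""
    bad = []
    for name, n in HEX_LEN.items():
        v = record.get(name)
        if v is not None and not re.fullmatch(r"[0-9a-f]{%d}" % n, v.lower()):
            bad.append(name)
    return bad


def digest_stream(fp, chunk: int = 1 << 20) -> dict:
    """One pass over a file object, feeding every hash at once; also counts bytes."""
    hashes = {name: hashlib.new(algo) for name, algo in ALGOS.items()}
    size = 0
    while True:
        buf = fp.read(chunk)
        if not buf:
            break
        size += len(buf)
        for h in hashes.values():
            h.update(buf)
    out = {name: h.hexdigest() for name, h in hashes.items()}
    out["size"] = size
    return out


def digests(data: bytes) -> dict:
    return digest_stream(io.BytesIO(data))


def digests_of_file(path: str) -> dict:
    with open(path, "rb") as fp:
        return digest_stream(fp)


def match(record: dict, observed: dict) -> set:
    """Fields of the record that agree with what was observed (case-insensitive)."""
    return {
        k for k, v in record.items()
        if k in observed and str(observed[k]).lower() == str(v).lower()
    }


if __name__ == "__main__":
    rec = parse_record(RECORD_TEXT)
    print("malformed fields:", validate(rec))
    print("constructed sample matches:", match(rec, digests(SAMPLE)))
```

Lowercasing before comparison matters because other sources print the same digests in uppercase; the length check catches a truncated or mistyped hash before it silently never matches. For the real installer, `digests_of_file(path)` returns `size` 98304 and the four values listed at the top of this entry.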

Code Signing Certificate

Organisation: Foresee Consulting Inc.
Issuer: DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
Algorithm: sha256WithRSAEncryption
Valid from: 2021-11-24T00:00:00Z
Valid to: 2022-11-23T23:59:59Z
Serial number: 0bc0f18da36702e302db170d91dc9202
Intelligence: 37 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 904c0e30b8cb190bc90530f5c34f10394bebb4098701c0f2f6f1b33d3aab86a9
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 1
# of downloads: 294
Origin country: n/a

Vendor Threat Intelligence
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: magniber packed packed ransomware
Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Unknown
Detection: malicious
Classification: rans.evad
Score: 72 / 100
Signature:
Creates a thread in another existing process (thread injection)
Maps a DLL or memory area into another process
Modifies existing user documents (likely ransomware behavior)
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Behaviour
Behavior Graph ID: 624883
Sample: Win10.0_System_Upgrade_Soft...
Start date: 12/05/2022
Architecture: WINDOWS
Score: 72
Top-level signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file

Process tree recovered from the graph (graph node numbers in brackets; "injected" marks processes that were already running and that node 15 wrote into, not processes it started):
msiexec.exe [10] started
    dropped C:\Windows\Installer\MSIC1C7.tmp (PE32+)
    msiexec.exe [15] started
        dropped C:\Users\user\Desktop\QVTVNIBKSD.docx (data)
        dropped C:\Users\user\Desktop\MNULNCRIYC.xlsx (data)
        dropped C:\Users\user\Desktop\...\PSAMNLJHZW.pdf (data)
        dropped C:\Users\user\Documents\...\ONBQCLYSPU.jpg (DOS)
        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Creates a thread in another existing process (thread injection); Modifies existing user documents (likely ransomware behavior)
        svchost.exe [19] injected
            network: 96.7.53.168:80 (local port 49709), AKAMAI-ASUS, United States
            cmd.exe [26] started -> 2 other processes [56] -> regsvr32.exe [68]
            cmd.exe [28] started -> 2 other processes [58] -> regsvr32.exe [70]
            regsvr32.exe [30] started
        sihost.exe [22] injected
            cmd.exe [32] started -> fodhelper.exe [44] -> regsvr32.exe [62]; conhost.exe [46]
            cmd.exe [34] started -> fodhelper.exe [48] -> regsvr32.exe [64]; conhost.exe [50]
            regsvr32.exe [36] started
        svchost.exe [24] injected
            cmd.exe [38] started -> fodhelper.exe [52] -> regsvr32.exe [66]; conhost.exe [54]
            cmd.exe [40] started -> 2 other processes [60] -> regsvr32.exe [72]
            regsvr32.exe [42] started
msiexec.exe [13] started

The Desktop and Documents files listed as "dropped" are the sandbox's pre-placed user documents rewritten as opaque data, which is what the "Modifies existing user documents" signature reports; the installer itself never writes a visible payload to disk beyond the PE32+ custom-action DLL under C:\Windows\Installer.
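The process tree above is, in effect, a detection specification: a cmd.exe or regsvr32.exe whose parent is the injected svchost.exe or sihost.exe, and a regsvr32.exe whose parent is fodhelper.exe, an auto-elevating Windows binary that has no business launching a command interpreter or a LOLBin. The following Python is an added example, not the sandbox's or MalwareBazaar's code. It replays process-creation events constructed by hand from the graph (graph node numbers stand in for pids; the injected hosts get a placeholder parent because the graph does not show their real one; an explorer.exe -> cmd.exe control is added as a benign case) through two rules and prints the ancestry of every hit. The LOLBin list is generalised beyond the two images on this page (cmd.exe, regsvr32.exe); the extra names are an assumption about what the same bypass is typically paired with.

```python
"""Two process-ancestry rules derived from the Magniber behaviour graph above.

Added example, not vendor or MalwareBazaar code. EVENTS is constructed from the
graph on this page: pids are graph node numbers, not real Windows pids.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str  # image file name only, compared case-insensitively


# Images that should never be children of the parents below. Only cmd.exe and
# regsvr32.exe appear on this page; the rest are an assumed generalisation.
LOLBINS = {"cmd.exe", "regsvr32.exe", "powershell.exe", "rundll32.exe", "mshta.exe", "wscript.exe"}
# Auto-elevating binaries abused for UAC bypass; the page shows fodhelper.exe.
AUTO_ELEVATE = {"fodhelper.exe"}
# System host processes the graph shows as injection targets.
SYSTEM_HOSTS = {"svchost.exe", "sihost.exe"}

EVENTS = [
    ProcEvent(10, 2, "msiexec.exe"),
    ProcEvent(13, 2, "msiexec.exe"),
    ProcEvent(15, 10, "msiexec.exe"),
    # Injection targets; placeholder parent 1 because the graph omits it.
    ProcEvent(19, 1, "svchost.exe"),
    ProcEvent(22, 1, "sihost.exe"),
    ProcEvent(24, 1, "svchost.exe"),
    ProcEvent(26, 19, "cmd.exe"), ProcEvent(28, 19, "cmd.exe"), ProcEvent(30, 19, "regsvr32.exe"),
    ProcEvent(32, 22, "cmd.exe"), ProcEvent(34, 22, "cmd.exe"), ProcEvent(36, 22, "regsvr32.exe"),
    ProcEvent(38, 24, "cmd.exe"), ProcEvent(40, 24, "cmd.exe"), ProcEvent(42, 24, "regsvr32.exe"),
    ProcEvent(44, 32, "fodhelper.exe"), ProcEvent(46, 32, "conhost.exe"),
    ProcEvent(48, 34, "fodhelper.exe"), ProcEvent(50, 34, "conhost.exe"),
    ProcEvent(52, 38, "fodhelper.exe"), ProcEvent(54, 38, "conhost.exe"),
    ProcEvent(62, 44, "regsvr32.exe"), ProcEvent(64, 48, "regsvr32.exe"), ProcEvent(66, 52, "regsvr32.exe"),
    # Constructed benign control: a user opening a shell from the desktop.
    ProcEvent(100, 3, "explorer.exe"), ProcEvent(101, 100, "cmd.exe"), ProcEvent(102, 101, "conhost.exe"),
]


def index(events):
    return {e.pid: e for e in events}


def chain(by_pid, pid):
    """Image names from the highest known ancestor down to pid; stops at
    unknown parents and at pid reuse cycles."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        names.append(by_pid[pid].image.lower())
        pid = by_pid[pid].ppid
    return list(reversed(names))


def detect(events):
    """Return one finding per LOLBin child of an auto-elevating binary or of
    an injected system host, with the full ancestry for triage."""
    by_pid = index(events)
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or e.image.lower() not in LOLBINS:
            continue
        par = parent.image.lower()
        if par in AUTO_ELEVATE:
            rule = "auto_elevate_spawns_lolbin"
        elif par in SYSTEM_HOSTS:
            rule = "system_host_spawns_lolbin"
        else:
            continue
        findings.append({"rule": rule, "pid": e.pid, "chain": chain(by_pid, e.pid)})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f['rule']:28} pid={f['pid']:<4} {' > '.join(f['chain'])}")
```

On a real host the second rule needs narrowing before it is deployable: scheduled tasks run under the Schedule service's svchost.exe and routinely spawn cmd.exe, so the parent's service name or command line has to be part of the condition. sihost.exe as a parent of cmd.exe, and fodhelper.exe as a parent of anything in the LOLBin set, are the strong signals in this tree.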

Threat name: Win64.Ransomware.Magniber
Status: Malicious
First seen: 2022-05-12 06:04:05 UTC
File Type: Binary (Archive)
Extracted files: 26
AV detection: 16 of 41 (39.02%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour:
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Enumerates connected drives
Loads dropped DLL
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
