MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fc005f6bc0dec3ea5f11ce4f7fbcd6cd452427e1766cde0d0de2d3225a2adba1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Metamorfo

Vendor detections: 5

Intelligence 5 IOCs YARA 4 File information Comments

SHA256 hash:	fc005f6bc0dec3ea5f11ce4f7fbcd6cd452427e1766cde0d0de2d3225a2adba1
SHA3-384 hash:	1646ed3a45e4e5583264247286d6635017ba5df288d6a36378a0b6d2789cad9f41257f13723b0148b5ce834d38370030
SHA1 hash:	61e8e1f7024e53849ce9825cce43f004ef5b4ad4
MD5 hash:	9cb6f451096875361f599464d9490259
humanhash:	zulu-blossom-jupiter-berlin
File name:	OP1252BR. ZïKJS.msi
Download:	download sample
Signature	Metamorfo Create hunting rule
File size:	6'954'496 bytes
First seen:	2021-07-12 13:15:02 UTC
Last seen:	2021-07-12 13:56:24 UTC
File type:	msi
MIME type:	application/x-msi
ssdeep	98304:XYxq68xMVA+nuijpG8lQ3f53eyibmw8a0FDIFLU4UUU3UUUtvFOZ:PunuijpGNvReydwFkQLU4UUU3UUUhFO
Threatray	65 similar samples on MalwareBazaar
TLSH	T1FF668C057E9890D0D67A81388916867AD6717C020F6D8ADFF19DBB5E2F336D28E39313
Reporter	Anonymous
Tags:	MetaMorfo msi

Intelligence

File Origin

# of uploads :

# of downloads :

100

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/171106/

Result

Verdict:

MALICIOUS

Link:

https://labs.inquest.net/dfi/sha256/fc005f6bc0dec3ea5f11ce4f7fbcd6cd452427e1766cde0d0de2d3225a2adba1

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

48 / 100

Link:

https://www.joesandbox.com/analysis/814884

Signature

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/fc005f6bc0dec3ea5f11ce4f7fbcd6cd452427e1766cde0d0de2d3225a2adba1/

Threat name:

Script-JS.Downloader.SLoad

Status:

Malicious

First seen:

2021-06-23 19:34:12 UTC

AV detection:

10 of 29 (34.48%)

Threat level:

3/5

Verdict:

unknown

Metamorfo

279ce901888969ce890380cbc2f88ec59529b2b722627015523fb1a054762592

Metamorfo

3ba885ffd9fb3245a9513f1bd8c6c01cc053976b0799c0f856aa98c6e8d03a2c

Metamorfo

6a302cdb1efa324f9fa2688866f25809ece99319f1ba3025abd50b757a17ddad

Metamorfo

7a786d6cfe052c82e7ab1d5b7f4427c594f2497c4fb374ab852e01c2c1a2b548

Metamorfo

80b6f4260035bf83f8cafbc80b8da3263d8ed022c96509aeaa6e4a0016c6eb42

Metamorfo

a4f95464eccef0c4da2d48481ef8b1006a6ed0918fb421db63c793e1001bbeda

Metamorfo

b38256f6d2f6f4437714a7eb5f6c97750303f0a94efdfbcbd939e33bfdea48c5

Metamorfo

ba67c7d19ae5f1e164777227739631ca2187406a447edc218f4807e986ea3430

Metamorfo

cfa9c1d8b0ea8b947b89c01c9cbb87a70161a528337e5af00e855a70d350f22e

Metamorfo

+ 55 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/210712-qg7ypxybve/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Enumerates connected drives

Loads dropped DLL

Blocklisted process makes network request

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.94

Link:

https://yomi.yoroi.company/submissions/fc005f6bc0dec3ea5f11ce4f7fbcd6cd452427e1766cde0d0de2d3225a2adba1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	metamorfo_msi Create hunting rule
Author:	jeFF0Falltrades
Description:	This is a simple, albeit effective rule to detect most Metamorfo initial MSI payloads

Rule name:	Ping_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

Rule name:	suspicious_msi_file Create hunting rule
Author:	Johnk3r
Description:	Detects common strings, DLL and API in Banker_BR

Rule name:	win_unidentified_072_w0 Create hunting rule
Author:	jeFF0Falltrades
Description:	This is a simple, albeit effective rule to detect most Metamorfo initial MSI payloads

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Distributed via e-mail link

Cape

https://www.capesandbox.com/analysis/171106/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample