MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fdf2288ffbb80fc64122ffaa3442d3b60cb0bbe99dcf9d6f6c3d1565f96cde43. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 5


Intelligence 5 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fdf2288ffbb80fc64122ffaa3442d3b60cb0bbe99dcf9d6f6c3d1565f96cde43
SHA3-384 hash: 90feac44375b23d057a45c44ec3d25a1e4631fdfd2caf73f70e219c9cd13407c0c6d12137d1668a6cb6aa8628758d32d
SHA1 hash: b32b5d78d6df8a135e67558b531ddd2903afbfab
MD5 hash: 7341162766507ed42bbc3a37fe72f96d
humanhash: carpet-charlie-foxtrot-cold
File name:Wasabi-2.0.7.msi
Download: download sample
File size:2'499'584 bytes
First seen:2024-05-06 22:06:22 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:K78OSDg2QFoSNz5nRMihPUEMAHmV5B1/7uImVHMmrz5qmg+yvNP3:5xDg2izjtGD7rmVHMm
Threatray 16 similar samples on MalwareBazaar
TLSH T1F4C54B21B587C436C56F03B3A92DEE5E55397F223B3314E77AE43AAE09B48C11631E16
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter ninjacatcher
Tags:backdoor CryptoShuffler msi


Avatar
ninjacatcher
This is a fake from https://wasabiwallet.is/download.php – do not run this

http://filesclubspot.com/Wasabi-2.0.7.msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
141
Origin country :
GB GB
Vendor Threat Intelligence
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm lolbin masquerade msiexec remote shell32
Link:
https://www.filescan.io/uploads/66395487df07636df8d16937/reports/8ad7b1ca-55e6-48c6-b72a-ea316a143704/overview
Verdict:
Suspicious
Link:
https://www.hybrid-analysis.com/sample/fdf2288ffbb80fc64122ffaa3442d3b60cb0bbe99dcf9d6f6c3d1565f96cde43
Result
Threat name:
n/a
Detection:
suspicious
Classification:
rans.troj
Score:
26 / 100
Link:
https://www.joesandbox.com/analysis/1437067
Signature
Creates autostart registry keys to launch java
Writes a notice file (html or txt) to demand a ransom
Yara detected Generic Downloader
Behaviour
Behavior Graph:
Download SVG
Score:
0%
Verdict:
Benign
File Type:
ARCHIVE
Link:
https://malprob.io/report/fdf2288ffbb80fc64122ffaa3442d3b60cb0bbe99dcf9d6f6c3d1565f96cde43
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fdf2288ffbb80fc64122ffaa3442d3b60cb0bbe99dcf9d6f6c3d1565f96cde43/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7xzcrd73xah4mqjc76vdiqwtwyglbo7jtxhz233mhukwl6lm3zbq._file
Verdict:
unknown
Similar samples:
169c5cb4f4eac0ab52f6fbf9919918056653ef3f4d59d2727d060b62d268f272
32a7bd36706affb81326833846ef47c41510c0baec68078a6eec71dd38a6d6a9
45a6e02b92fca3c1de67e7dba8433dc45455c2a6988dd2f2fc230cd67250da7e
58399bfc49dfa256e09fab1b2c561b1e48c04f1ddb43e55e95c80acf06583dab
6a94447715f2799d8b5fe10299fd93fe3d37c1bc89a6aaaa3781c689f0bc153b
6d953223090c61bd00ba9a174559e57ce39b794c6fe88880a97487a32b09855a
b09615c12af72a091f135d8020060765058c21653796ea495f921705c76fa5b2
b5a00c7c902fdfba6c6e693d516c39e1ba04fae89c34efc5cda059060121da1c
d66812f02f526272e30b186a633dac959507c59830a11232f4b36ed879a44741
fa9b8e9bcd992a27b3e86fd9dfc2635afffd54616e0cd5aacf4d17c9e86b258c
+ 6 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/240506-11mamsdc4s/
Behaviour
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Loads dropped DLL
Enumerates connected drives
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fdf2288ffbb80fc64122ffaa3442d3b60cb0bbe99dcf9d6f6c3d1565f96cde43

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_LATAM_MSI_Banker
Create hunting rule
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:MD5_Constants
Create hunting rule
Author:phoul (@phoul)
Description:Look for MD5 constants
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Microsoft Software Installer (MSI) msi fdf2288ffbb80fc64122ffaa3442d3b60cb0bbe99dcf9d6f6c3d1565f96cde43

(this sample)

Java file jar 759d8edcb0fc7b6ed288d647cc6fdf9598d944b922654fae2e999d2f89407b3d

  
Delivery method
Distributed via web download
  
Dropping
SHA256 759d8edcb0fc7b6ed288d647cc6fdf9598d944b922654fae2e999d2f89407b3d
  
Dropping
MD5 f3696bbcc913c9df56fc660729fc4e80

Comments