MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff46fc75ad9f26aa82bb261feb5bc4c1b544764785c6a9cd79809cba6a01ec72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Threat unknown


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff46fc75ad9f26aa82bb261feb5bc4c1b544764785c6a9cd79809cba6a01ec72
SHA3-384 hash: 4c54d1ed82e37f440909a5698ffb9dff973e08ec1927a509fbae57b452fd532958ce94a778b17023a05b14376b12ca78
SHA1 hash: 64b5685f598504335b144e71daf9333881368251
MD5 hash: 2701b51f9add84949a704863405a278a
humanhash: missouri-quebec-uniform-colorado
File name:VLC_media_player_IIS.msi
Download: download sample
File size:23'572'992 bytes
First seen:2023-01-18 03:23:23 UTC
Last seen:Never
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 393216:Dhi1i04ph6pVrsGJB1Mv42sgoYlC9nclm5wX11Q6xLbDUtAcDHqCyox1+:Dhimc5sm1g4f7YlsnclVQ6xLbjayox1
Threatray 86 similar samples on MalwareBazaar
TLSH T16537233278C9C232EA6F4330166ADB7B51F96EE1377340DB63D8996E0E754C08275A93
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter 1ZRR4H
Tags:DEV-0569 msi

Intelligence

File Origin
# of uploads :
1
# of downloads :
143
Origin country :
CL CL
Vendor Threat Intelligence
Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
anti-vm evasive explorer.exe fingerprint shell32.dll
Link:
https://www.filescan.io/uploads/63c76655afdaca54d438fb2d/reports/43edb7c0-cbfa-4951-99fa-a3a184b61b49/overview
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/ff46fc75ad9f26aa82bb261feb5bc4c1b544764785c6a9cd79809cba6a01ec72
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
45 / 100
Link:
https://www.joesandbox.com/analysis/1153621
Signature
Antivirus detection for URL or domain
Bypasses PowerShell execution policy
Multi AV Scanner detection for domain / URL
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 786353 Sample: VLC_media_player_IIS.msi Startdate: 18/01/2023 Architecture: WINDOWS Score: 45 49 Multi AV Scanner detection for domain / URL 2->49 51 Antivirus detection for URL or domain 2->51 8 msiexec.exe 3 14 2->8         started        11 msiexec.exe 12 2->11         started        process3 file4 27 C:\Windows\Installer\MSIE3DC.tmp, PE32 8->27 dropped 29 C:\Windows\Installer\MSIB260.tmp, PE32 8->29 dropped 31 C:\Windows\Installer\MSIA34B.tmp, PE32 8->31 dropped 33 C:\Windows\Installer\MSIA1C3.tmp, PE32 8->33 dropped 13 msiexec.exe 16 8->13         started        16 msiexec.exe 8->16         started        35 C:\Users\user\AppData\Local\...\MSI7654.tmp, PE32 11->35 dropped 37 C:\Users\user\AppData\Local\...\MSI7597.tmp, PE32 11->37 dropped 39 C:\Users\user\AppData\Local\...\MSI74CB.tmp, PE32 11->39 dropped 41 4 other files (none is malicious) 11->41 dropped process5 file6 43 C:\Users\user\AppData\Local\...\scrB2AC.ps1, Unicode 13->43 dropped 45 C:\Users\user\AppData\Local\...\pssB2AE.ps1, Unicode 13->45 dropped 19 powershell.exe 17 13->19         started        21 powershell.exe 3 13->21         started        47 Bypasses PowerShell execution policy 16->47 signatures7 process8 process9 23 conhost.exe 19->23         started        25 conhost.exe 21->25         started       
Gathering data
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=75dpy5nnt4tkvav3eyp6ww6eyg2ui5shqxdkttlzqcolu2qb5rza._file
Verdict:
unknown
Similar samples:
00b74733bcfeb9fbe6351f62fad0c9c2653ea90989461912d120f89472a262f1
27ec567e09d46bc9cf86e4ba699c893832403a698e414ced8b9af680c67cec2f
348a583651121ae324dc81391d1645e001b52e7433c0d2cbc9ef04f32d116b69
67d94aebea173f8c5bb4bed42f50897e4eb917ea3e180d0fa0aab811c932dc7a
980336b0ef128cf15b9a8e2e6c1a1d2218d7f12a62c34eb1aeafac47644fcdf0
a519aea7bbd70ca7c031db95b52bab0d6c416ae5038c12b3e66d85b84cf7652a
b2a09ad10595641bc731dd1ced0cb493d47663894ba57da9a941031d1a73ce8a
b6a0cc1e5488c0c9f1429d1744f8c2f81f7dce4229b8322fbdad043cd9084b1f
d82b69c1b464213cb75866f3b9a01f23df9bd968eb1c8e88fbf54f9749d01047
fa91996407e821400f962f248c576cacc2163f61fa12b1f21d4ad6fede3a010e
+ 76 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/230118-dx3f5agf76/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Enumerates connected drives
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ff46fc75ad9f26aa82bb261feb5bc4c1b544764785c6a9cd79809cba6a01ec72

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:dsc
Create hunting rule
Author:Aaron DeVera
Description:Discord domains
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR
Rule name:SUSP_Websites
Create hunting rule
Author:SECUINFRA Falcon Team
Description:Detects the reference of suspicious sites that might be used to download further malware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments