MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 345a58b6a943b3a9235473232e3b07d8259a4a852b6b81c73412bef8a404a2f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BazaLoader


Vendor detections: 10



SHA256 hash: 345a58b6a943b3a9235473232e3b07d8259a4a852b6b81c73412bef8a404a2f8
SHA3-384 hash: 79e4e6d02f003392477d5a38bc87f1533f8e3a37b26c3a3ab26c9bfacce9d3940eed8e85bc748c9fe6378a86f16499e4
SHA1 hash: 8c0d086705215f36b084fbaa71244fc6daac7458
MD5 hash: dba1f95413351b47bfa7c50c3a529844
humanhash: kentucky-victor-lamp-nevada
File name: yspx-v3.2.25-setup.exe
Signature BazaLoader
File size: 20'907'768 bytes
First seen: 2023-04-05 20:02:13 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash e569e6f445d32ba23766ad67d1e3787f (259 x Adware.Generic, 41 x RecordBreaker, 24 x RedLineStealer)
ssdeep 393216:Xn9cyPs8Wk3wPFLfb/w9433cyciW74mzRcwCC2OfDnA5fhyZxaH/5kd:X9cyk8nwNLzI94cyciszALWDAOLie
Threatray 27 similar samples on MalwareBazaar
TLSH T1A527333BF168643EC5AE1B7516B356109E3B7A61681A8C2E13FC340ECF765601E3F662
TrID 49.7% (.EXE) Inno Setup installer (109740/4/30)
19.5% (.EXE) InstallShield setup (43053/19/16)
18.8% (.EXE) Win32 EXE PECompact compressed (generic) (41569/9/9)
4.7% (.EXE) Win64 Executable (generic) (10523/12/4)
2.0% (.EXE) Win32 Executable (generic) (4505/5/1)
dhash icon 5050d270cccc82ae (109 x Adware.Generic, 43 x LummaStealer, 42 x OffLoader)
Reporter jw4lsec
Tags: agentb BazaLoader exe signed

Code Signing Certificate

Organisation: APTX Software
Issuer: APTX Software
Algorithm: sha256WithRSAEncryption
Valid from: 2023-01-26T20:02:27Z
Valid to: 2033-01-23T20:02:27Z
Serial number: 1da353fd3afee033327acc863e212c997c592e8f
Thumbprint Algorithm: SHA256
Thumbprint: 9dc8cda1df0c70c0c3ac120d4d5270751190e189edc97a580d016ed05a08db70
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


jw4lsec
Dropped by ducktail PHP variant

Intelligence


File Origin
# of uploads :
1
# of downloads :
718
Origin country :
US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
yspx-v3.2.25-setup.exe
Verdict:
Malicious activity
Analysis date:
2023-04-05 20:08:47 UTC
Tags:
installer

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Creating a window
Creating a process from a recently created file
Creating synchronization primitives
Searching for synchronization primitives
Creating a file in the %AppData% subdirectories
Moving a file to the %AppData% subdirectory
Creating a process with a hidden window
Running batch commands
Creating a file
Using the Windows Management Instrumentation requests
Launching a tool to kill processes
Enabling autorun by creating a file
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Behaviour
MalwareBazaar
CheckNumberOfProcessor
CheckCmdLine
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
installer overlay packed python setupapi.dll shell32.dll virus
Result
Verdict:
MALICIOUS
Result
Threat name:
BazaLoader
Detection:
malicious
Classification:
troj.spyw.evad
Score:
76 / 100
Signature
DLL side loading technique detected
Multi AV Scanner detection for submitted file
Obfuscated command line found
PE file has a writeable .text section
Potentially malicious time measurement code found
Tries to harvest and steal browser information (history, passwords, etc)
Yara detected BazaLoader
Behaviour
Behavior Graph: Behavior Graph ID: 842150, Sample: yspx-v3.2.25-setup.exe, Startdate: 05/04/2023, Architecture: WINDOWS, Score: 76. The rendered graph is not reproduced here; its node labels show yspx-v3.2.25-setup.exe dropping and starting yspx-v3.2.25-setup.tmp, which drops _setup64.tmp, unins000.exe and is-*.tmp files and starts WDCloud.exe; rhc.exe instances also start WDCloud.exe, which drops Python extension modules (_zope_interface_coptimizations.pyd, winxpgui.pyd, win32ui.pyd and others), a CookiesBak SQLite file, and spawns cmd.exe, conhost.exe and taskkill.exe. Signatures attached to the nodes: Multi AV Scanner detection for submitted file, Yara detected BazaLoader, PE file has a writeable .text section, Obfuscated command line found, Tries to harvest and steal browser information (history, passwords, etc), DLL side loading technique detected, Potentially malicious time measurement code found.
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware stealer
Behaviour
Kills process with taskkill
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Program crash
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: PE_Digital_Certificate
Author: albertzsigovits
Rule name: PE_Potentially_Signed_Digital_Certificate
Author: albertzsigovits
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
ducktail
  
Delivery method
Other

Comments