MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3ac8decd825d1ed7a86ed86d7789b44c0f0c467d4f482ab0863df1b7b1e3e8cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 8


Intelligence 8 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3ac8decd825d1ed7a86ed86d7789b44c0f0c467d4f482ab0863df1b7b1e3e8cc
SHA3-384 hash: c4f5c0372f06355e95037486cde88138ccf2eb29a4aa30dc06e46deca8db761746508599d79c10309c84a709ccddf07d
SHA1 hash: 55e1ddbbdb2b858fac8c095b7f89ed2b5c405f47
MD5 hash: 2a170a34027b27507f3de6c884ba3b49
humanhash: winter-lake-orange-minnesota
File name:Form_Ver-11-58-52.js
Download: download sample
Signature BazaLoader
Create hunting rule
File size:585'687 bytes
First seen:2024-06-23 17:39:19 UTC
Last seen:Never
File type:Java Script (JS) js
MIME type:text/plain
ssdeep 12288:IjHp2leGMt4BL3ML5KEWyYpimECdMS+8lvAgOe:OMleZt4BwL5KEWyYp8CdMSHlvAgZ
TLSH T115C45B60FE4501661D83279F9C6225D2FD3C925193022228E99E83AD2F875DCD37DBAF
Reporter 1ZRR4H
Tags:BazaLoader BruteRatel js Latrodectus

Intelligence

File Origin
# of uploads :
1
# of downloads :
778
Origin country :
CL CL
Vendor Threat Intelligence
Detection(s):
Js.Downloader.Latrodectus-10031446-0
Create hunting rule

Verdict:
Suspicious
Score:
50%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66785df48bee61523c5d105awin7simulatehigh_evasion
Tags:
Stealth
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
cerberus lolbin remote shell32
Link:
https://www.filescan.io/uploads/66785df30bf5978c0b11ae0c/reports/a4388e07-6b33-40b9-86c9-8334241e60d7/overview
Verdict:
Suspicious
Labled as:
Js.Downloader.Latrodectus
Link:
https://www.hybrid-analysis.com/sample/3ac8decd825d1ed7a86ed86d7789b44c0f0c467d4f482ab0863df1b7b1e3e8cc
Result
Verdict:
MALICIOUS
Details
Base64 Encoded URL
Detected an ANSI or UNICODE http:// or https:// base64 encoded URL prefix.
Result
Threat name:
Bazar Loader, BruteRatel, Latrodectus
Create hunting rule
Detection:
malicious
Classification:
evad.spre.bank.troj.spyw
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1460817
Signature
Allocates memory in foreign processes
Antivirus detection for URL or domain
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if browser processes are running
Contains functionality to inject threads in other processes
Contains functionality to steal Internet Explorer form passwords
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
PE file contains section with special chars
Performs a network lookup / discovery via net view
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sets debug register (to hijack the execution of another thread)
Sigma detected: RunDLL32 Spawning Explorer
Sigma detected: WScript or CScript Dropper
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Uses ipconfig to lookup or modify the Windows network settings
Uses net.exe to modify the status of services
Writes to foreign memory regions
Yara detected Bazar Loader
Yara detected BruteRatel
Yara detected Generic JS Downloader
Yara detected Latrodectus
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1460817 Sample: Form_Ver-13-59-03 (1).js Startdate: 21/06/2024 Architecture: WINDOWS Score: 100 70 ultroawest.com 2->70 72 kurvabbr.pw 2->72 74 3 other IPs or domains 2->74 108 Found malware configuration 2->108 110 Antivirus detection for URL or domain 2->110 112 Yara detected Generic JS Downloader 2->112 114 8 other signatures 2->114 13 msiexec.exe 14 29 2->13         started        18 wscript.exe 2 2->18         started        signatures3 process4 dnsIp5 80 85.208.108.63, 49727, 80 ENZUINC-US Netherlands 13->80 62 C:\Windows\Installer\MSI813D.tmp, PE32 13->62 dropped 64 C:\Users\user\AppData\Roaming\aclui.dll, PE32+ 13->64 dropped 66 C:\Windows\Installer\MSI8070.tmp, PE32 13->66 dropped 68 3 other files (none is malicious) 13->68 dropped 132 Drops executables to the windows directory (C:\Windows) and starts them 13->132 20 MSI813D.tmp 1 13->20         started        22 msiexec.exe 13->22         started        file6 signatures7 process8 process9 24 rundll32.exe 20->24         started        process10 26 rundll32.exe 1 12 24->26         started        dnsIp11 76 barsen.monster 94.232.249.86, 49732, 49742, 49770 INT-PDN-STE-ASSTEPDNInternalASSY Syrian Arab Republic 26->76 78 kurvabbr.pw 94.232.249.87, 49731, 49738, 49741 INT-PDN-STE-ASSTEPDNInternalASSY Syrian Arab Republic 26->78 116 Contains functionality to inject threads in other processes 26->116 118 Injects code into the Windows Explorer (explorer.exe) 26->118 120 Sets debug register (to hijack the execution of another thread) 26->120 122 4 other signatures 26->122 30 explorer.exe 90 11 26->30 injected signatures12 process13 dnsIp14 82 kalopvard.com 185.93.221.101, 443, 49771, 49772 OBLTEL-ASRU Switzerland 30->82 84 ultroawest.com 77.83.196.180, 443, 49755, 49756 ASN-MOLMoscowRussiaRU Lithuania 30->84 134 System process connects to network (likely due to code injection or exploit) 30->134 136 Checks if browser processes are running 30->136 138 Contains functionality to steal Internet Explorer form passwords 30->138 140 Tries to harvest and steal browser information (history, passwords, etc) 30->140 34 rundll32.exe 30->34         started        37 rundll32.exe 12 30->37         started        39 cmd.exe 30->39         started        41 10 other processes 30->41 signatures15 process16 signatures17 86 System process connects to network (likely due to code injection or exploit) 34->86 88 Injects code into the Windows Explorer (explorer.exe) 34->88 90 Writes to foreign memory regions 34->90 92 Injects a PE file into a foreign processes 34->92 94 Allocates memory in foreign processes 37->94 96 Modifies the context of a thread in another process (thread injection) 37->96 98 Creates a thread in another existing process (thread injection) 37->98 43 net.exe 39->43         started        46 conhost.exe 39->46         started        100 Uses net.exe to modify the status of services 41->100 102 Uses ipconfig to lookup or modify the Windows network settings 41->102 104 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 41->104 106 Performs a network lookup / discovery via net view 41->106 48 net.exe 41->48         started        50 systeminfo.exe 41->50         started        52 WMIC.exe 41->52         started        54 16 other processes 41->54 process18 signatures19 124 Writes to foreign memory regions 43->124 126 Allocates memory in foreign processes 43->126 56 net1.exe 43->56         started        58 net1.exe 48->58         started        128 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 50->128 60 WmiPrvSE.exe 50->60         started        130 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 52->130 process20
Score:
100%
Verdict:
Malware
File Type:
SCRIPT
Link:
https://malprob.io/report/3ac8decd825d1ed7a86ed86d7789b44c0f0c467d4f482ab0863df1b7b1e3e8cc
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3ac8decd825d1ed7a86ed86d7789b44c0f0c467d4f482ab0863df1b7b1e3e8cc/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hlen5tmclupnpkdo3bwxpcnujqhqyrt5j5ecvmeghxy3pmpd5dga._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
execution
Link:
https://tria.ge/reports/240623-v8vn4axhqa/
Behaviour
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Command and Scripting Interpreter: JavaScript
Drops file in Windows directory
Enumerates connected drives
Executes dropped EXE
Loads dropped DLL
Blocklisted process makes network request
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3ac8decd825d1ed7a86ed86d7789b44c0f0c467d4f482ab0863df1b7b1e3e8cc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cerberus
Create hunting rule
Author:Jean-Philippe Teissier / @Jipe_
Description:Cerberus
Rule name:GuLoader
Create hunting rule
Rule name:maldoc_getEIP_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:meth_get_eip
Create hunting rule
Author:Willi Ballenthin
Rule name:unknown_dropper
Create hunting rule
Author:#evilcel3ri
Description:Detects an unknown dropper
Rule name:Windows_Trojan_BruteRatel_4110d879
Create hunting rule
Author:Elastic Security
Rule name:win_bazarbackdoor_auto
Create hunting rule
Author:Felix Bilstein - yara-signator at cocacoding dot com
Description:Detects win.bazarbackdoor.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments