MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 617e31e9f71b365fe69719d3fc980d763e827a4f93d0e776d1587d0bfdb47674. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BruteRatel


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 617e31e9f71b365fe69719d3fc980d763e827a4f93d0e776d1587d0bfdb47674
SHA3-384 hash: 66fa6158bdb7f444ea9e8643963fe5c8449f1021fa3cb0d218de28e05f1a2ac7870f14a0163973e46e3c616881c26b1c
SHA1 hash: 62e23500cc5368e37be47371342784f72e481647
MD5 hash: bc8e744b7004cf5f0d36aba128abb175
humanhash: fanta-one-hawaii-purple
File name:vierm_soft_x64.dll
Download: download sample
Signature BruteRatel
Create hunting rule
File size:682'496 bytes
First seen:2024-09-27 19:55:07 UTC
Last seen:2024-09-27 19:56:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash fc95d9602c39b01774b1f9a2b19b1e87 (2 x BruteRatel, 1 x BazaLoader)
ssdeep 12288:8j1cRMmvhqP3zdeuPmme1jyrbG4qqs4bXqJxA1:8j1cmmvh+z4mm/p08qfXx
TLSH T1EFE4CF01F57180F4E4A7A03C5E77F247E6B234494B2095DF43E48A1E9F23BE51A7A36A
TrID 44.4% (.EXE) Win64 Executable (generic) (10523/12/4)
21.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
8.7% (.ICL) Windows Icons Library (generic) (2059/9)
8.5% (.EXE) OS/2 Executable (generic) (2029/13)
8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter k3dg3___
Tags:BazaLoader Brute Ratel BruteRatel exe Latrodectus

Intelligence

File Origin
# of uploads :
2
# of downloads :
857
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Document-19-27-03.js
Verdict:
Malicious activity
Analysis date:
2024-09-27 19:33:45 UTC
Tags:
loader
Link:
https://app.any.run/tasks/6e985929-ed69-406d-80a5-c3ca6ff456b1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
Win.Trojan.Latrodectus-10031447-0
Create hunting rule

Verdict:
Clean
Score:
89.3%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66f70dd44b14762f62125df8
Tags:
n/a
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
masquerade microsoft_visual_cc packed peloader
Link:
https://www.filescan.io/uploads/66f70dd4b0f518b6a9fca049/reports/9fa2eab8-559b-44b7-8cd8-7c8cf7642f8a/overview
Verdict:
Suspicious
Labled as:
Trojan.Latrodectus
Link:
https://www.hybrid-analysis.com/sample/617e31e9f71b365fe69719d3fc980d763e827a4f93d0e776d1587d0bfdb47674
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/82e95368-5fbc-4e72-a665-0df9abc85718
Result
Threat name:
Bazar Loader, BruteRatel, Latrodectus
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1520780
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Found malware configuration
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sample uses string decryption to hide its real strings
Sets debug register (to hijack the execution of another thread)
Sigma detected: RunDLL32 Spawning Explorer
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Bazar Loader
Yara detected BruteRatel
Yara detected Latrodectus
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1520780 Sample: vierm_soft_x64.dll.exe Startdate: 27/09/2024 Architecture: WINDOWS Score: 100 32 tiguanin.com 2->32 34 isomicrotich.com 2->34 36 2 other IPs or domains 2->36 46 Suricata IDS alerts for network traffic 2->46 48 Found malware configuration 2->48 50 Yara detected Latrodectus 2->50 52 5 other signatures 2->52 8 loaddll64.exe 1 2->8         started        signatures3 process4 process5 10 rundll32.exe 12 8->10         started        14 rundll32.exe 8->14         started        16 cmd.exe 1 8->16         started        18 16 other processes 8->18 dnsIp6 40 bazarunet.com 185.106.92.54, 49707, 49711, 49722 SUPERSERVERSDATACENTERRU Russian Federation 10->40 42 greshunka.com 82.115.223.39, 49715, 49719, 49736 MIDNET-ASTK-TelecomRU Russian Federation 10->42 44 tiguanin.com 82.115.223.40, 49731, 49735, 49737 MIDNET-ASTK-TelecomRU Russian Federation 10->44 56 System process connects to network (likely due to code injection or exploit) 10->56 58 Injects code into the Windows Explorer (explorer.exe) 10->58 60 Sets debug register (to hijack the execution of another thread) 10->60 64 5 other signatures 10->64 20 explorer.exe 10->20 injected 62 Contains functionality to inject threads in other processes 14->62 24 rundll32.exe 16->24         started        26 WerFault.exe 20 16 18->26         started        28 WerFault.exe 16 18->28         started        30 WerFault.exe 18->30         started        signatures7 process8 dnsIp9 38 isomicrotich.com 188.114.97.3, 443, 49754, 49756 CLOUDFLARENETUS European Union 20->38 54 System process connects to network (likely due to code injection or exploit) 20->54 signatures10
Score:
82%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/617e31e9f71b365fe69719d3fc980d763e827a4f93d0e776d1587d0bfdb47674
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/617e31e9f71b365fe69719d3fc980d763e827a4f93d0e776d1587d0bfdb47674/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mf7dd2pxdm3f7zuxdhj7zganoy7ie6spspioo5wrlb6qx7nuoz2a._file
Verdict:
malicious
Label(s):
bruteratelc4
Create hunting rule
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/240927-ynnltswhkk/
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/750e36e6-6bf0-499b-a4bc-59729a4e2d69
Unpacked files
SH256 hash:
48d439a75fbf8d205a4b864e60b0d608bd26d664641753c32b49771c34f239a6
MD5 hash:
4215b49991cc4bf537f93f578c2bd01f
SHA1 hash:
53612127458b58d49d162fe73e6814c3615a8aa1
Detections:
win_bazarbackdoor_auto
Create hunting rule
win_brute_ratel_c4_a0
Create hunting rule
Link:
https://www.unpac.me/results/76dacbf3-8da9-4741-b47d-e1c10cb95739/
SH256 hash:
617e31e9f71b365fe69719d3fc980d763e827a4f93d0e776d1587d0bfdb47674
MD5 hash:
bc8e744b7004cf5f0d36aba128abb175
SHA1 hash:
62e23500cc5368e37be47371342784f72e481647
Link:
https://www.unpac.me/results/76dacbf3-8da9-4741-b47d-e1c10cb95739/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/617e31e9f71b365fe69719d3fc980d763e827a4f93d0e776d1587d0bfdb47674

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:malware_shellcode_hash
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect shellcode api hash value

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

BazaLoader

pdf 3f7a5830f2edc0a5d6943b6a5eabe28f8e26a5ecd7a729495efc4f09f1500fc2

BazaLoader

Java Script (JS) js 2dcaecbd2d152af35590f83accbaea894e2b6e55284cd187ad6308fd300d42ed

BruteRatel

Microsoft Software Installer (MSI) msi 2b0af73350b8a2b37617ca7632de9a0657a20976c2402717e7dc4bef7dcbabdb

BruteRatel

Executable exe 617e31e9f71b365fe69719d3fc980d763e827a4f93d0e776d1587d0bfdb47674

(this sample)

  
Dropped by
SHA256 2b0af73350b8a2b37617ca7632de9a0657a20976c2402717e7dc4bef7dcbabdb
  
Delivery method
Distributed via e-mail attachment
  
URLhaus
https://urlhaus.abuse.ch/url/3194525/
  
Dropped by
MD5 191fc2a008bac8a013e6fc50639c9758

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryW
KERNEL32.dll::GetStartupInfoW
KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW
KERNEL32.dll::CreateFileA

Comments