MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94b8ab735d503884585fdb5a735b3ea3485b6b19c1899939a5b2c0a80616400a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94b8ab735d503884585fdb5a735b3ea3485b6b19c1899939a5b2c0a80616400a
SHA3-384 hash: 8afb0adcb0a98730ed7f5f9a59eb6de09147f48136eab5660906d9f2bde10c9f6192fdde49b932087b30d2405dbd6b92
SHA1 hash: 78b4eb7d363e017eb06e03408d7952bbb843f9a9
MD5 hash: 9c8696dbb48add540a75737327c537d2
humanhash: finch-diet-michigan-charlie
File name:msitest2.msi
Download: download sample
Signature BazaLoader
Create hunting rule
File size:1'608'192 bytes
First seen:2024-02-11 16:36:43 UTC
Last seen:2024-02-11 18:23:49 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:yErvYpW8zBQSc0ZnSKeZKumZr7Amyq3TGtezO:RYQ0ZncK/AEs
TLSH T15F75C0227386C537C96E01303A29D66B5579FDB74B3140DBA3C82D2EAE744C16639FA3
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Reporter smica83
Tags:BazaLoader Lotus msi


Avatar
smica83
hxxps://45.140.146[.156/share/

Intelligence

File Origin
# of uploads :
2
# of downloads :
134
Origin country :
HU HU
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/475750/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.71502337.16286.16812.UNOFFICIAL
Create hunting rule

Verdict:
Likely Malicious
Threat level:
  7.5/10
Confidence:
100%
Tags:
lolbin remote shell32
Link:
https://www.filescan.io/uploads/65c8f7afac375bec15e40fd7/reports/d78fbb29-c630-4934-af9d-72e77b9e2ec1/overview
Verdict:
Malicious
Labled as:
Trojan.MSI.Agent
Link:
https://www.hybrid-analysis.com/sample/94b8ab735d503884585fdb5a735b3ea3485b6b19c1899939a5b2c0a80616400a
Result
Verdict:
MALICIOUS
Link:
https://labs.inquest.net/dfi/sha256/94b8ab735d503884585fdb5a735b3ea3485b6b19c1899939a5b2c0a80616400a
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Bazar Loader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/1390404
Signature
Antivirus detection for URL or domain
Drops executables to the windows directory (C:\Windows) and starts them
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Bazar Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1390404 Sample: msitest2.msi Startdate: 11/02/2024 Architecture: WINDOWS Score: 92 45 mastralakkot.live 2->45 47 fluraresto.me 2->47 53 Multi AV Scanner detection for domain / URL 2->53 55 Antivirus detection for URL or domain 2->55 57 Multi AV Scanner detection for dropped file 2->57 59 2 other signatures 2->59 7 msiexec.exe 9 2->7         started        10 msiexec.exe 15 38 2->10         started        13 rundll32.exe 2 2->13         started        15 rundll32.exe 2->15         started        signatures3 process4 file5 27 C:\Users\user\AppData\Local\...\MSI5ABF.tmp, PE32 7->27 dropped 29 C:\Users\user\AppData\Local\...\MSI5A8F.tmp, PE32 7->29 dropped 43 4 other malicious files 7->43 dropped 31 C:\Windows\Installer\MSI5E86.tmp, PE32 10->31 dropped 33 C:\Windows\Installer\MSI5D3C.tmp, PE32 10->33 dropped 35 C:\Windows\Installer\MSI5C8F.tmp, PE32 10->35 dropped 37 C:\Users\user\AppData\...\setordinal.dll, PE32+ 10->37 dropped 63 Drops executables to the windows directory (C:\Windows) and starts them 10->63 17 msiexec.exe 10->17         started        19 msiexec.exe 10->19         started        21 MSI5E86.tmp 10->21         started        39 C:\Users\user\AppData\...\Update_9b697234.dll, PE32+ 13->39 dropped 41 :wtfbbq (copy), PE32+ 13->41 dropped 23 rundll32.exe 12 13->23         started        signatures6 process7 dnsIp8 49 mastralakkot.live 104.21.51.238, 443, 49737 CLOUDFLARENETUS United States 23->49 51 fluraresto.me 172.67.166.24, 443, 49736 CLOUDFLARENETUS United States 23->51 61 System process connects to network (likely due to code injection or exploit) 23->61 signatures9
Score:
72%
Verdict:
Malware
File Type:
MSI
Link:
https://malprob.io/report/94b8ab735d503884585fdb5a735b3ea3485b6b19c1899939a5b2c0a80616400a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/94b8ab735d503884585fdb5a735b3ea3485b6b19c1899939a5b2c0a80616400a/
Threat name:
Win64.Trojan.Bazaloader
Create hunting rule
Status:
Malicious
First seen:
2024-02-07 06:20:13 UTC
File Type:
Binary (Archive)
Extracted files:
80
AV detection:
19 of 38 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ss4kw425ka4iiwc73nnhgwz6unefw2yzygezsonfwlakqbqwiafa._file
Verdict:
malicious
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://tria.ge/reports/240211-t4ss9sbg63/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Enumerates connected drives
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
BazarBackdoor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/94b8ab735d503884585fdb5a735b3ea3485b6b19c1899939a5b2c0a80616400a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_LATAM_MSI_Banker
Create hunting rule
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
X
https://twitter.com/ShanHolo/status/1756696815611592879?t=x5PatER8k8xJiTNRFXlR0A&s=19
Cape
Cape
https://www.capesandbox.com/analysis/475750/

Comments