MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97a6331239d451d7dfe15bfe17de8b419df741ae68bacd440808f8b8d3f99b8a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 14


Intelligence 14 IOCs YARA 9 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 97a6331239d451d7dfe15bfe17de8b419df741ae68bacd440808f8b8d3f99b8a
SHA3-384 hash: 4135f82d477dfc2be0d6158faffc18c9995bdd68c1d01a4fc02b7ea9fd5bcc95fb274001a355e60ba02388bc11120cd0
SHA1 hash: 178bba8686ea329b884a652fe0f8a0ae0c53d367
MD5 hash: b1ca25f5bb4edd293b3711c77eb99a6f
humanhash: lithium-neptune-thirteen-lithium
File name:vierm_soft_x64.dll
Download: download sample
Signature BazaLoader
Create hunting rule
File size:767'488 bytes
First seen:2024-10-03 18:43:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d3f19c8462acea3b286599d6db4d7d49 (1 x BazaLoader, 1 x Latrodectus)
ssdeep 12288:/h/M5nsxW5fFcrGn7Q21Svj07MGpmeSM6q4LWYv1AoMJPPyogk31OkRK1OKeQeq:/rD+JPPn8kM1Oej
TLSH T16FF4BF17B3A016F0E477D23ACA638E56FAF1F8194720AB9703D4457A5F233A05A7E316
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Magika pebin
Reporter k3dg3___
Tags:BazaLoader Brute Ratel BruteRatel exe Latrodectus

Intelligence

File Origin
# of uploads :
1
# of downloads :
466
Origin country :
US US
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Document-18-33-08.js
Verdict:
Malicious activity
Analysis date:
2024-10-03 18:42:57 UTC
Tags:
loader
Link:
https://app.any.run/tasks/f85c8090-fd7a-4029-b5fa-9d6b4a8c48a3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Clean
Score:
50%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66fee6af780a9b632d22baaf
Tags:
ransomware exploit emotet
Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fingerprint masquerade microsoft_visual_cc packed peloader
Link:
https://www.filescan.io/uploads/66fee5f3c942a2af176df71e/reports/77df20af-3457-4efa-9ade-37133f0f5ae7/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/97a6331239d451d7dfe15bfe17de8b419df741ae68bacd440808f8b8d3f99b8a
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BazarBackdoor
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a23b41af-bd2e-4945-8aac-c6b653785e1d
Result
Threat name:
Bazar Loader, BruteRatel, Latrodectus
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1525190
Signature
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Found malware configuration
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sample uses string decryption to hide its real strings
Sets debug register (to hijack the execution of another thread)
Sigma detected: RunDLL32 Spawning Explorer
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected Bazar Loader
Yara detected BruteRatel
Yara detected Latrodectus
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1525190 Sample: vierm_soft_x64.dll.exe Startdate: 03/10/2024 Architecture: WINDOWS Score: 100 39 tiguanin.com 2->39 41 isomicrotich.com 2->41 43 2 other IPs or domains 2->43 51 Suricata IDS alerts for network traffic 2->51 53 Found malware configuration 2->53 55 Yara detected Latrodectus 2->55 57 7 other signatures 2->57 9 loaddll64.exe 1 2->9         started        signatures3 process4 process5 11 rundll32.exe 12 9->11         started        15 rundll32.exe 9->15         started        17 cmd.exe 1 9->17         started        19 7 other processes 9->19 dnsIp6 47 greshunka.com 82.115.223.39, 49722, 49727, 49728 MIDNET-ASTK-TelecomRU Russian Federation 11->47 49 bazarunet.com 80.78.24.30, 49718, 49719, 49720 CYBERDYNELR Cyprus 11->49 61 System process connects to network (likely due to code injection or exploit) 11->61 63 Injects code into the Windows Explorer (explorer.exe) 11->63 65 Sets debug register (to hijack the execution of another thread) 11->65 69 5 other signatures 11->69 21 explorer.exe 11->21 injected 67 Contains functionality to inject threads in other processes 15->67 25 WerFault.exe 18 15->25         started        27 rundll32.exe 17->27         started        29 WerFault.exe 16 19->29         started        31 WerFault.exe 3 16 19->31         started        33 WerFault.exe 16 19->33         started        35 WerFault.exe 19->35         started        signatures7 process8 dnsIp9 45 isomicrotich.com 188.114.96.3, 443, 49773, 49774 CLOUDFLARENETUS European Union 21->45 59 System process connects to network (likely due to code injection or exploit) 21->59 37 WerFault.exe 20 16 27->37         started        signatures10 process11
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/97a6331239d451d7dfe15bfe17de8b419df741ae68bacd440808f8b8d3f99b8a
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/97a6331239d451d7dfe15bfe17de8b419df741ae68bacd440808f8b8d3f99b8a/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s6tdgerz2ri5px7blp7bpxuligo7oqnonc5m2raibd4lru7ztofa._file
Verdict:
malicious
Label(s):
bruteratelc4
Create hunting rule
Similar samples:
error
BazaLoader
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/241003-xdgj4a1amn/
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/627956be-e43e-46e0-b494-83dc30a480a1
Unpacked files
SH256 hash:
66b2eb66adf9bcb0b6180609ac2b709193fb39c08cc9e4d03f5bca52c38b580f
MD5 hash:
9d164335af3c08b73d388f62e2052f84
SHA1 hash:
e9c4101ce105b50b6c533f8c57b87383b47825f3
Detections:
win_bazarbackdoor_auto
Create hunting rule
win_brute_ratel_c4_a0
Create hunting rule
Link:
https://www.unpac.me/results/52446544-7c6e-4f11-a438-47f553f2e21f/
SH256 hash:
97a6331239d451d7dfe15bfe17de8b419df741ae68bacd440808f8b8d3f99b8a
MD5 hash:
b1ca25f5bb4edd293b3711c77eb99a6f
SHA1 hash:
178bba8686ea329b884a652fe0f8a0ae0c53d367
Link:
https://www.unpac.me/results/52446544-7c6e-4f11-a438-47f553f2e21f/
Malware family:
Latrodectus
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/97a6331239d4/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/97a6331239d451d7dfe15bfe17de8b419df741ae68bacd440808f8b8d3f99b8a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Create hunting rule
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerException__SetConsoleCtrl
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:SEH__vectored
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:ThreadControl__Context
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BazaLoader

Java Script (JS) js a9a4640e3887e4ee71ae0e0624afa6b8fa6a22cdffd190f1d83234109dd8496d

BazaLoader

Microsoft Software Installer (MSI) msi ea1792f689bfe5ad3597c7f877b66f9fcf80d732e5233293d52d374d50cab991

BazaLoader

Executable exe 97a6331239d451d7dfe15bfe17de8b419df741ae68bacd440808f8b8d3f99b8a

(this sample)

  
Dropped by
SHA256 ea1792f689bfe5ad3597c7f877b66f9fcf80d732e5233293d52d374d50cab991
  
Delivery method
Distributed via e-mail link
  
URLhaus
https://urlhaus.abuse.ch/url/3208630/
  
Dropped by
MD5 3cb6b99b20930ac0dbadc10899dc511e

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (GUARD_CF)high
CHECK_PIEMissing Position-Independent Executable (PIE) Protectionhigh
Reviews
IDCapabilitiesEvidence
WIN32_PROCESS_APICan Create Process and ThreadsKERNEL32.dll::CloseHandle
WIN_BASE_APIUses Win Base APIKERNEL32.dll::TerminateProcess
KERNEL32.dll::LoadLibraryExW
KERNEL32.dll::GetStartupInfoW
WIN_BASE_EXEC_APICan Execute other programsKERNEL32.dll::WriteConsoleW
KERNEL32.dll::ReadConsoleW
KERNEL32.dll::SetConsoleCtrlHandler
KERNEL32.dll::SetStdHandle
KERNEL32.dll::GetConsoleOutputCP
KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_APICan Create FilesKERNEL32.dll::CreateFileW

Comments