MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea1792f689bfe5ad3597c7f877b66f9fcf80d732e5233293d52d374d50cab991. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 11


Intelligence 11 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea1792f689bfe5ad3597c7f877b66f9fcf80d732e5233293d52d374d50cab991
SHA3-384 hash: 7572ca4a14ce96803bab353a30db9920892712ede470ca15b7e950e1de95a39083576a2de3589a9f8e802a98b1666458
SHA1 hash: 570c4ab78cf4bb22b78aac215a4a79189d4fa9ed
MD5 hash: 3cb6b99b20930ac0dbadc10899dc511e
humanhash: uniform-paris-sodium-december
File name:das.msi
Download: download sample
Signature BazaLoader
Create hunting rule
File size:1'669'120 bytes
First seen:2024-10-03 18:42:30 UTC
Last seen:2024-11-03 08:59:02 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 49152:5Sj3YhW8zBQSc0ZnSKSZKumZr7A+zafUWM1q:oYY0ZnQK/A7fQ
Threatray 209 similar samples on MalwareBazaar
TLSH T1D375D0227386C537C96E01303A2AD66B5579FCB74B3140DBA3C8291E9EB44D16739FA3
TrID 80.0% (.MSI) Microsoft Windows Installer (454500/1/170)
10.7% (.MST) Windows SDK Setup Transform script (61000/1/5)
7.8% (.MSP) Windows Installer Patch (44509/10/5)
1.4% (.) Generic OLE2 / Multistream Compound (8000/1)
Magika msi
Reporter k3dg3___
Tags:BazaLoader Brute Ratel BruteRatel Latrodectus LUNAR SPIDER msi

Intelligence

File Origin
# of uploads :
3
# of downloads :
168
Origin country :
US US
Vendor Threat Intelligence
Verdict:
Malicious
Score:
92.5%
Link:
https://cyber-fortress.com/docs/result/index.php?id=66fee6ad780a9b632d22ba9c
Tags:
Shellcode
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
fingerprint lolbin packed peloader remote shell32 wix
Link:
https://www.filescan.io/uploads/66fee5b71d5b53736aa4be5d/reports/23ab8886-3c72-4166-b63f-0319fe0f79d4/overview
Verdict:
Unknown
Link:
https://www.hybrid-analysis.com/sample/ea1792f689bfe5ad3597c7f877b66f9fcf80d732e5233293d52d374d50cab991
Result
Verdict:
SUSPICIOUS
Link:
https://labs.inquest.net/dfi/sha256/ea1792f689bfe5ad3597c7f877b66f9fcf80d732e5233293d52d374d50cab991
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Bazar Loader, BruteRatel, Latrodectus
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1525187
Signature
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Drops executables to the windows directory (C:\Windows) and starts them
Found malware configuration
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Sample uses string decryption to hide its real strings
Sets debug register (to hijack the execution of another thread)
Sigma detected: RunDLL32 Spawning Explorer
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Uses known network protocols on non-standard ports
Writes to foreign memory regions
Yara detected Bazar Loader
Yara detected BruteRatel
Yara detected Latrodectus
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1525187 Sample: das.msi Startdate: 03/10/2024 Architecture: WINDOWS Score: 100 40 tiguanin.com 2->40 42 isomicrotich.com 2->42 44 2 other IPs or domains 2->44 56 Suricata IDS alerts for network traffic 2->56 58 Found malware configuration 2->58 60 Yara detected Latrodectus 2->60 62 7 other signatures 2->62 8 rundll32.exe 2->8         started        10 msiexec.exe 14 40 2->10         started        14 msiexec.exe 2 2->14         started        signatures3 process4 file5 16 rundll32.exe 12 8->16         started        28 C:\Windows\Installer\MSIA029.tmp, PE32 10->28 dropped 30 C:\Users\user\AppData\...\vierm_soft_x64.dll, PE32+ 10->30 dropped 32 C:\Windows\Installer\MSI9F0E.tmp, PE32 10->32 dropped 34 3 other files (none is malicious) 10->34 dropped 66 Drops executables to the windows directory (C:\Windows) and starts them 10->66 20 msiexec.exe 10->20         started        22 MSIA029.tmp 10->22         started        signatures6 process7 dnsIp8 36 greshunka.com 82.115.223.39, 57458, 57459, 57460 MIDNET-ASTK-TelecomRU Russian Federation 16->36 38 bazarunet.com 80.78.24.30, 49701, 49702, 49703 CYBERDYNELR Cyprus 16->38 48 System process connects to network (likely due to code injection or exploit) 16->48 50 Contains functionality to inject threads in other processes 16->50 52 Injects code into the Windows Explorer (explorer.exe) 16->52 54 6 other signatures 16->54 24 explorer.exe 49 1 16->24 injected signatures9 process10 dnsIp11 46 isomicrotich.com 188.114.97.3, 443, 62255, 62257 CLOUDFLARENETUS European Union 24->46 64 System process connects to network (likely due to code injection or exploit) 24->64 signatures12
Score:
100%
Verdict:
Malware
File Type:
ARCHIVE
Link:
https://malprob.io/report/ea1792f689bfe5ad3597c7f877b66f9fcf80d732e5233293d52d374d50cab991
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ea1792f689bfe5ad3597c7f877b66f9fcf80d732e5233293d52d374d50cab991/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5ilzf5ujx7s22nmxy74hpntpt7hybvzs4urtfe6vfu3u2ugkxgiq._file
Verdict:
malicious
Label(s):
bruteratelc4
Create hunting rule
Similar samples:
1b9e17bfbd292075956cc2006983f91e17aed94ebbb0fb370bf83d23b14289fa
BazaLoader
2b0af73350b8a2b37617ca7632de9a0657a20976c2402717e7dc4bef7dcbabdb
BazaLoader
2dcaecbd2d152af35590f83accbaea894e2b6e55284cd187ad6308fd300d42ed
BazaLoader
3b86c9516bd5d57758ab976e32af2d7873d7ad0b0e063a49ee13c168f2c1e980
BazaLoader
a9a4640e3887e4ee71ae0e0624afa6b8fa6a22cdffd190f1d83234109dd8496d
BazaLoader
error
BazaLoader
+ 199 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery persistence privilege_escalation
Link:
https://tria.ge/reports/241003-xcw86atgpb/
Behaviour
Checks SCSI registry key(s)
Modifies data under HKEY_USERS
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Drops file in Windows directory
Executes dropped EXE
Loads dropped DLL
Enumerates connected drives
Blocklisted process makes network request
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/7b4a8254-51b3-4b11-8ce2-704d322c0f7a
Malware family:
Latrodectus
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ea1792f689bf/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ea1792f689bfe5ad3597c7f877b66f9fcf80d732e5233293d52d374d50cab991

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:DebuggerCheck__API
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Create hunting rule
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Detect_LATAM_MSI_Banker
Create hunting rule
Rule name:Detect_Malicious_VBScript_Base64
Create hunting rule
Author:daniyyell
Description:Detects malicious VBScript patterns, including Base64 decoding, file operations, and PowerShell.
Rule name:maldoc_find_kernel32_base_method_1
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:maldoc_OLE_file_magic_number
Create hunting rule
Author:Didier Stevens (https://DidierStevens.com)
Rule name:suspicious_msi_file
Create hunting rule
Author:Johnk3r
Description:Detects common strings, DLL and API in Banker_BR

File information

The table below shows additional information about this malware sample such as delivery method and external references.

BazaLoader

Java Script (JS) js a9a4640e3887e4ee71ae0e0624afa6b8fa6a22cdffd190f1d83234109dd8496d

BazaLoader

Microsoft Software Installer (MSI) msi ea1792f689bfe5ad3597c7f877b66f9fcf80d732e5233293d52d374d50cab991

(this sample)

BazaLoader

Executable exe 97a6331239d451d7dfe15bfe17de8b419df741ae68bacd440808f8b8d3f99b8a

  
Dropping
SHA256 97a6331239d451d7dfe15bfe17de8b419df741ae68bacd440808f8b8d3f99b8a
  
Delivery method
Distributed via e-mail link
  
URLhaus
https://urlhaus.abuse.ch/url/3208630/
  
Dropping
MD5 b1ca25f5bb4edd293b3711c77eb99a6f
  
Dropped by
SHA256 a9a4640e3887e4ee71ae0e0624afa6b8fa6a22cdffd190f1d83234109dd8496d
  
Dropped by
MD5 c05645ed2ec3ff5c541b99d20011a488

Comments