MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3bb2399020106bef03b8471a9e6af93540ff6b8d778802c9893ec7f7f526483c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BazaLoader


Vendor detections: 8



SHA256 hash: 3bb2399020106bef03b8471a9e6af93540ff6b8d778802c9893ec7f7f526483c
SHA3-384 hash: bb21b4fcf242acabe9f10c66e418bbc07b78a002ae5d7048def4defc2deadba09c14148201cdc76560ed97ffd311bf5a
SHA1 hash: 003b3cbfebafb4cdcfd0ccb31c5782183208a88f
MD5 hash: fd3b68414ba59fc373c8cfb58e613724
humanhash: mountain-thirteen-july-cardinal
File name: 1 (18)
Signature BazaLoader
File size: 166'899 bytes
First seen: 2020-10-14 05:48:47 UTC
Last seen: 2020-10-14 07:21:19 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 8b2f0be995b29369d7894ee3ef5a4c19 (1 x BazaLoader)
ssdeep 3072:QjlSXfWqPYWzwGqZepF7K09yqDliRBWsalIR:KlqHwGaep43qDwX
Threatray 127 similar samples on MalwareBazaar
TLSH BEF35D0A725136FAD46387B84862820AFFFB75601B148B9F476446352E262D1BE3DFF1
Reporter JAMESWT_WT
Tags: BazaLoader SNAB-RESURS OOO

Code Signing Certificate

Organisation: DigiCert High Assurance EV Root CA
Issuer: DigiCert High Assurance EV Root CA
Algorithm: sha1WithRSAEncryption
Valid from: Nov 10 00:00:00 2006 GMT
Valid to: Nov 10 00:00:00 2031 GMT
Serial number: 02AC5C266A0B409B8F0B79F2AE462577
Intelligence: 204 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm: SHA256
Thumbprint: 7431E5F4C3C1CE4690774F0B61E05440883BA9A01ED00BA6ABD7806ED3B118CF
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 123
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Transferring files using the Background Intelligent Transfer Service (BITS)
DNS request
Sending a custom TCP request
Launching cmd.exe command interpreter
Unauthorized injection to a system process
Result
Threat name: Unknown
Detection: malicious
Classification: spre.troj.spyw.evad
Score: 84 / 100
Signature
Allocates memory in foreign processes
Hijacks the control flow in another process
Injects a PE file into a foreign processes
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs a network lookup / discovery via net view
Sample uses process hollowing technique
Writes to foreign memory regions
Yara detected Keylogger Generic
Behaviour
Behavior Graph (rendered graph replaced by its recoverable text content):
  Behavior Graph ID: 297755
  Sample: 1 (18)
  Startdate: 14/10/2020
  Architecture: WINDOWS
  Score: 84
  Sample-level signatures: Multi AV Scanner detection for submitted file; May check the online IP address of the machine; Performs a network lookup / discovery via net view; Yara detected Keylogger Generic
  Process tree:
    1 (18).exe (started)
      Network: breezdesign.com 34.221.202.231, 443, 49714, 49716, AMAZON-02US, United States
      Signatures: Hijacks the control flow in another process; Writes to foreign memory regions; Allocates memory in foreign processes; 3 other signatures
      cmd.exe (started)
        Network: myexternalip.com 216.239.32.21, 443, 49726, GOOGLEUS, United States; cuprinc.com 3.137.180.197, 443, 49718, 49720, AMAZON-02US, United States
        Signatures: Performs a network lookup / discovery via net view
        net.exe (started) -> conhost.exe, net1.exe
        net.exe (started) -> conhost.exe, net1.exe
        net.exe (started) -> conhost.exe
        2 other processes -> conhost.exe, conhost.exe
    1 (18).exe (started, second instance)
Threat name: Win64.Trojan.BazarLoader
Status: Malicious
First seen: 2020-10-14 00:09:24 UTC
File Type: PE+ (Exe)
Extracted files: 1
AV detection: 21 of 29 (72.41%)
Threat level: 5/5
Result
Malware family: bazarbackdoor
Score: 10/10
Tags: backdoor family:bazarbackdoor
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Blacklisted process makes network request
BazarBackdoor
Unpacked files
SHA256 hash: 3bb2399020106bef03b8471a9e6af93540ff6b8d778802c9893ec7f7f526483c
MD5 hash: fd3b68414ba59fc373c8cfb58e613724
SHA1 hash: 003b3cbfebafb4cdcfd0ccb31c5782183208a88f
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments