MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b971c2c4c9a020eb274c36db20bc0e1b203a7909d63f48f99bef5594110929f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BazaLoader
Vendor detections: 7

SHA256 hash: 8b971c2c4c9a020eb274c36db20bc0e1b203a7909d63f48f99bef5594110929f
SHA3-384 hash: a8c62b6fb85ff77b358136354fa5ce4ea8e0550f12260448a7ff9bb0f47904e406245ac390c51428f6b31aacb7d7c29b
SHA1 hash: d8b3968a08b12e8ce4b1eec04eb5c86ad910145c
MD5 hash: fd6992463689acf855ef55d06a01061a
humanhash: winner-virginia-alaska-sweet
File name: fd6992463689acf855ef55d06a01061a.dll
Signature: BazaLoader
File size: 1'318'026 bytes
First seen: 2021-09-28 06:26:20 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 126feacb5b6732ad1a4ed77f47cf4f6d (8 x BazaLoader)
ssdeep: 24576:TqSPG9Jg6TYbmGBtf9efojVpVwKYs1tRCS7SPFL3EOGTWqG5QVEzAJ24GOy2ioLi:TyWbmGBtf9efojVpVwKYs1tR/7SPFL3H
Threatray: 9 similar samples on MalwareBazaar
TLSH: T1FC55D696EE6351E0F4B7E23586A67627B9713D148334C78783005B171B62FF099BE38A
Reporter: @abuse_ch
Tags: BazaLoader dll exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 97
Origin country: FR
Mail intelligence: No data

Vendor Threat Intelligence

ID: 1
File name: fd6992463689acf855ef55d06a01061a.dll
Verdict: No threats detected
Analysis date: 2021-09-28 06:43:22 UTC
Tags: n/a
Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour:
Creating a window
Transferring files using the Background Intelligent Transfer Service (BITS)
Launching a process
Connection attempt
Sending a custom TCP request

Malware family: BazarBackdoor
Verdict: Malicious
Result
Threat name: Bazar Loader
Detection: malicious
Classification: spre.spyw.evad
Score: 100 / 100
Signature:
Allocates memory in foreign processes
Detected Bazar Loader
Injects a PE file into a foreign process
Modifies the context of a thread in another process (thread injection)
Performs a network lookup / discovery via net view
Queries sensitive BIOS information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: CobaltStrike Load by Rundll32
Sigma detected: Dridex Process Pattern
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Behaviour:
Behavior Graph: (graph image not reproduced; Behavior Graph ID 492040, sample TWsmIoYqC6.dll, start date 28/09/2021, architecture WINDOWS, score 100; the graph shows loaddll64.exe and rundll32.exe launching svchost.exe and iexplore.exe with the signatures listed above and outbound HTTPS connections)
Threat name: Win64.Trojan.Sdum
Status: Malicious
First seen: 2021-09-28 06:27:11 UTC
AV detection: 2 of 45 (4.44%)
Threat level: 5/5

Result
Malware family: bazarloader
Score: 10/10
Tags: family:bazarloader dropper loader
Behaviour:
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Bazar/Team9 Loader payload
Bazar Loader

Unpacked files
SHA256 hash: 8b971c2c4c9a020eb274c36db20bc0e1b203a7909d63f48f99bef5594110929f
MD5 hash: fd6992463689acf855ef55d06a01061a
SHA1 hash: d8b3968a08b12e8ce4b1eec04eb5c86ad910145c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  BazaLoader, Executable exe, 8b971c2c4c9a020eb274c36db20bc0e1b203a7909d63f48f99bef5594110929f (this sample)

Delivery method: Distributed via web download

Comments