MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 020cdb33c05b46de2b27327759b0c02a8c0f3790f7c483bb9e4965cabe8a09c6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BazaLoader

Vendor detections: 6

SHA256 hash: 020cdb33c05b46de2b27327759b0c02a8c0f3790f7c483bb9e4965cabe8a09c6
SHA3-384 hash: 92e295d48b762a3df3fec468a7c70700c246a47d9d4a2e4fb3017b7a4097d0728cf4c9cea49dd9c788d54df4f48e8937
SHA1 hash: 63b96f57b09a4485a2f29f2c3838f388e04912e2
MD5 hash: 9a5b677b30e4bc01c3890e1e33e2864f
humanhash: uncle-florida-dakota-march
File name: dl2_x64_19_386_43385_1.dll
Signature: BazaLoader
File size: 134'792 bytes
First seen: 2021-09-02 15:48:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 4be2a4fbb4dbdae3669d61c0451014e8 (1 x BazaLoader)
ssdeep: 3072:Giki2KN4AP1ESqLkCaCJAn/2wQhxDHEqXHVIf3mDICobNc:Giki2KeAdpCNW/2xDkIHV+mDb
Threatray: 5 similar samples on MalwareBazaar
TLSH: T14ED3AE17629B0EB7D062CE72B69B0D26D73774511B290F0D334823AA7E677509F6DE20
Reporter: malwarelabnet
Tags: BazaLoader BazarBackdoor exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 190
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: dl2_x64_19_386_43385_1.dll
Verdict: No threats detected
Analysis date: 2021-09-02 15:53:09 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:
Behaviour
Transferring files using the Background Intelligent Transfer Service (BITS)
Connection attempt
Sending a custom TCP request
Launching a process
Sending a UDP request
Deleting a recently created file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Malware family: BazarBackdoor
Verdict: Malicious
Result
Threat name: Bazar Loader
Detection: malicious
Classification: spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Detected Bazar Loader
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: CobaltStrike Load by Rundll32
Sigma detected: Regsvr32 Command Line Without DLL
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Behavior Graph ID: 476599, Sample: dl2_x64_19_386_43385_1.dll, Startdate: 02/09/2021, Architecture: WINDOWS, Score: 100
Root signatures: Detected Bazar Loader; Sigma detected: CobaltStrike Load by Rundll32; Sigma detected: Suspicious Svchost Process; Sigma detected: Regsvr32 Command Line Without DLL
Process tree (node numbers from the graph in brackets):
  loaddll64.exe [7], started from root
    regsvr32.exe [13] -> 164.90.198.57:443 (source ports 49754, 49762; DIGITALOCEAN-ASNUS, United States)
      Signatures: Contains functionality to inject code into remote processes; Sets debug register (to hijack the execution of another thread); Writes to foreign memory regions; 4 other signatures
      svchost.exe [23] -> 164.90.198.61:443 (49765, 49766), 164.90.198.77:443 (49771, 49773), 164.90.198.79:443 (49768, 49769); all DIGITALOCEAN-ASNUS, United States
    iexplore.exe [17]
      iexplore.exe [26] -> dart.l.doubleclick.net 216.58.215.230:443 (49739, 49740; GOOGLEUS, United States); geolocation.onetrust.com 104.20.184.68:443 (49731, 49732; CLOUDFLARENETUS, United States); 10 other IPs or domains
    cmd.exe [19]
      rundll32.exe [28]
    10 other processes [21]
  rundll32.exe [9], started from root -> 192.168.2.1 (unknown)
    Signature: System process connects to network (likely due to code injection or exploit)
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Blocklisted process makes network request
Unpacked files
SHA256 hash: 020cdb33c05b46de2b27327759b0c02a8c0f3790f7c483bb9e4965cabe8a09c6
MD5 hash: 9a5b677b30e4bc01c3890e1e33e2864f
SHA1 hash: 63b96f57b09a4485a2f29f2c3838f388e04912e2
Malware family: BazarLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments