MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 081409dbf0464baad30442d3f8cea67c885e15e438b0f6dbf9c64da67620eaa1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 081409dbf0464baad30442d3f8cea67c885e15e438b0f6dbf9c64da67620eaa1
SHA3-384 hash: dfc978a58eb782e1316fbc561aee94677fae2c67558fb42a49e8967896e689889f6a9d8bb634f8c458baf9bffb3e09b5
SHA1 hash: 90e28ff7cc0cc20ae2f10652f9ffda01107470ed
MD5 hash: efad3e8098fdc4778d1744abb659fb04
humanhash: network-oxygen-mango-sixteen
File name:1.dll
Download: download sample
Signature BazaLoader
Create hunting rule
File size:549'888 bytes
First seen:2021-10-13 09:30:07 UTC
Last seen:2021-11-18 11:56:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bb371708c55cf92a872421fa64c41b03 (3 x BazaLoader, 1 x IcedID)
ssdeep 12288:DXI/lsYS/im/YnmCPksStIYotSPNwGG+Sft:DX67zmCPksUIYMO+GG+U
Threatray 33 similar samples on MalwareBazaar
TLSH T103C49E56FBA449A5E127C1388D338545E6727C9A0B60CADF23A4532E1F33FD0897EB61
Reporter madjack_red
Tags:BazaLoader exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
172
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1.dll
Verdict:
No threats detected
Analysis date:
2021-10-13 09:42:52 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/36213e4e-7744-4056-bfe7-06c5f50e63bc

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/197141/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.47164559.8427.12592.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the system32 subdirectories
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6166a725fd35fe780c3cdc11/reports/498bdadb-c74d-4bf9-a6e1-acef04ac27e3/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/b7c424b7-5d2a-4bad-987f-3dcc56c225ea
Result
Threat name:
Bazar Loader
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/869471
Signature
Allocates memory in foreign processes
Detected Bazar Loader
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 501897 Sample: 1.dll Startdate: 13/10/2021 Architecture: WINDOWS Score: 84 30 Multi AV Scanner detection for submitted file 2->30 32 Detected Bazar Loader 2->32 34 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->34 7 loaddll64.exe 1 2->7         started        9 rundll32.exe 2->9         started        process3 process4 11 rundll32.exe 13 7->11         started        15 cmd.exe 1 7->15         started        17 rundll32.exe 7->17         started        19 6 other processes 7->19 dnsIp5 28 164.90.229.209, 443, 49778 DIGITALOCEAN-ASNUS United States 11->28 36 System process connects to network (likely due to code injection or exploit) 11->36 38 Writes to foreign memory regions 11->38 40 Allocates memory in foreign processes 11->40 42 2 other signatures 11->42 21 chrome.exe 15 11->21         started        24 rundll32.exe 15->24         started        signatures6 process7 dnsIp8 26 167.99.242.155, 443, 49859, 49861 DIGITALOCEAN-ASNUS United States 21->26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/081409dbf0464baad30442d3f8cea67c885e15e438b0f6dbf9c64da67620eaa1/
Threat name:
Win64.Backdoor.CobaltStrike
Create hunting rule
Status:
Malicious
First seen:
2021-10-12 13:14:18 UTC
AV detection:
10 of 28 (35.71%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1298c6133f76de5491828ab2eac13325c21249a1329c971f6b60e7ed85827280
BazaLoader
37065b2a4cdaec2b1a260b39738746cb45895bd6d508e7aa5e4013e94abc6196
BazaLoader
5e1f7246b57c5a54c246d40ba8adcdd2fdff29b8760c7dc7ca5893b4764e6949
BazaLoader
a314401b8e12130bea249a3734022a8ebd46b8e65b18535db60944a00e84e6f6
BazaLoader
dbcc44b0fc980a62f0d950b32634d5d2d03785a0e7b7659cc3f2bf220d6c3f10
BazaLoader
e9343b4e22db0f869c9af10a6e3ae35a1d84f9da8546d4973990f4828a3fd583
BazaLoader
+ 23 additional samples on MalwareBazaar
Result
Malware family:
bazarloader
Create hunting rule
Score:
  10/10
Tags:
family:bazarloader dropper loader
Link:
https://tria.ge/reports/211013-lgjcbadha9/
Behaviour
Blocklisted process makes network request
Tries to connect to .bazar domain
Bazar/Team9 Loader payload
Bazar Loader
Unpacked files
SH256 hash:
081409dbf0464baad30442d3f8cea67c885e15e438b0f6dbf9c64da67620eaa1
MD5 hash:
efad3e8098fdc4778d1744abb659fb04
SHA1 hash:
90e28ff7cc0cc20ae2f10652f9ffda01107470ed
Link:
https://www.unpac.me/results/1b07b648-d45f-40b4-a6cd-b527cdea1e25/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/081409dbf0464baad30442d3f8cea67c885e15e438b0f6dbf9c64da67620eaa1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/197141/

Comments