MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0f8c4123a1849e5b877422d80ce94199cc3be7cb77801fd0ba944fe595ffc382. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0f8c4123a1849e5b877422d80ce94199cc3be7cb77801fd0ba944fe595ffc382
SHA3-384 hash: 90ec3f5a1f8991e7babd94014bea71a9e4f267692bd1969d8a1e453e2fcd3927bda6c0f7c5c9075898e8124baa91722b
SHA1 hash: 20693b9702b5515717b9ccfc60022c47eb07a93a
MD5 hash: c07391a50e4ad1791818e0fef23714f9
humanhash: alabama-don-twenty-pip
File name:c07391a50e4ad1791818e0fef23714f9.dll
Download: download sample
Signature BazaLoader
Create hunting rule
File size:1'318'026 bytes
First seen:2021-09-28 06:26:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 126feacb5b6732ad1a4ed77f47cf4f6d (8 x BazaLoader)
ssdeep 24576:TqSPG9Jg6TYbmGBtf9efojVpVwKYs1tRCS7SPFL3EOGTWqG5QVEzAJ24GOy2ioLN:TyWbmGBtf9efojVpVwKYs1tR/7SPFL34
Threatray 13 similar samples on MalwareBazaar
TLSH T15555D696EE6351E0F4B7E23586A67627B9713D148334C78783005B171B62FF099BE38A
Reporter abuse_ch
Tags:BazaLoader dll exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
138
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
c07391a50e4ad1791818e0fef23714f9.dll
Verdict:
No threats detected
Analysis date:
2021-09-28 06:45:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d46e1000-dbf0-41e2-b170-1bdad97d0e49

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Bazar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/192386/
Detection(s):
SecuriteInfo.com.Win64.BazarLoader.AS.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Transferring files using the Background Intelligent Transfer Service (BITS)
Launching a process
Malware family:
BazarBackdoor
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7dd86f60-a379-4269-99b8-9242274a8f1b
Result
Threat name:
Bazar Loader
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/859602
Signature
Allocates memory in foreign processes
Detected Bazar Loader
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: CobaltStrike Load by Rundll32
Sigma detected: Regsvr32 Command Line Without DLL
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 492032 Sample: 6SYurvkD8X.dll Startdate: 28/09/2021 Architecture: WINDOWS Score: 100 57 Detected Bazar Loader 2->57 59 Sigma detected: CobaltStrike Load by Rundll32 2->59 61 Sigma detected: Suspicious Svchost Process 2->61 63 Sigma detected: Regsvr32 Command Line Without DLL 2->63 7 loaddll64.exe 1 2->7         started        process3 process4 9 regsvr32.exe 14 7->9         started        13 rundll32.exe 7->13         started        15 rundll32.exe 7->15         started        17 20 other processes 7->17 dnsIp5 43 161.35.19.83, 443, 49846, 49857 DIGITALOCEAN-ASNUS United States 9->43 45 new-fp-shed.wg1.b.yahoo.com 87.248.100.216, 443, 49847 YAHOO-IRDGB United Kingdom 9->45 47 www.yahoo.com 9->47 71 System process connects to network (likely due to code injection or exploit) 9->71 73 Writes to foreign memory regions 9->73 75 Allocates memory in foreign processes 9->75 19 svchost.exe 9->19         started        49 www-amazon-com.customer.fastly.net 162.219.225.118, 443, 49859, 49890 ALLO-COMMUS United States 13->49 55 2 other IPs or domains 13->55 77 Modifies the context of a thread in another process (thread injection) 13->77 79 Sample uses process hollowing technique 13->79 81 Injects a PE file into a foreign processes 13->81 23 svchost.exe 13->23         started        51 87.248.100.215, 443, 49873, 49895 YAHOO-IRDGB United Kingdom 15->51 53 www.yahoo.com 15->53 25 svchost.exe 15->25         started        27 iexplore.exe 2 158 17->27         started        29 rundll32.exe 17->29         started        signatures6 process7 dnsIp8 31 www.google.com 142.250.185.196, 443, 49887, 49898 GOOGLEUS United States 19->31 33 myexternalip.com 34.117.59.81, 443, 49900 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 19->33 39 6 other IPs or domains 19->39 65 System process connects to network (likely due to code injection or exploit) 19->65 67 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 19->67 69 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 19->69 35 edge.gycpi.b.yahoodns.net 87.248.118.23, 443, 49812, 49814 YAHOO-DEBDE United Kingdom 27->35 37 dart.l.doubleclick.net 142.250.186.70, 443, 49786, 49787 GOOGLEUS United States 27->37 41 14 other IPs or domains 27->41 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0f8c4123a1849e5b877422d80ce94199cc3be7cb77801fd0ba944fe595ffc382/
Threat name:
Win64.Trojan.Sdum
Create hunting rule
Status:
Malicious
First seen:
2021-09-28 06:27:12 UTC
AV detection:
1 of 45 (2.22%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
01563f8120225436d86eb915c4ccdf97a78fda65c4b3fa613a30e3faf0f35840
BazaLoader
0ade5a6d2fbbec04e69053d50ca34587f413fd28ddd8ccec490b3d0196db135e
BazaLoader
1d08bcc9e5ed8f7bbc161f81790198f8100e9a34952ccf4227f2625c6a15f445
BazaLoader
323fb5f9e95ef64d5798c6f6948d1dca562232a8918a0c7e7d966d573d5c1918
BazaLoader
8542e790264aead4545ac9debccff734d9dbe33993c5a419361befb87ea4a79a
BazaLoader
8b971c2c4c9a020eb274c36db20bc0e1b203a7909d63f48f99bef5594110929f
BazaLoader
976328794f9114fe51c80ce0f05e4a35a94802c2fd99f3eb3c8bdeccbff5adb7
BazaLoader
9dcbcfbebaa313cfef45601dae08a0406edd349fd9ffefee1a5fe8e0b673c4d9
BazaLoader
dcf67fd6bfb62bea66f5e45d871d6c15b0c61d85c5fa9e9ded03e57f83dfc814
BazaLoader
f0f17791fd8bb76772cfaeb750a7bc21ca160a2c2b24be400103b1c3ee8fdc99
BazaLoader
+ 3 additional samples on MalwareBazaar
Result
Malware family:
bazarloader
Create hunting rule
Score:
  10/10
Tags:
family:bazarloader dropper loader
Link:
https://tria.ge/reports/210928-g7rzxsaha3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Bazar/Team9 Loader payload
Bazar Loader
Unpacked files
SH256 hash:
0f8c4123a1849e5b877422d80ce94199cc3be7cb77801fd0ba944fe595ffc382
MD5 hash:
c07391a50e4ad1791818e0fef23714f9
SHA1 hash:
20693b9702b5515717b9ccfc60022c47eb07a93a
Link:
https://www.unpac.me/results/21aecbae-fea8-408a-adad-3cdfff38bb9b/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/0f8c4123a184/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0f8c4123a1849e5b877422d80ce94199cc3be7cb77801fd0ba944fe595ffc382

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BazaLoader

Executable exe 0f8c4123a1849e5b877422d80ce94199cc3be7cb77801fd0ba944fe595ffc382

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1646246/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/192386/

Comments