MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0fb0c5adab8984099449d207c2513cdd18d62d795e761cf4d3a70df6b2a0973b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0fb0c5adab8984099449d207c2513cdd18d62d795e761cf4d3a70df6b2a0973b
SHA3-384 hash: f85d292105060d0e2cabfec90c301ee40732b4c10fc74050859339de247662b0e52e3e1a234e4f0479814ae8b43065b8
SHA1 hash: 02477a72571cdc7f83fa10d78873aebf7377df43
MD5 hash: 57e8ac3aec87c298a240dc0853747dd5
humanhash: leopard-lion-harry-delaware
File name:57e8ac3aec87c298a240dc0853747dd5.exe
Download: download sample
Signature BazaLoader
Create hunting rule
File size:280'576 bytes
First seen:2021-04-09 20:12:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7babf25e4ed6abf9b92ec07e1cf261dd (1 x BazarCall, 1 x BazaLoader)
ssdeep 6144:R1urcdRp0ZtFWOorzZvKAHS2c8C2fRx3uQ1UsdHw:Yie2lztHnCO0
Threatray 19 similar samples on MalwareBazaar
TLSH 6C54BF78F7642CE9ED7E027EC9926C9D677239224A96DDCE416467C31E23370DE29E00
Reporter abuse_ch
Tags:BazaLoader exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
267
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
57e8ac3aec87c298a240dc0853747dd5.exe
Verdict:
No threats detected
Analysis date:
2021-04-09 20:14:45 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/98b8fae2-93f6-4219-a063-c400ece9012b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/133447/
Detection(s):
SecuriteInfo.com.FileRepMalware.3520.19395.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Sending a UDP request
Connection attempt
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Bazar Loader
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/671776
Signature
Detected Bazar Loader
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0fb0c5adab8984099449d207c2513cdd18d62d795e761cf4d3a70df6b2a0973b/
Threat name:
Win64.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2021-04-09 01:46:16 UTC
AV detection:
13 of 29 (44.83%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=b6ymllnlrgcatfcj2id4euj43umnmllzlz3bz5gtu4g7nmvas45q._file
Verdict:
malicious
Similar samples:
291c573996c647508544e8e21bd2764e6e4c834d53d6d2c8903a0001c783764b
BazaLoader
3b90a0400e326fe9249c6829be0fb43d64dabe38fbe903109f29c53899e74f5d
BazaLoader
42edefa09a3d85a3d4284f6ef57691c8b409ac00da21c799ae14b1adf17435f0
BazaLoader
624a74c9469e95f404baebd07a8c563baa38e752d391bca5e8894dbc87186388
BazaLoader
6c7386b07716fccd51108a9182a71c6855d6c0504e4fb62004ef004de1bb3bb1
BazaLoader
74da3ea957d693096779aceac7a1bd3ec775291606df62429f73e8a9d9cec682
BazaLoader
cac07a4582d65b74322168e6aed9d7fd05e59e335fb7d1cdb7b5f7149a07d3eb
BazaLoader
d22f536d4d6cc001271855f4467af0bbc656801e1ffa34a8acd905db56cebae0
BazaLoader
e99a54ca11fd5e27c5085c24304103a348fa2a550ea1fa934fca541551c511d6
BazaLoader
eb1eb139750b9e73d8d27448b93f9a3c0931f50572cd95282e9f205a0caa7e79
BazaLoader
+ 9 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210409-ernsaqsh66/
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Tries to connect to .bazar domain
Unpacked files
SH256 hash:
0fb0c5adab8984099449d207c2513cdd18d62d795e761cf4d3a70df6b2a0973b
MD5 hash:
57e8ac3aec87c298a240dc0853747dd5
SHA1 hash:
02477a72571cdc7f83fa10d78873aebf7377df43
Link:
https://www.unpac.me/results/05144596-a9af-4e06-9b40-3a6e25dbf26f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0fb0c5adab8984099449d207c2513cdd18d62d795e761cf4d3a70df6b2a0973b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SPLCrypt
Create hunting rule
Author:James Quinn, Binary Defense
Description:Identifies SPLCrypt, a new crypter associated with Bazaloader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BazaLoader

Executable exe 0fb0c5adab8984099449d207c2513cdd18d62d795e761cf4d3a70df6b2a0973b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1104685/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/133447/

Comments