MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 100ab1a8d68493c43a477aa54948803f96a31b4c7854840a505de009d6c360a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 100ab1a8d68493c43a477aa54948803f96a31b4c7854840a505de009d6c360a8
SHA3-384 hash: f5473c8e3771489628df41ab4c553d033cb4aa041b531904618ced10ea0135f8732b1403d16c5e54020930ffbfe16a90
SHA1 hash: a64a35879de5eb4b26f307d38d5207df984b0f26
MD5 hash: d8c91300c099ffa596b67afa8d2a4381
humanhash: apart-burger-saturn-echo
File name:Attachments_4.dll
Download: download sample
Signature BazaLoader
Create hunting rule
File size:231'424 bytes
First seen:2021-11-16 11:22:37 UTC
Last seen:2021-11-16 12:36:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9e9b9dc9a1d7fc9680151ec542607c93 (6 x BazaLoader)
ssdeep 3072:s+6lHq17UL+sDGt1CsE7K7NuYerBn/qvysE2ManttSVoFJDHMDe3IO4Jrt9omj:s9q1k+sqRK+ut5/qM+nttSozsy35C9
Threatray 27 similar samples on MalwareBazaar
TLSH T1F534CF5B72E9007BE47B9639C9630A46E771781107219BEF03A0137AAF277D09D3EB60
Reporter JAMESWT_WT
Tags:BazaLoader exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/206382/
Detection(s):
SecuriteInfo.com.W64.Sdum.J.genEldorado.25854.25060.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6193949b2695a62af9f13a00/reports/f98d56d2-baa3-470c-93c3-c8dae24f1a7d/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/5dcfb9b8-3d14-469c-941c-b8c426bf9aae
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad.troj
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/890305
Signature
Creates an autostart registry key pointing to binary in C:\Windows
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: UNC2452 Process Creation Patterns
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 522778 Sample: Attachments_4.dll Startdate: 16/11/2021 Architecture: WINDOWS Score: 80 75 162.33.179.201, 443, 49810 CORENETUS United States 2->75 89 Multi AV Scanner detection for submitted file 2->89 91 Sigma detected: UNC2452 Process Creation Patterns 2->91 11 loaddll64.exe 1 2->11         started        13 rundll32.exe 2->13         started        signatures3 process4 signatures5 16 rundll32.exe 11->16         started        18 cmd.exe 1 11->18         started        21 rundll32.exe 11->21         started        23 6 other processes 11->23 97 Modifies the context of a thread in another process (thread injection) 13->97 99 Injects a PE file into a foreign processes 13->99 process6 signatures7 25 cmd.exe 1 16->25         started        83 Uses ping.exe to sleep 18->83 85 Uses cmd line tools excessively to alter registry or file data 18->85 87 Uses ping.exe to check the status of other devices and networks 18->87 28 rundll32.exe 18->28         started        30 cmd.exe 1 21->30         started        32 cmd.exe 23->32         started        process8 signatures9 95 Uses ping.exe to sleep 25->95 34 rundll32.exe 25->34         started        36 PING.EXE 1 25->36         started        39 conhost.exe 25->39         started        41 cmd.exe 1 28->41         started        43 PING.EXE 30->43         started        45 conhost.exe 30->45         started        47 rundll32.exe 30->47         started        49 conhost.exe 32->49         started        51 2 other processes 32->51 process10 dnsIp11 53 cmd.exe 34->53         started        56 cmd.exe 34->56         started        77 127.0.0.1 unknown unknown 36->77 58 conhost.exe 41->58         started        60 choice.exe 1 41->60         started        62 rundll32.exe 41->62         started        79 192.0.2.221 unknown Reserved 43->79 process12 signatures13 93 Uses cmd line tools excessively to alter registry or file data 53->93 64 reg.exe 53->64         started        67 conhost.exe 53->67         started        69 conhost.exe 56->69         started        71 choice.exe 56->71         started        73 rundll32.exe 56->73         started        process14 signatures15 81 Creates an autostart registry key pointing to binary in C:\Windows 64->81
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/100ab1a8d68493c43a477aa54948803f96a31b4c7854840a505de009d6c360a8/
Threat name:
Win64.Trojan.BazarLoader
Create hunting rule
Status:
Malicious
First seen:
2021-11-16 11:23:15 UTC
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
15db7f06895bdf1b299f977b5a513eea85490541fa990b02b5612b31b5a3bf68
BazaLoader
33082f1f702c0919efd47a7c935aa3972c90f7f7419c9aa6c87492f57658d403
BazaLoader
6035d44fa6845d348946b868b93fbb60a43873f731f96ef6e8a54a9b4a73103a
BazaLoader
6d8fcc850b8c796be3f6244f1f681332d155486bdd326ad6be78ea7172718db4
BazaLoader
7a33388ff7dd7e507fef9fa7ed4e417af518c8a81a9d7bcd910723d16c940e76
BazaLoader
880e2c5548284e08c44028f419a98350fa58e9f758a57f4ddb7b5d6e48fc7eb9
BazaLoader
95347bea5432c09cc216f5db771b956eb78a43139789036af9446139967b1c7f
BazaLoader
b24e47b63ec35e9a420b9fbb64106b2f9e6e8a18676e8c79ff2ca67af06f1291
BazaLoader
b2a4b60dd0c7e9dfa6d88e9badad810ff74c5f42054b7af22e95fb5553d67331
BazaLoader
e192593ff1df7a3d24cc9463fdcde0b39b49a26816da608d50960da3131e2e36
BazaLoader
+ 17 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/211116-ng7e9aaecm/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SH256 hash:
100ab1a8d68493c43a477aa54948803f96a31b4c7854840a505de009d6c360a8
MD5 hash:
d8c91300c099ffa596b67afa8d2a4381
SHA1 hash:
a64a35879de5eb4b26f307d38d5207df984b0f26
Link:
https://www.unpac.me/results/e227e993-29a6-4efa-bec0-ee0c5df43d44/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/100ab1a8d68493c43a477aa54948803f96a31b4c7854840a505de009d6c360a8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/206382/

Comments