MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12f80d2865cf621a8209566ebcf1fae22efccd325c135b3ad69c37023631ea57. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BazaLoader


Vendor detections: 6



SHA256 hash: 12f80d2865cf621a8209566ebcf1fae22efccd325c135b3ad69c37023631ea57
SHA3-384 hash: b96fb33684da6eca2aaa0cda1ea7a64f073fbcce0c0534e8df8a389a61379a6b99998d2c6e02d0427793d294db00a6d7
SHA1 hash: a243489cca5453ade36fc84ac63e2cc6f16c6c50
MD5 hash: 1060c35becbfe7c86c9f8b8fd321395e
humanhash: butter-undress-alaska-sierra
File name: 1060c35becbfe7c86c9f8b8fd321395e.exe
Signature BazaLoader
File size: 352'244 bytes
First seen: 2021-02-11 08:00:34 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash b4fde864c45f66c378efc2bedd98550f (17 x BazaLoader)
ssdeep 6144:Co3pwmXC25RIyX4db7SvNJnxPGpvSiySa:Cdmy2X4da
Threatray 17 similar samples on MalwareBazaar
TLSH 92747A1BB3E438FCE066D63098E04205EBB1743157759FAF03A882952F936A1AD7DB35
Reporter abuse_ch
Tags: BazaLoader exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
119
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1060c35becbfe7c86c9f8b8fd321395e.exe
Verdict:
No threats detected
Analysis date:
2021-02-11 08:04:33 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Behaviour
Behavior Graph (ID 351764; sample wYaTYi6Pye.exe; start date 11/02/2021; architecture WINDOWS; score 92)

Top-level signatures:
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses ping.exe to sleep
Uses ping.exe to check the status of other devices and networks
Sigma detected: Suspicious Svchost Process

Process tree (each node is a started process; file, network and signature annotations follow in brackets):
wYaTYi6Pye.exe
  cmd.exe  [network: 127.0.0.1; signature: Uses ping.exe to sleep]
    wYaTYi6Pye.exe  [dropped: C:\Users\user\AppData\Local\...\qigwpcdca.exe (PE32+); C:\Users\...\qigwpcdca.exe:Zone.Identifier (ASCII)]
      cmd.exe  [signature: Uses ping.exe to sleep]
        qigwpcdca.exe  [network: 52.37.89.225:443 (client ports 49730, 49736; AMAZON-02, United States); signatures: Hijacks the control flow in another process; Contains functionality to inject code into remote processes; Writes to foreign memory regions; 4 other signatures]
          cmd.exe  [signature: Uses cmd line tools excessively to alter registry or file data]
            conhost.exe
            reg.exe
          cmd.exe
            conhost.exe
            reg.exe
          cmd.exe
            conhost.exe
            reg.exe
          2 other processes  [network: 18.144.72.228:443 (client ports 49739, 49748; AMAZON-02, United States)]
        conhost.exe
        PING.EXE
      cmd.exe  [signature: Uses cmd line tools excessively to alter registry or file data]
        conhost.exe
        reg.exe
      cmd.exe
        conhost.exe
    conhost.exe
    conhost.exe
    2 other processes
qigwpcdca.exe
qigwpcdca.exe
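The process tree above shows the three behaviours a detection engineer would want to catch in endpoint telemetry: cmd.exe launching ping.exe against loopback as a delay before executing the next command, a dropped executable started out of the user's AppData directory by cmd.exe, and reg.exe adding a Run key for persistence. The following Python is an added example written for this page, not code from MalwareBazaar or any of the sandbox vendors. It runs those three checks over constructed Sysmon-style process-creation events modelled on the tree; the PIDs, the dropped file's directory (the report truncates it), the Run value name and the exact command lines are assumptions for the demo, not data from the analysis.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style)."""
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str    # command line as logged


CMD = r"C:\Windows\System32\cmd.exe"
PING = r"C:\Windows\System32\PING.EXE"
REG = r"C:\Windows\System32\reg.exe"
SAMPLE = r"C:\Users\user\Desktop\wYaTYi6Pye.exe"
# Assumed placeholder directory: the report only shows C:\Users\user\AppData\Local\...\qigwpcdca.exe
DROPPED = r"C:\Users\user\AppData\Local\Dropped\qigwpcdca.exe"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed events modelled on the report's process tree (not a real capture).
# PIDs and the Run value name "Updater" are assumptions.
EVENTS = [
    ProcEvent(1000, 900, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1001, 1000, CMD, f'cmd.exe /c ping 127.0.0.1 -n 5 > nul & "{SAMPLE}"'),
    ProcEvent(1002, 1001, PING, "ping 127.0.0.1 -n 5"),
    ProcEvent(1003, 1001, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1004, 1003, CMD, f'cmd.exe /c ping 127.0.0.1 -n 3 > nul & "{DROPPED}"'),
    ProcEvent(1005, 1004, PING, "ping 127.0.0.1 -n 3"),
    ProcEvent(1006, 1004, DROPPED, f'"{DROPPED}"'),
    ProcEvent(1007, 1006, CMD, f'cmd.exe /c reg add {RUN_KEY} /v Updater /t REG_SZ /d "{DROPPED}" /f'),
    ProcEvent(1008, 1007, REG, f'reg add {RUN_KEY} /v Updater /t REG_SZ /d "{DROPPED}" /f'),
    # Benign control: an operator pinging a host from an interactive shell; must not fire.
    ProcEvent(2000, 1900, CMD, "cmd.exe"),
    ProcEvent(2001, 2000, PING, "ping fileserver01 -n 4"),
]

LOOPBACK_RE = re.compile(r"\b(?:127\.0\.0\.1|localhost)\b", re.I)
COUNT_RE = re.compile(r"(?:^|\s)-n\s+\d+\b", re.I)
RUN_KEY_RE = re.compile(r"\breg(?:\.exe)?\s+add\s+\S*\\CurrentVersion\\Run\b", re.I)
CHAIN_RE = re.compile(r"\s(?:&&?|\|\|)\s")   # command chaining in a cmd.exe command line


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_ping_sleep(cmdline: str) -> bool:
    """ping against loopback with a repeat count waits ~1 s per echo: a sleep primitive."""
    return bool(LOOPBACK_RE.search(cmdline)) and bool(COUNT_RE.search(cmdline))


def is_run_key_add(cmdline: str) -> bool:
    """reg add targeting a ...\\CurrentVersion\\Run key (autostart persistence)."""
    return bool(RUN_KEY_RE.search(cmdline))


def detect(events):
    """Return (rule_name, pid) findings; the pid is the process the analyst should pivot on."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name = basename(e.image)
        if name == "ping.exe" and is_ping_sleep(e.cmdline):
            # The sleep alone is weak; a parent shell that chains another command
            # after it is the delayed-execution launcher seen in the tree above.
            if parent and CHAIN_RE.search(parent.cmdline):
                findings.append(("ping_sleep_then_exec", parent.pid))
            else:
                findings.append(("ping_sleep", e.pid))
        elif name == "reg.exe" and is_run_key_add(e.cmdline):
            findings.append(("run_key_persistence", e.pid))
        elif "\\appdata\\" in e.image.lower() and parent and basename(parent.image) == "cmd.exe":
            findings.append(("appdata_exe_launched_by_cmd", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:30s} pid={pid}")
```

Run against the constructed events, the two ping-as-sleep chains, the AppData launch of qigwpcdca.exe and the Run key write are each reported once, and the benign ping of fileserver01 is not. In production the same logic would read Sysmon Event ID 1 (or EDR process-start) records; the ping rule is worth correlating with the parent command line as done here, because a bare loopback ping is common in administrator scripts.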
Threat name:
Win64.Trojan.Bazarldr
Status:
Malicious
First seen:
2021-02-11 09:09:15 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Behaviour
Modifies registry key
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash:
12f80d2865cf621a8209566ebcf1fae22efccd325c135b3ad69c37023631ea57
MD5 hash:
1060c35becbfe7c86c9f8b8fd321395e
SHA1 hash:
a243489cca5453ade36fc84ac63e2cc6f16c6c50
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BazaLoader

Executable exe 12f80d2865cf621a8209566ebcf1fae22efccd325c135b3ad69c37023631ea57

(this sample)

Delivery method
Distributed via web download

Comments