MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 19be41bf3f9577db880b196816a2f1f7b5cb07beb2c1ee80ff813d30d0881617. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: BazaLoader
Vendor detections: 7

SHA256 hash: 19be41bf3f9577db880b196816a2f1f7b5cb07beb2c1ee80ff813d30d0881617
SHA3-384 hash: 6ac700f7fc35b63a830dff8e631d6a9619482c192440e62cb21addb5e58f81a479fe9cb4b358ce06eed8a4f740f442d5
SHA1 hash: 0b1a1b7a5a309a350d7b0b9093ff8977d9eb7ca7
MD5 hash: 4bf479d0fcb081c8ab68c41d848d593d
humanhash: hotel-equal-ten-colorado
File name: SecuriteInfo.com.RiskTool.Win32.BitCoinMiner.vho.31244.24728
Signature: BazaLoader
File size: 281'600 bytes
First seen: 2021-03-31 21:35:27 UTC
Last seen: 2021-04-01 02:48:11 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 41191cafd0feffb1714fd31f94d3bb0b (1 x BazaLoader)
ssdeep: 6144:rYJXV3YFVBEZ4Th/A4ijWnT+oc1kawEyHdsOyiQDUkpAL2vU7:gXmQ4ThVT+F7wNyj9AL2G
Threatray: 129 similar samples on MalwareBazaar
TLSH: B054E049E2B00DE4EEB74A3CC8B81659E5353811A760DE4F632422560F676E1ED3DFB8
Reporter: SecuriteInfoCom
Tags: BazaLoader

Intelligence

File Origin
# of uploads: 2
# of downloads: 106
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: SecuriteInfo.com.RiskTool.Win32.BitCoinMiner.vho.31244.24728
Verdict: No threats detected
Analysis date: 2021-03-31 21:43:25 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Suspicious
Maliciousness:
Behaviour
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Launching a process
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Bazar Loader
Detection: malicious
Classification: troj.spyw.evad
Score: 80 / 100
Signature
Creates multiple autostart registry keys
Detected Bazar Loader
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph: [graph rendered as text on the original page; Behavior Graph ID 379441, sample SecuriteInfo.com.RiskTool.W..., start date 31/03/2021, architecture WINDOWS, score 80]
Threat name: Win64.Trojan.Kryplod
Status: Malicious
First seen: 2021-03-31 20:31:40 UTC
AV detection: 2 of 29 (6.90%)
Threat level: 5/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: 19be41bf3f9577db880b196816a2f1f7b5cb07beb2c1ee80ff813d30d0881617
MD5 hash: 4bf479d0fcb081c8ab68c41d848d593d
SHA1 hash: 0b1a1b7a5a309a350d7b0b9093ff8977d9eb7ca7
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download: BazaLoader, Executable exe 19be41bf3f9577db880b196816a2f1f7b5cb07beb2c1ee80ff813d30d0881617 (this sample)

Delivery method: Distributed via web download