MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a6cb237a384268d740b9c5dc54fba5f8cf738b142ecef58edceef314d2650b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BazaLoader
Vendor detections: 7



SHA256 hash: 1a6cb237a384268d740b9c5dc54fba5f8cf738b142ecef58edceef314d2650b8
SHA3-384 hash: 0fb331d1eb0f0ea8af42e31241a3c0924043c2f351b970988f8da16aa67879d0ae71ba81a48f941b5b99b355580b1f9f
SHA1 hash: 7028eced8d69c6f7cd2645bb9665a5d91e62f550
MD5 hash: 2af60f6d125e1f344347aaf9121fcb77
humanhash: magazine-speaker-venus-low
File name: 1a6cb237a384268d740b9c5dc54fba5f8cf738b142ecef58edceef314d2650b8.dll
Signature: BazaLoader
File size: 452'105 bytes
First seen: 2021-09-16 15:30:55 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0aec37646f65af517fda3b7a8bc197ea (1 x BazaLoader)
ssdeep: 12288:mcpxzP/JHHvW9qyM4jrZ+CSK/eAvneFNAKkGD771bck:YKBpCKkGj1Yk
Threatray: 6 similar samples on MalwareBazaar
TLSH: T178A47D6FA1911247FEB14C78CED9A2A6C9C3763D8E7EE5F3AD50D13038285A0DD5A213
Reporter: N3utralZ0ne
Tags: BazaLoader exe

Intelligence

File Origin
# of uploads:
1
# of downloads:
137
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1a6cb237a384268d740b9c5dc54fba5f8cf738b142ecef58edceef314d2650b8.dll
Verdict:
No threats detected
Analysis date:
2021-09-16 15:35:10 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Transferring files using the Background Intelligent Transfer Service (BITS)
Sending a UDP request
Launching a process
Verdict:
Suspicious
Threat level:
5/10
Confidence:
100%
Tags:
overlay
Malware family:
BazarBackdoor
Verdict:
Malicious
Result
Threat name:
Bazar Loader
Detection:
malicious
Classification:
spyw.evad
Score:
92 / 100
Signature
Allocates memory in foreign processes
Detected Bazar Loader
Injects a PE file into a foreign process
Modifies the context of a thread in another process (thread injection)
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: CobaltStrike Load by Rundll32
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Behaviour
Behavior Graph: (rendered as an image; not reproduced here) Behavior Graph ID: 484633, Sample: Pk1i5t2XLG.dll, Startdate: 16/09/2021, Architecture: WINDOWS, Score: 92. The graph shows the sample loaded via loaddll64.exe and rundll32.exe, spawning cmd.exe, further rundll32.exe instances and svchost.exe, with the injected svchost.exe processes making outbound network connections.
Threat name:
Win64.Trojan.Kryplod
Status:
Malicious
First seen:
2021-09-16 15:31:05 UTC
AV detection:
10 of 28 (35.71%)
Threat level:
5/5
Result
Malware family:
bazarbackdoor
Score:
10/10
Tags:
family:bazarbackdoor backdoor
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Bazar/Team9 Backdoor payload
BazarBackdoor
Unpacked files
SHA256 hash:
1a6cb237a384268d740b9c5dc54fba5f8cf738b142ecef58edceef314d2650b8
MD5 hash:
2af60f6d125e1f344347aaf9121fcb77
SHA1 hash:
7028eced8d69c6f7cd2645bb9665a5d91e62f550
Malware family:
BazarLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments