MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1b7a277e3aa02c66b4a1da64cc2be281102decb97ff841d62c02e9fc1ade361f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BazaLoader

Vendor detections: 8

SHA256 hash: 1b7a277e3aa02c66b4a1da64cc2be281102decb97ff841d62c02e9fc1ade361f
SHA3-384 hash: f13fbfa8e37c69ffa6caa7d801273e9595e160a7c9c26c661c0c9b71b8be041b9693c3c0372223ab1d81cac3a67a0845
SHA1 hash: 5483e0c77d6542cbe26d0788e2ce5df550903a51
MD5 hash: 179f588e7871e14e7870183ad94784c9
humanhash: uranus-dakota-leopard-summer
File name: Report-Review20-10.exe
Signature: BazaLoader
File size: 15'906'456 bytes
First seen: 2020-10-20 17:49:08 UTC
Last seen: 2020-10-20 18:59:27 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: d3a2afb703bdefc4273681ac10f9f607 (9 x BazaLoader)
ssdeep: 393216:5kUqt/8vHxlVvNJbYmb126bbQlv7gSREXQL+e5sOM:O0RlXJ0mb3Q2Xd
Threatray: 199 similar samples on MalwareBazaar
TLSH: 76F6BE4277D68909E0A61730DDB382B81677BD519D35870F328CBA1EAFF36815C66B23
Reporter: BFcerdo
Tags: BazaLoader NOSOV SP Z O O signed

Intelligence


File Origin
# of uploads: 2
# of downloads: 93
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Behaviour:
Transferring files using the Background Intelligent Transfer Service (BITS)
DNS request
Creating a window
Launching cmd.exe command interpreter
Sending a TCP request to an infection source
Unauthorized injection to a system process

Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 80 / 100
Signature:
Allocates memory in foreign processes
Hijacks the control flow in another process
Icon mismatch: the binary includes an icon from a different legitimate application in order to fool users
Injects a PE file into a foreign process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Writes to foreign memory regions
Threat name: Win64.Trojan.Bazaloader
Status: Malicious
First seen: 2020-10-20 17:51:08 UTC
AV detection: 23 of 29 (79.31%)
Threat level: 5/5

Result
Malware family: bazarbackdoor
Score: 10/10
Tags: backdoor family:bazarbackdoor
Behaviour:
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Blacklisted process makes network request
BazarBackdoor

Unpacked files
SHA256 hash: 1b7a277e3aa02c66b4a1da64cc2be281102decb97ff841d62c02e9fc1ade361f
MD5 hash: 179f588e7871e14e7870183ad94784c9
SHA1 hash: 5483e0c77d6542cbe26d0788e2ce5df550903a51
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments