MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1f136522cc2cdea93e2086aa67ab07102bcef7e31b201489b43707986824b3f8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BazaLoader

Vendor detections: 6

SHA256 hash: 1f136522cc2cdea93e2086aa67ab07102bcef7e31b201489b43707986824b3f8
SHA3-384 hash: 2cf7e08ce0f5ba893879e59abfb475522215fcbf6ea4943b992c381b13d5c78f6b962f2b4bdffbb9534465fc7298454f
SHA1 hash: ea43b8d17588710f01ce79c07cb7d79433d3623a
MD5 hash: 60a361ce5f18ad041ca2b1f668828219
humanhash: tennis-utah-grey-bulldog
File name: 60a361ce5f18ad041ca2b1f668828219.dll
Signature: BazaLoader
File size: 289'415 bytes
First seen: 2021-10-13 17:45:15 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f2aa966974790b641bc88c5a5bd46a40 (2 x BazaLoader)
ssdeep: 6144:VWvccklaZIIq3+Q4gdD3iD9Rd3YdFT/od3kQM:VIcZao3+Qr4zMFTwXM
Threatray: 31 similar samples on MalwareBazaar
TLSH: T138546DB6F2912DA6EAD1C879C216B1B4F28368373765E1D0B5A706D3102D4E4CEB6F13
Reporter: abuse_ch
Tags: BazaLoader BazarBackdoor BazarLoader dll exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 292
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 60a361ce5f18ad041ca2b1f668828219.dll
Verdict: No threats detected
Analysis date: 2021-10-13 18:12:08 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a window
Transferring files using the Background Intelligent Transfer Service (BITS)
Launching a process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: overlay

Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Bazar Loader
Detection: malicious
Classification: spre.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Detected Bazar Loader
Injects a PE file into a foreign process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs a network lookup / discovery via net view
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: Dridex Process Pattern
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Behaviour
Behavior Graph: rendered process graph not reproduced here (Behavior Graph ID: 502388, sample zq8o6y1z60.dll, start date 13/10/2021, architecture WINDOWS, score 100).
Result
Malware family: bazarloader
Score: 10/10
Tags: family:bazarloader dropper loader
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Bazar/Team9 Loader payload
Bazar Loader
Unpacked files
SHA256 hash: 1f136522cc2cdea93e2086aa67ab07102bcef7e31b201489b43707986824b3f8
MD5 hash: 60a361ce5f18ad041ca2b1f668828219
SHA1 hash: ea43b8d17588710f01ce79c07cb7d79433d3623a
Malware family: BazarLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BazaLoader

Executable exe 1f136522cc2cdea93e2086aa67ab07102bcef7e31b201489b43707986824b3f8 (this sample)

Delivery method: Distributed via web download

Comments