MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22e899eddfcdd250f184f10d71b117c2b6a1625847ba5c46c39ee6245afc1ef2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 22e899eddfcdd250f184f10d71b117c2b6a1625847ba5c46c39ee6245afc1ef2
SHA3-384 hash: 59ee001ba92a5e9180a570d9e3bce7781ed1a80999f0761ccd56e2d97c7ef6e7d16bfa446b517dc87c0f7fc8d63e4e5b
SHA1 hash: 0454d41b7bb44b735a5f55913fdd981d18886ff0
MD5 hash: 0301adf4281ae21a9c6628877c094dc7
humanhash: cup-nineteen-skylark-stream
File name:0301adf4281ae21a9c6628877c094dc7.dll
Download: download sample
Signature BazaLoader
Create hunting rule
File size:250'368 bytes
First seen:2021-11-16 20:38:25 UTC
Last seen:2021-11-16 23:02:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c2593a475dbf7eb3342d2354aee69d8a (2 x BazaLoader)
ssdeep 3072:tF8o3Q6r6eeLOVtfZ4v7QoKwIPWt2P7HM+zB5l3ERtQ2hG16k6Bk7v11poplx239:thdILOVwSTzB4RSMGwbBo7oNBizUhXn
Threatray 30 similar samples on MalwareBazaar
TLSH T12234DF4BB7F51CAFD57A863988634A45D772B8414720EEAF07A4469A1F233D18C3EF60
Reporter abuse_ch
Tags:BazaLoader dll exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
133
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/206632/
Detection(s):
SecuriteInfo.com.Variant.Midie.103616.13518.22960.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Searching for the window
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware monero
Link:
https://www.filescan.io/uploads/619416e82695a62af9f18cb8/reports/39fbd4f7-52be-4eb0-b0a3-618d49fd3739/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a87e45c4-a299-4718-aa22-16612bd72998
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/890721
Signature
Creates an autostart registry key pointing to binary in C:\Windows
Multi AV Scanner detection for submitted file
Sigma detected: UNC2452 Process Creation Patterns
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 523194 Sample: mhWoOUGD36.dll Startdate: 16/11/2021 Architecture: WINDOWS Score: 68 54 Multi AV Scanner detection for submitted file 2->54 56 Sigma detected: UNC2452 Process Creation Patterns 2->56 10 loaddll64.exe 1 2->10         started        12 rundll32.exe 2->12         started        14 rundll32.exe 2->14         started        process3 process4 16 rundll32.exe 10->16         started        18 cmd.exe 1 10->18         started        21 rundll32.exe 10->21         started        23 6 other processes 10->23 signatures5 25 cmd.exe 1 16->25         started        58 Uses ping.exe to sleep 18->58 60 Uses ping.exe to check the status of other devices and networks 18->60 27 rundll32.exe 18->27         started        process6 process7 29 rundll32.exe 25->29         started        31 conhost.exe 25->31         started        33 choice.exe 1 25->33         started        process8 35 cmd.exe 1 29->35         started        38 cmd.exe 1 29->38         started        signatures9 62 Uses ping.exe to sleep 35->62 40 PING.EXE 1 35->40         started        43 conhost.exe 35->43         started        45 rundll32.exe 35->45         started        47 reg.exe 1 1 38->47         started        50 conhost.exe 38->50         started        process10 dnsIp11 52 192.0.2.18 unknown Reserved 40->52 64 Creates an autostart registry key pointing to binary in C:\Windows 47->64 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/22e899eddfcdd250f184f10d71b117c2b6a1625847ba5c46c39ee6245afc1ef2/
Threat name:
Win64.Trojan.Midie
Create hunting rule
Status:
Malicious
First seen:
2021-11-16 11:28:05 UTC
AV detection:
16 of 28 (57.14%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
100ab1a8d68493c43a477aa54948803f96a31b4c7854840a505de009d6c360a8
BazaLoader
2a2b204b3d8df0388dd42a8fa5b7e9652f262c15b92de6ff13fec8778a6aac3f
BazaLoader
33082f1f702c0919efd47a7c935aa3972c90f7f7419c9aa6c87492f57658d403
BazaLoader
6035d44fa6845d348946b868b93fbb60a43873f731f96ef6e8a54a9b4a73103a
BazaLoader
69c6638c277af7f94f34c6f1ea1cee9d7cf5ee7a1e8ef0d2df527f8d6a529f5f
BazaLoader
6d8fcc850b8c796be3f6244f1f681332d155486bdd326ad6be78ea7172718db4
BazaLoader
880e2c5548284e08c44028f419a98350fa58e9f758a57f4ddb7b5d6e48fc7eb9
BazaLoader
95347bea5432c09cc216f5db771b956eb78a43139789036af9446139967b1c7f
BazaLoader
b24e47b63ec35e9a420b9fbb64106b2f9e6e8a18676e8c79ff2ca67af06f1291
BazaLoader
e192593ff1df7a3d24cc9463fdcde0b39b49a26816da608d50960da3131e2e36
BazaLoader
+ 20 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/211116-ze99xafdf2/
Behaviour
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
22e899eddfcdd250f184f10d71b117c2b6a1625847ba5c46c39ee6245afc1ef2
MD5 hash:
0301adf4281ae21a9c6628877c094dc7
SHA1 hash:
0454d41b7bb44b735a5f55913fdd981d18886ff0
Link:
https://www.unpac.me/results/ec782cff-204e-42b5-af66-3d52e9441e36/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/22e899eddfcdd250f184f10d71b117c2b6a1625847ba5c46c39ee6245afc1ef2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:BitcoinAddress
Create hunting rule
Author:Didier Stevens (@DidierStevens)
Description:Contains a valid Bitcoin address

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/206632/

Comments