MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2526d899c4401d93b6ddba11e67e7539a9422f929605f578549a42a162303748. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2526d899c4401d93b6ddba11e67e7539a9422f929605f578549a42a162303748
SHA3-384 hash: 944da35cd7c122f32fb3057e722b4defe38e1ec95474aa664637d724d29cd645e5fd930b08d1fe4d348608fe4dc001c3
SHA1 hash: 62402ee5c89da36672dd136c822b431c58a6f0c7
MD5 hash: 36f95f7e28e486ef9f48990e23a71ab0
humanhash: fix-berlin-fix-ack
File name:36f95f7e_by_Libranalysis
Download: download sample
Signature BazaLoader
Create hunting rule
File size:469'504 bytes
First seen:2021-05-20 02:01:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2c26945461063bcf28bd8f2f9fe738d8 (1 x BazaLoader)
ssdeep 6144:VWPBdyiB1WUoV79AZ6pmJHQpJrsGWoyidHoL5t:VWZQCyqJwNW3ido
Threatray 48 similar samples on MalwareBazaar
TLSH 68A45DFEB38205A4C8E9C977D3134B15F136BB9512097E662EDC42B52C3506F122EF2A
Reporter Libranalysis
Tags:BazaLoader


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
36f95f7e_by_Libranalysis
Verdict:
No threats detected
Analysis date:
2021-05-20 02:45:38 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/7b168eae-c68f-45e1-8ed0-51c953d3e216

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/159287/
Detection(s):
SecuriteInfo.com.Trojan.Downloader.11810.28842.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Transferring files using the Background Intelligent Transfer Service (BITS)
Sending a custom TCP request
Sending a UDP request
Launching a process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/785629
Signature
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2526d899c4401d93b6ddba11e67e7539a9422f929605f578549a42a162303748/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eutnrgoeiaozhnw5xii6m7tvhguuel4ssyc7k6cutjbkcyrqg5ea._file
Verdict:
malicious
Similar samples:
1eba154cdc2e540704eebfaca2f51fb643c44129911eb9b668f82ab95c1b157d
BazaLoader
2fe32b0f648bfe69c9873c7a57a62358057eab750a081f9285c11e94327c42d6
BazaLoader
5edd735e3c6b81d985f3eadd1f8cae24091b947699f1152528566124f22d5341
BazaLoader
6c499f0fb04581d0b02d532cec44b9f39c571ac5d4ae7f0b4bff6957a5bab329
BazaLoader
726446fc55650c11f0b38966a30de5b2d0e10805f23cf22f0c13969e2fe2914a
BazaLoader
c8510031a868ab8ef2b11a4261d2aba8c9be252294780faea012bfa94c6d0c70
BazaLoader
cca0563ae1aac9447ba5e3f73cafc63a21671e478dc198695db6c698a2a17d2b
BazaLoader
d22f536d4d6cc001271855f4467af0bbc656801e1ffa34a8acd905db56cebae0
BazaLoader
f0548ac778c8bcea06c577a13e7b0856b73838715c2fab1b1e83096e2333f82f
BazaLoader
f554be4d3d5b1f05f69038bbe54acb8e92ae5b0e45368e2108ecfde515dc8d9f
BazaLoader
+ 38 additional samples on MalwareBazaar
Result
Malware family:
bazarloader
Create hunting rule
Score:
  10/10
Tags:
family:bazarbackdoor family:bazarloader backdoor dropper loader
Link:
https://tria.ge/reports/210520-v1zz1elgze/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Bazar/Team9 Backdoor payload
Bazar/Team9 Loader payload
Bazar Loader
BazarBackdoor
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2526d899c4401d93b6ddba11e67e7539a9422f929605f578549a42a162303748

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BazaLoader

Executable exe 2526d899c4401d93b6ddba11e67e7539a9422f929605f578549a42a162303748

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/159287/
  
URLhaus
https://urlhaus.abuse.ch/url/1257718/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1257747/
  
URLhaus
https://urlhaus.abuse.ch/url/1257855/
  
URLhaus
https://urlhaus.abuse.ch/url/1258879/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-20 03:04:50 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0012.001] Anti-Static Analysis::Argument Obfuscation
1) [B0030.002] Command and Control::Receive Data
2) [B0030.001] Command and Control::Send Data
3) [C0011.001] Communication Micro-objective::Resolve::DNS Communication
4) [C0001.009] Communication Micro-objective::Initialize Winsock Library::Socket Communication
5) [C0001.006] Communication Micro-objective::Receive Data::Socket Communication
6) [C0001.007] Communication Micro-objective::Send Data::Socket Communication
7) [C0001.001] Communication Micro-objective::Set Socket Config::Socket Communication
8) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
9) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
10) [C0052] File System Micro-objective::Writes File
11) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
12) [C0040] Process Micro-objective::Allocate Thread Local Storage
13) [C0038] Process Micro-objective::Create Thread
14) [C0041] Process Micro-objective::Set Thread Local Storage Value
15) [C0018] Process Micro-objective::Terminate Process