MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2596ad5fce328fb8b5211941a28d8a7b9f3723dead923b7dfcde21154356f141. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2596ad5fce328fb8b5211941a28d8a7b9f3723dead923b7dfcde21154356f141
SHA3-384 hash: bc42c4221d127cbf13cea62b689974e607d167969aeadf0c0e2bb2c715e3be65a6ef6787106ba10bfa87e912bfd3f4a8
SHA1 hash: d243f7de246d71abfdb5aaa529a0f540ab8306d1
MD5 hash: 8118a6fe28cb8a52a4afed525884d837
humanhash: mike-batman-connecticut-princess
File name:d243f7de246d71abfdb5aaa529a0f540ab8306d1.bin
Download: download sample
Signature BazaLoader
Create hunting rule
File size:144'384 bytes
First seen:2021-07-17 20:35:52 UTC
Last seen:2021-07-17 21:32:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 1536:286OZbT+Ko+QKOefjk8G7iVOJtNkLtLrxsx/aq8ZkqBvVl/+aPV4isiqi2Kbsu+s:286y/QMOfzJ0usoKVRjf4zz
Threatray 50 similar samples on MalwareBazaar
TLSH T12AE38DFCA08505A8DA9A0BFC9E78BDECB4BC18537F10A51D993A72E11F7277DD460502
Reporter Anonymous
Tags:BazaLoader exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d243f7de246d71abfdb5aaa529a0f540ab8306d1.bin
Verdict:
No threats detected
Analysis date:
2021-07-17 20:40:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8ddac556-dc0a-489c-b7d4-e3ec4be14e93

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172369/
Detection(s):
SecuriteInfo.com.Variant.Ulise.259048.21448.2906.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/7eb000e5-6304-401d-a488-b538f0067534
Result
Threat name:
Bazar Loader
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/817866
Signature
Allocates memory in foreign processes
Detected Bazar Loader
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: CobaltStrike Load by Rundll32
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 450277 Sample: jDZQtPOFTp.bin Startdate: 17/07/2021 Architecture: WINDOWS Score: 100 30 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->30 32 Detected Bazar Loader 2->32 34 Sigma detected: CobaltStrike Load by Rundll32 2->34 36 Sigma detected: Suspicious Svchost Process 2->36 7 loaddll64.exe 1 2->7         started        9 rundll32.exe 2->9         started        process3 process4 11 rundll32.exe 15 7->11         started        15 cmd.exe 1 7->15         started        17 rundll32.exe 7->17         started        dnsIp5 26 35.165.197.209, 443, 49770 AMAZON-02US United States 11->26 28 192.168.2.1 unknown unknown 11->28 38 System process connects to network (likely due to code injection or exploit) 11->38 40 Sets debug register (to hijack the execution of another thread) 11->40 42 Writes to foreign memory regions 11->42 44 4 other signatures 11->44 19 svchost.exe 14 11->19         started        22 rundll32.exe 15->22         started        signatures6 process7 dnsIp8 24 3.101.57.185, 443, 49773, 49774 AMAZON-02US United States 19->24
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2596ad5fce328fb8b5211941a28d8a7b9f3723dead923b7dfcde21154356f141/
Threat name:
Win64.Trojan.Ulise
Create hunting rule
Status:
Malicious
First seen:
2021-07-17 20:36:03 UTC
AV detection:
7 of 46 (15.22%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
2526d899c4401d93b6ddba11e67e7539a9422f929605f578549a42a162303748
BazaLoader
665d2cbbe026c961b1506f5d45205959c817c7b69af4106a40e74186cee6eb94
BazaLoader
842e396f05d590ec88da30e6180dfb29a7aec16e3ef5b49398fde8b79e4090bd
BazaLoader
86d2aa04988befc74eccca5d99550f67093969b31aafa11cdce3476a4c59ba74
BazaLoader
8c281412e64050c64d1e734d844ecc6a94e7187378365d5d9ade89e67871d20e
BazaLoader
943017c3097455cb8b4659412783705b4815c7b6d68b0809ff74a44bad8beb04
BazaLoader
a00ea79b060c85b5a90fb7410c2ff5be7199100d2a16c80f1be0bf4c65b74ba9
BazaLoader
d4f8894bcfb45d9c5185af6978aa7340bdc3373833ff88fc8f2c46364650cc4f
BazaLoader
+ 40 additional samples on MalwareBazaar
Result
Malware family:
bazarloader
Create hunting rule
Score:
  10/10
Tags:
family:bazarbackdoor family:bazarloader backdoor dropper loader
Link:
https://tria.ge/reports/210717-j6f1jsaltj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Blocklisted process makes network request
Bazar/Team9 Backdoor payload
Bazar/Team9 Loader payload
Bazar Loader
BazarBackdoor
Unpacked files
SH256 hash:
2596ad5fce328fb8b5211941a28d8a7b9f3723dead923b7dfcde21154356f141
MD5 hash:
8118a6fe28cb8a52a4afed525884d837
SHA1 hash:
d243f7de246d71abfdb5aaa529a0f540ab8306d1
Link:
https://www.unpac.me/results/1f1f6280-8b94-4a77-9980-0b7346dfc8bc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.30
Link:
https://yomi.yoroi.company/submissions/2596ad5fce328fb8b5211941a28d8a7b9f3723dead923b7dfcde21154356f141

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/172369/

Comments