MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a2b204b3d8df0388dd42a8fa5b7e9652f262c15b92de6ff13fec8778a6aac3f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BazaLoader


Vendor detections: 7



SHA256 hash: 2a2b204b3d8df0388dd42a8fa5b7e9652f262c15b92de6ff13fec8778a6aac3f
SHA3-384 hash: 62f0b4a6634aaea709a9f3550ac67f4da54bc85bf71dd3331775064f75d1b348f4f1ba3af9af3adab39836ffb7369780
SHA1 hash: 1e2cd7d64c7173de342fae824b1bddb61bee4770
MD5 hash: 97ec93d30f45f24c0cdaf37f63a40901
humanhash: batman-illinois-rugby-carolina
File name: Attachments_3.dll
Signature: BazaLoader
File size: 268'288 bytes
First seen: 2021-11-16 11:22:33 UTC
Last seen: 2021-11-16 12:36:46 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9e9b9dc9a1d7fc9680151ec542607c93 (6 x BazaLoader)
ssdeep: 3072:pXWFeMwzVAuz3GHu+3O5NYcqMNYLjSiGtj2YemV4zles4TZ4My9ZRTYKBToSrU9L:p06Ljjz5BbtXZV4zos4NsxpRzox
Threatray: 28 similar samples on MalwareBazaar
TLSH: T1CB44C027B3A40CBBE5664679C9A31A56E771BC550720EBEF03A4036A1F237D15C3AF21
Reporter: JAMESWT_WT
Tags: BazaLoader exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 124
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Clean
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware monero
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: Generic Malware
Verdict: Malicious
Result
Threat name: Unknown
Detection: malicious
Classification: evad.troj
Score: 68 / 100
Signature
Multi AV Scanner detection for submitted file
Sigma detected: UNC2452 Process Creation Patterns
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph: (graph image not reproduced) Behavior Graph ID 522779; sample Attachments_3.dll; start date 16/11/2021; architecture WINDOWS; score 68. The graph shows loaddll64.exe launching cmd.exe and rundll32.exe, which in turn spawn further cmd.exe, rundll32.exe, PING.EXE, conhost.exe, choice.exe and reg.exe processes, with the signatures "Multi AV Scanner detection for submitted file", "Sigma detected: UNC2452 Process Creation Patterns", "Uses ping.exe to sleep", "Uses cmd line tools excessively to alter registry or file data" and "Uses ping.exe to check the status of other devices and networks" attached. Network nodes: 162.33.179.201 port 443 (CORENETUS, United States) and two reserved addresses (192.0.2.46, 192.0.2.40).
Threat name: Win64.Packed.Generic
Status: Suspicious
First seen: 2021-11-16 11:23:15 UTC
AV detection: 18 of 28 (64.29%)
Threat level: 1/5
Result
Malware family: n/a
Score: 3/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Unpacked files
SHA256 hash: 2a2b204b3d8df0388dd42a8fa5b7e9652f262c15b92de6ff13fec8778a6aac3f
MD5 hash: 97ec93d30f45f24c0cdaf37f63a40901
SHA1 hash: 1e2cd7d64c7173de342fae824b1bddb61bee4770
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: BitcoinAddress
Author: Didier Stevens (@DidierStevens)
Description: Contains a valid Bitcoin address

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments