MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 34b416c0bc4803657acb69ad241de0e3a8b9c2d70769d57f8d041cc697a764c3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BazaLoader

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	34b416c0bc4803657acb69ad241de0e3a8b9c2d70769d57f8d041cc697a764c3
SHA3-384 hash:	a6e49703408b4ec4fcdbb3fb9f91c82897e3fc6179062ae7bfdd55aa1414ff8a0fcb9751dc44adfb8b658b1d835fa0f2
SHA1 hash:	ce6b91d98509b5d2a310019145aee26062b5caa7
MD5 hash:	1762e43d268d786392780e8513365fa5
humanhash:	shade-freddie-saturn-shade
File name:	34b416c0bc4803657acb69ad241de0e3a8b9c2d70769d57f8d041cc697a764c3
Download:	download sample
Signature	BazaLoader Create hunting rule
File size:	2'188'712 bytes
First seen:	2020-10-07 05:22:36 UTC
Last seen:	2020-10-07 06:24:15 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	c0c9e5f1d7067f64c7163decfc80583b (6 x BazaLoader)
ssdeep	49152:SDc0MWVzRykGNJr6UuM8UgD4kw99yTBGPjy:2MWVzRykGriUoU99yTBGPjy
Threatray	110 similar samples on MalwareBazaar
TLSH	17A508836EC74DA6DBE22BBD95E343307334BD51CA9A6F1B7608D1311D63AC1AD86B40
Reporter	JAMESWT_WT
Tags:	BazaLoader GLOBAL PARK HORIZON SP Z O O signed

Code Signing Certificate

Organisation:	DigiCert High Assurance EV Root CA
Issuer:	DigiCert High Assurance EV Root CA
Algorithm:	sha1WithRSAEncryption
Valid from:	Nov 10 00:00:00 2006 GMT
Valid to:	Nov 10 00:00:00 2031 GMT
Serial number:	02AC5C266A0B409B8F0B79F2AE462577
Intelligence:	204 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	7431E5F4C3C1CE4690774F0B61E05440883BA9A01ED00BA6ABD7806ED3B118CF
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

2

# of downloads :

123

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/68802/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

DNS request

Sending a custom TCP request

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Result

Threat name:

Unknown

Detection:

malicious

Classification:

spyw.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/483725

Signature

Allocates memory in foreign processes

Hijacks the control flow in another process

Injects a PE file into a foreign processes

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Sample uses process hollowing technique

Writes to foreign memory regions

Yara detected Keylogger Generic

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/34b416c0bc4803657acb69ad241de0e3a8b9c2d70769d57f8d041cc697a764c3/

Threat name:

Win64.Backdoor.Quakbot

Status:

Malicious

First seen:

2020-10-06 17:11:13 UTC

File Type:

PE+ (Exe)

Extracted files:

4

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Verdict:

malicious

Similar samples:

00d718c6e13069d75a8f3d0795664401c28d1fadafbebf6ec8dd5e4181cfbbfa

071a87110c15bb64af2e6d976ed4da8429c3fee4c8872b82475746ea0b26351f

24c6b834189b439a03d248daf49c46418ac362807cb91e291453ef4c88fd30da

2fcb8a7682c524ae07bfb82e2b250cffbbb685b66d56c3b7badec2b85185f9f5

7b9c9f0736204a7435418217a4a2a41b4bfd913a380a132b8f09c21c67d69824

7dd760acef6e4e8852e91cec3c0b1ea1e4a8dc5f7ae43737f0d05714c0f9e1ba

857be4b1c02d814b407db4212b1b46ef4689e943f4eb10c24fef5abbb274a9ff

bec20ac8a134a12e75da2c091e0ff228a2d230b2498991b1689e6b44db94cd58

f9bd0436e92443e755484de96679dfd4f2849af8b95285f818e283aa700cefad

fc6d7b4be385989d0f80dfc2b9b4d39dc517343fd239e35583fb74aef450f4a3

+ 100 additional samples on MalwareBazaar

Result

Malware family:

bazarbackdoor

Score:

10/10

Tags:

backdoor family:bazarbackdoor discovery

Link:

https://tria.ge/reports/201007-kb862tgwda/

Behaviour

Modifies system certificate store

Suspicious use of WriteProcessMemory

Discovers systems in the same network

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetThreadContext

Checks installed software on the system

Looks up external IP address via web service

Blacklisted process makes network request

BazarBackdoor

Unpacked files

SH256 hash:

34b416c0bc4803657acb69ad241de0e3a8b9c2d70769d57f8d041cc697a764c3

MD5 hash:

1762e43d268d786392780e8513365fa5

SHA1 hash:

ce6b91d98509b5d2a310019145aee26062b5caa7

Link:

https://www.unpac.me/results/82cc217c-4fd8-4671-8236-86917b081aa8/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/34b416c0bc4803657acb69ad241de0e3a8b9c2d70769d57f8d041cc697a764c3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/68802/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample