MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35683ac5bbcc63eb33d552878d02ff44582161d1ea1ff969b14ea326083ea780. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BazaLoader

Vendor detections: 9

Intelligence 9 IOCs YARA 1 File information Comments

SHA256 hash:	35683ac5bbcc63eb33d552878d02ff44582161d1ea1ff969b14ea326083ea780
SHA3-384 hash:	b03686e2e543a8683a96cfa6c4dd28d159d00856b475268a68cc6b533e985ef7645581f231a72be6e7d9d50774b45924
SHA1 hash:	bddbceefe4185693ef9015d0a535eb7e034b9ec3
MD5 hash:	c6502d4dd27a434167686bfa4d183e89
humanhash:	high-april-paris-johnny
File name:	bddbceefe4185693ef9015d0a535eb7e034b9ec3
Download:	download sample
Signature	BazaLoader Create hunting rule
File size:	344'576 bytes
First seen:	2020-12-15 20:25:15 UTC
Last seen:	2020-12-15 21:33:11 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	db60e0959cfe3991b2f6c66c24b00482 (3 x BazaLoader, 1 x TrickBot)
ssdeep	6144:xgITgAwvbsnWEwqVCA1jxlK11wdkWyloi/DyO:xgr/EwSCA1jXK1im/DyO
Threatray	150 similar samples on MalwareBazaar
TLSH	0974B3C3F054349CF8DF827BB9EA4E25B2E27C5609422A0561713F95BF325825FC8A6D
Reporter	johannes
Tags:	BazaLoader

Intelligence

File Origin

# of uploads :

# of downloads :

182

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Print-Review.exe

Verdict:

Malicious activity

Analysis date:

2020-12-10 16:06:17 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b5719421-cfdb-4344-af31-1207ddd791ae

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/108231/

Detection(s):

SecuriteInfo.com.Variant.Johnnie.297322.9126.27448.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

DNS request

Connection attempt to an infection source

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

64 / 100

Link:

https://www.joesandbox.com/analysis/563756

Signature

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/35683ac5bbcc63eb33d552878d02ff44582161d1ea1ff969b14ea326083ea780/

Threat name:

Win64.Trojan.BazarLoader

Status:

Malicious

First seen:

2020-12-10 17:14:18 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=gvudvrn3zrr6wm6vkkdy2ax7irmccyor5ip7s2nrj2rsmcb6u6aa._file

Verdict:

malicious

BazaLoader

1a11f48cbdd0a8f256f4940d8e8dcf0ead80cbfdb6d6dd87c8b9b945c4051631

BazaLoader

1ea7aff75af63e55b05fd2d3015df1a3edfd1fcdad8305e1ff64611d37d97ee4

BazaLoader

2a7964c5d7268f4b320e91ad133654d75edca3c15f9e5c76dee7bf68634b933f

BazaLoader

52e72513fe2a38707aa63fbc52dabd7c7d2c5809ed7e27f384315375426f57bf

BazaLoader

5c59f12280cdfd8303296be2502e5800873fe8dd7aa800bddd18da475f787244

BazaLoader

609fef55693698a2bc7695a4bdc574cfb45b590bde4f4291f8d99bc7f25e266a

BazaLoader

7226219330a9bb9da14b7f056be6cab2e42e37a4a19fab6dfa626094f6b57c55

BazaLoader

bcea99b1ec6fa52fec60589878c451266f260a8b4e2d8c85d700b3d24e0dce4b

BazaLoader

d41c191058675d5e5280c63aaa04e8eee80401d6887205c47f26723e1de9decb

BazaLoader

+ 140 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/201215-3meshd5bpn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Unpacked files

SH256 hash:

35683ac5bbcc63eb33d552878d02ff44582161d1ea1ff969b14ea326083ea780

MD5 hash:

c6502d4dd27a434167686bfa4d183e89

SHA1 hash:

bddbceefe4185693ef9015d0a535eb7e034b9ec3

Link:

https://www.unpac.me/results/69d5ff29-1da9-478a-8ad4-ac48888d1544/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/35683ac5bbcc63eb33d552878d02ff44582161d1ea1ff969b14ea326083ea780

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malpedia

https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor

Cape

https://www.capesandbox.com/analysis/108231/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample