MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37065b2a4cdaec2b1a260b39738746cb45895bd6d508e7aa5e4013e94abc6196. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BazaLoader

Vendor detections: 4

Intelligence 4 IOCs YARA 3 File information Comments

SHA256 hash:	37065b2a4cdaec2b1a260b39738746cb45895bd6d508e7aa5e4013e94abc6196
SHA3-384 hash:	f6ae1c2a0dea61e18da34c473f38364c458393f7dc7c379f4d7209536fff052d47af73ef8639eb33dda11c21e917aa3d
SHA1 hash:	4421fbc98f0f0b87cc2912d668345fd5629d98ea
MD5 hash:	9bca58b356486c17aeb8f157f614acac
humanhash:	bakerloo-lemon-speaker-uncle
File name:	miFrRGoM.dat
Download:	download sample
Signature	BazaLoader Create hunting rule
File size:	1'250'824 bytes
First seen:	2021-07-29 16:44:24 UTC
Last seen:	2021-07-29 17:39:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2869cb885758b15d003acb119f131468 (6 x BazaLoader, 3 x CobaltStrike, 1 x IcedID)
ssdeep	12288:6yWeahQ/LWnzkXz5HYrniajhuSlHJzJBlPXXo/6aNdCaBSPZC1XZV72B7:HWeaZzqY7dhBjz/lfo/FIyXv72B7
Threatray	26 similar samples on MalwareBazaar
TLSH	T149455B127CE184FED63AE0344892C3917632BC6563313BD73E5565BA2A75BD23A3E324
Reporter	malware_traffic
Tags:	BazaLoader BazarLoader dll Stolen_Images_Evidence

malware_traffic

Run method: rundll32.exe [filename],StartW

Intelligence

File Origin

# of uploads :

# of downloads :

193

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

miFrRGoM.dat

Verdict:

No threats detected

Analysis date:

2021-07-29 16:46:48 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/9d4cf98c-22c8-4f5c-bd86-19471f1c8dbb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/175117/

Detection(s):

SecuriteInfo.com.Trojan.Win.BazarLoader.R434695.22797.5709.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/b629a502-b508-427f-a06b-5d928898884a

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/824024

Signature

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Sigma detected: CobaltStrike Load by Rundll32

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/37065b2a4cdaec2b1a260b39738746cb45895bd6d508e7aa5e4013e94abc6196/

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=g4dfwksm3lwcwgrgbm4xhb2gzncysw6w2ueopks6iaj6ssv4mgla._file

Verdict:

malicious

BazaLoader

447a0ab1979dfe2b0d3ebd7082dec8ad9fba6c8a34bef39217fa4f2c6073c5d8

BazaLoader

6c6939f72d85a8d97f4aa81c53d02dccca16e6deff4a2a3eb017ea374713aace

BazaLoader

89e803fb3d77bd7c8ce32b32eaa6832dd37dba1fe675ac46cce0cb297646dc0d

BazaLoader

a314401b8e12130bea249a3734022a8ebd46b8e65b18535db60944a00e84e6f6

BazaLoader

b057eb94e711995fd5fd6c57aa38a243575521b11b98734359658a7a9829b417

BazaLoader

cbe165fddd39686da18fb293060b912be8cb49a47dc1eab85aa1e6aa5c9c4570

BazaLoader

f25aca08079e42ada9ce9fbd59639686c7e87be6979943b8a8a555bedbe1a7cf

BazaLoader

f2caffa263687a0901d68e143af25169d67bac91489d6b62faa2727ed5bb49fe

BazaLoader

+ 16 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

suricata

Link:

https://tria.ge/reports/210729-kpzrjywa7a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Blocklisted process makes network request

Suspicious use of NtCreateUserProcessOtherParentProcess

suricata: ET MALWARE BazaLoader Activity (GET)

suricata: ET MALWARE Observed Malicious SSL Cert (BazaLoader CnC)

suricata: ET MALWARE Observed Malicious SSL Cert (Bazar Backdoor)

Unpacked files

SH256 hash:

37065b2a4cdaec2b1a260b39738746cb45895bd6d508e7aa5e4013e94abc6196

MD5 hash:

9bca58b356486c17aeb8f157f614acac

SHA1 hash:

4421fbc98f0f0b87cc2912d668345fd5629d98ea

Link:

https://www.unpac.me/results/9d8aad2a-318d-4daf-b778-fd72b5723d82/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.30

Link:

https://yomi.yoroi.company/submissions/37065b2a4cdaec2b1a260b39738746cb45895bd6d508e7aa5e4013e94abc6196

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/175117/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample