MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3b04e7f31c8ec3bd466ce5910277f241a6b3e7bf9d70a5fd41d7922601cc06ba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BazaLoader

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	3b04e7f31c8ec3bd466ce5910277f241a6b3e7bf9d70a5fd41d7922601cc06ba
SHA3-384 hash:	cac77cd634192c069aa0c3f4eda2774d62155c46c7280997c1d882344bd120dc0940bc128a0fada2bd2129ec3e5e6019
SHA1 hash:	9ee199674aee9af42dfff4ca68fc7082c2cff69b
MD5 hash:	a25453ffec9582f897358af9323d6f02
humanhash:	sink-neptune-wisconsin-georgia
File name:	Report-Review20-10.exe
Download:	download sample
Signature	BazaLoader Create hunting rule
File size:	15'906'456 bytes
First seen:	2020-10-20 18:14:25 UTC
Last seen:	2020-10-20 18:59:36 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d3a2afb703bdefc4273681ac10f9f607 (9 x BazaLoader)
ssdeep	393216:NkUqt/8vHxlVvNJbYmb126bbQlv7gSREXQL+e5sOF:i0RlXJ0mb3Q2XA
Threatray	89 similar samples on MalwareBazaar
TLSH	6BF6BE4277D68909E0A61730DDB382B81677BD519D35870F328CBA1EAFF36815C66B23
Reporter	BFcerdo
Tags:	BazaLoader NOSOV SP Z O O signed

Intelligence

File Origin

# of uploads :

2

# of downloads :

105

Origin country :

n/a

Vendor Threat Intelligence

Detection:

BazaLoader

Link:

https://www.capesandbox.com/analysis/73608/

Detection(s):

SecuriteInfo.com.BackDoor.Bazar.19.24463.19100.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Transferring files using the Background Intelligent Transfer Service (BITS)

DNS request

Launching cmd.exe command interpreter

Sending a TCP request to an infection source

Unauthorized injection to a system process

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/498603

Signature

Allocates memory in foreign processes

Hijacks the control flow in another process

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Injects a PE file into a foreign processes

Modifies the context of a thread in another process (thread injection)

Sample uses process hollowing technique

Writes to foreign memory regions

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/3b04e7f31c8ec3bd466ce5910277f241a6b3e7bf9d70a5fd41d7922601cc06ba/

Threat name:

Win64.Trojan.Bazaloader

Status:

Malicious

First seen:

2020-10-20 18:16:07 UTC

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Verdict:

malicious

Similar samples:

093f2b5a9d4628d9331751d7e6d3582cf097ab3f4091463ec895052dee8d22c3

1b7a277e3aa02c66b4a1da64cc2be281102decb97ff841d62c02e9fc1ade361f

690ff4ee36a9ee03248ce8e45a605e718eb48778ffbce1b48f9a5522175ba611

a3b2528b5e31ab1b82e68247a90ddce9a1237b2994ec739beb096f71d58e3d5b

c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5

c81fe7326d72e662a185c7bccb19bd31481ffdf53ef0fb1019027d9d16e5a9d9

d3f27f0ba1900e461e292bf8f62028b60cac902ef71cbe455115d008c0ed27c6

f3f7756ced61f3872f07dd25b68f1824d8797730757a9a80bdbbe6522725a2de

f5d920482e18df058cc0848a4e96d06af5322c05b3b61d3cf05800ab345d3edf

f8d69d5df025089474bfef71b5fb42c0e11bfcbb1d2dd915c474b11b74c0504b

+ 79 additional samples on MalwareBazaar

Result

Malware family:

bazarbackdoor

Score:

10/10

Tags:

backdoor family:bazarbackdoor

Link:

https://tria.ge/reports/201020-766x5s9bhe/

Behaviour

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Blacklisted process makes network request

BazarBackdoor

Unpacked files

SH256 hash:

3b04e7f31c8ec3bd466ce5910277f241a6b3e7bf9d70a5fd41d7922601cc06ba

MD5 hash:

a25453ffec9582f897358af9323d6f02

SHA1 hash:

9ee199674aee9af42dfff4ca68fc7082c2cff69b

Link:

https://www.unpac.me/results/260c0240-b36f-4410-94ad-48ba328dc605/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Bazar

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/3b04e7f31c8ec3bd466ce5910277f241a6b3e7bf9d70a5fd41d7922601cc06ba

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/73608/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample