MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3bc43c7980c782e88a508e0a94767f5776f3bd79a94b4ce5630b3927af27fde1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Conti


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3bc43c7980c782e88a508e0a94767f5776f3bd79a94b4ce5630b3927af27fde1
SHA3-384 hash: 6ae5c70919b3e08b9d1608b3652072a7a64bd2b761934cd5ee0780d17a5205a6539814d2c6cfa070135a2d3eae789973
SHA1 hash: 5885fed529eb5ad75a5e38e91c201a368053c28d
MD5 hash: b499d236d535cc3029c2211162c0726b
humanhash: nebraska-mountain-artist-twelve
File name:4dfs1dfs.exe
Download: download sample
Signature Conti
Create hunting rule
File size:743'554 bytes
First seen:2021-02-09 18:01:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 026cf4546ef25ed562257a6f87c8e6cf (11 x Conti, 5 x BazaLoader, 1 x TrickBot)
ssdeep 12288:JajFDORvsri3361XTxdd8q815j+eiyESoe3lMjDw4yr0ayxeGMi0ofR:UjFDORvv33uXTxdd8q815j+eiyESoe3c
Threatray 10 similar samples on MalwareBazaar
TLSH 3AF48C23AA11B438F3B640F55AFAA47FA819587153091AF338E7A064F1603E57FF5C62
Reporter Rony
Tags:BazaLoader BazarLoader exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
211
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
4dfs1dfs.exe
Verdict:
Malicious activity
Analysis date:
2021-02-09 18:01:49 UTC
Tags:
trojan trickbot loader
Link:
https://app.any.run/tasks/c3cc5417-834f-4683-9b42-6a7d5f14e09a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36319031.25667.5103.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
DNS request
Sending a UDP request
Transferring files using the Background Intelligent Transfer Service (BITS)
Sending a custom TCP request
Launching the default Windows debugger (dwwin.exe)
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/603423
Signature
Allocates memory in foreign processes
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3bc43c7980c782e88a508e0a94767f5776f3bd79a94b4ce5630b3927af27fde1/
Threat name:
Win32.Trojan.Bazarldr
Create hunting rule
Status:
Malicious
First seen:
2021-02-09 07:01:13 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=hpcdy6may6borcsqryfji5t7k53phplzvffuzzldbm4splzh7xqq._file
Verdict:
malicious
Similar samples:
1f9285b8391683d7ca32a5cbcea8392d6e0643e21ffefd4bc87ad041bc30916c
Conti
3a6e8f5a226edc006e29e38c48eaa721c12e48953abd56dcbc9b241975631247
Conti
40f84567acadf100bcba7cbe74cb927eb2ec8cc3203c7663a5c05a655fa469a6
Conti
6746b12200fed6aeb1764594c84ecd3485e74114325c150ba41d12c555b182eb
Conti
7bc9d1453bb84033fd82500f10db64cbf221c4286ed3eba7928249dae6d67675
Conti
9a3467911eaf0122aade59ef8636d005f251ef1e6fb23295bdac92376ae0fb82
Conti
cb0373b35abf4b089be60e714ee415d3491ddc2cffcfb45b84a87a3a106c822f
Conti
cb76c19c178a71a5115ee308b51de416255de06d4e8226fdda8e59275a519c14
Conti
dc0715adb07b65af47d660aa7582f9ecdfc770606f1a852fe1aa7a643bba7543
Conti
e7e4c086f54086b129715c584777c2d920a9443a6ba85d4ea5e6d63b8eeb5b9e
Conti
Result
Malware family:
bazarbackdoor
Create hunting rule
Score:
  10/10
Tags:
family:bazarbackdoor backdoor
Link:
https://tria.ge/reports/210209-h1nbntetgj/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Blocklisted process makes network request
BazarBackdoor
Unpacked files
SH256 hash:
793cd94427ec5b5d2d206c1b41cb55a7150c83f12cf86a165b2094bff58ec735
MD5 hash:
ae2fba237175aee3e525d29a0670a0d1
SHA1 hash:
165a9bd22f78066748194ee69935f77cefa232d6
Link:
https://www.unpac.me/results/f2b0b2f1-576e-4c56-8b5e-c5dfdd03a123/
SH256 hash:
3bc43c7980c782e88a508e0a94767f5776f3bd79a94b4ce5630b3927af27fde1
MD5 hash:
b499d236d535cc3029c2211162c0726b
SHA1 hash:
5885fed529eb5ad75a5e38e91c201a368053c28d
Link:
https://www.unpac.me/results/f2b0b2f1-576e-4c56-8b5e-c5dfdd03a123/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Backdoor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3bc43c7980c782e88a508e0a94767f5776f3bd79a94b4ce5630b3927af27fde1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Conti
Create hunting rule
Author:kevoreilly
Description:Conti Ransomware

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Conti

Executable exe 3bc43c7980c782e88a508e0a94767f5776f3bd79a94b4ce5630b3927af27fde1

(this sample)

  
X
https://twitter.com/FewAtoms/status/1359179536177520642
  
Delivery method
Distributed via web download

Comments