MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3dbab512123a36954684474e9a9f5502aa9edf0228a4df8f0cb33e328890d33b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BazaLoader

Vendor detections: 7


SHA256 hash: 3dbab512123a36954684474e9a9f5502aa9edf0228a4df8f0cb33e328890d33b
SHA3-384 hash: e45b1738ab267f8606860ef3e17e5aceec733acd00b140f5d392800db98fea3428364028fd674e00aa9f47a3da4aa7ee
SHA1 hash: 2797fa0bcb834e4d52c068d266ada43f315ca59e
MD5 hash: d2749c21fa8671e75cd147380ff110e0
humanhash: papa-network-double-fifteen
File name: d2749c21fa8671e75cd147380ff110e0
Signature: BazaLoader
File size: 376'320 bytes
First seen: 2021-04-01 17:43:23 UTC
Last seen: 2021-04-01 20:51:44 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2de0725e4eedc6f70b07cc6f3c2e3b4e (1 x BazaLoader)
ssdeep: 6144:BABatTx4LuLbY0xtTZrLRcBDrh15kk5XvI9eNtlhzQKOR64sWkxfkEW5sX2Lg:qc4utt95cBX8ejWT9kvW5s
Threatray: 116 similar samples on MalwareBazaar
TLSH: 8F84E14792A631E8E1A29A3590641D0CD771FC352725DF6F474832D1AF776A08E3EF22
Reporter: Cryptolaemus1
Tags: BazaLoader BazarCall BazarLoader exe openfield

Intelligence

File Origin
# of uploads: 2
# of downloads: 212
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: d2749c21fa8671e75cd147380ff110e0
Verdict: No threats detected
Analysis date: 2021-04-01 18:15:01 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Suspicious
Maliciousness:

Behaviour
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Launching a process
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Bazar Loader
Detection: malicious
Classification: troj.spyw.evad
Score: 84 / 100
Signature
Creates multiple autostart registry keys
Detected Bazar Loader
Detected unpacking (creates a PE file in dynamic memory)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to resolve many domain names, but no domain seems valid
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph: ID 380232 (sample Ei8IYTWG2j, start date 01/04/2021, architecture WINDOWS, score 84); graph rendering not reproduced here.
Threat name: Win64.Malware.Generic
Status: Suspicious
First seen: 2021-04-01 17:44:13 UTC
AV detection: 4 of 29 (13.79%)
Threat level: 2/5

Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash: 3dbab512123a36954684474e9a9f5502aa9edf0228a4df8f0cb33e328890d33b
MD5 hash: d2749c21fa8671e75cd147380ff110e0
SHA1 hash: 2797fa0bcb834e4d52c068d266ada43f315ca59e

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: BazaLoader
File type: Executable exe
SHA256 hash: 3dbab512123a36954684474e9a9f5502aa9edf0228a4df8f0cb33e328890d33b (this sample)

Delivery method: Distributed via web download
