MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 485a3c191731de674005bf28bb644672cfcc1bad58abb9b7d0f36d71d2973067. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 485a3c191731de674005bf28bb644672cfcc1bad58abb9b7d0f36d71d2973067
SHA3-384 hash: 81fd1d7b8bffa00ec79bda97885ef030eb50f659aa5ee5950c02e3ff2425160782cfc0b1b4335671fe20dbfaa09c8ea6
SHA1 hash: 4e0d78a949fb7f5865ea981c64163d7870684b8d
MD5 hash: dc667ed66aae40d48560988fa222000d
humanhash: oscar-echo-fix-crazy
File name:peju3.dll
Download: download sample
Signature BazaLoader
Create hunting rule
File size:860'292 bytes
First seen:2021-10-22 13:54:14 UTC
Last seen:2021-10-22 15:15:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b1fcbcae8023f460c7296a86404de9d2 (2 x BazaLoader)
ssdeep 12288:U0DgYq89aJyKXwAmliposlBT0sVxVTJU7RnVhGqYtZsUSdEPGR:U0DgRiUAzFsD35TJU7RnzS3sUcR
TLSH T1C6057C0AF7F84776D052827DC9938A8BE7F17CC58A70834B5291536E1E337919A3B326
File icon (PE):PE icon
dhash icon 79756cecb29999b9 (734 x Heodo, 20 x Nitol, 20 x ManusCrypt)
Reporter James_inthe_box
Tags:BazaLoader dll exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
215
Origin country :
n/a
Vendor Threat Intelligence
Detection:
bazarbackdoor
Create hunting rule
Link:
https://www.capesandbox.com/analysis/199401/
Detection(s):
SecuriteInfo.com.LresultFromObject.17697.14045.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
greyware keylogger overlay packed
Link:
https://www.filescan.io/uploads/6172c2b89a5a1e91c5cf4d7d/reports/70ea83c5-9c4e-44ef-9678-837a9d9e55a9/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/8d948dd3-7c68-4d17-b36e-c433e54548ff
Result
Threat name:
Bazar Loader
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/875294
Signature
Allocates memory in foreign processes
Detected Bazar Loader
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 507725 Sample: peju3.dll Startdate: 22/10/2021 Architecture: WINDOWS Score: 76 38 Detected Bazar Loader 2->38 40 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->40 7 loaddll64.exe 1 2->7         started        9 regsvr32.exe 2->9         started        process3 process4 11 regsvr32.exe 13 7->11         started        15 iexplore.exe 1 74 7->15         started        17 cmd.exe 1 7->17         started        19 rundll32.exe 7->19         started        dnsIp5 34 164.90.191.46, 443, 49766 DIGITALOCEAN-ASNUS United States 11->34 42 System process connects to network (likely due to code injection or exploit) 11->42 44 Writes to foreign memory regions 11->44 46 Allocates memory in foreign processes 11->46 48 2 other signatures 11->48 21 chrome.exe 11->21         started        36 192.168.2.1 unknown unknown 15->36 23 iexplore.exe 2 161 15->23         started        26 rundll32.exe 17->26         started        signatures6 process7 dnsIp8 28 dart.l.doubleclick.net 172.217.168.38, 443, 49824, 49825 GOOGLEUS United States 23->28 30 prod.appnexus.map.fastly.net 151.101.1.108, 443, 49826, 49827 FASTLYUS United States 23->30 32 14 other IPs or domains 23->32
Gathering data
Verdict:
malicious
Result
Malware family:
bazarloader
Create hunting rule
Score:
  10/10
Tags:
family:bazarloader dropper loader
Link:
https://tria.ge/reports/211022-q74s6acfbl/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Bazar/Team9 Loader payload
Bazar Loader
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
485a3c191731de674005bf28bb644672cfcc1bad58abb9b7d0f36d71d2973067
MD5 hash:
dc667ed66aae40d48560988fa222000d
SHA1 hash:
4e0d78a949fb7f5865ea981c64163d7870684b8d
Link:
https://www.unpac.me/results/c940e3aa-7125-4647-be5e-d735f3b50c65/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/485a3c191731de674005bf28bb644672cfcc1bad58abb9b7d0f36d71d2973067

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/199401/

Comments