MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a5f37ff394af7a750b1933c3e77b927043e933bfa715c917c824fbc645c940c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a5f37ff394af7a750b1933c3e77b927043e933bfa715c917c824fbc645c940c
SHA3-384 hash: c545e9349067baef36b2e479d1936806c2dd7428d5241e1fd627cb1165216c18bf472f463f5f263cc9595dfd80c9df04
SHA1 hash: 407852c802d47e368f8e92a14c3b107eb34ec68b
MD5 hash: e213401158fcd632f758cd8bda224c7a
humanhash: zebra-network-steak-pasta
File name:resource.dll
Download: download sample
Signature BazaLoader
Create hunting rule
File size:421'376 bytes
First seen:2021-12-07 23:28:49 UTC
Last seen:2021-12-08 01:35:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d4755b9a9aec93c05c955ca11140bdc5 (8 x BazaLoader, 3 x IcedID)
ssdeep 12288:u/7JaU00nZM7ct5bfWf59PbHRE0QKQpq5XN+46YCAj:uDJznZ2cTbSrO0QKQpq5XNOAj
Threatray 24 similar samples on MalwareBazaar
TLSH T154948D78AB5808E5C7EAD776456B39F4637332D30AC39E9D019D73C20E2B3626F59A04
Reporter N3utralZ0ne
Tags:BazaLoader exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
resource.dll
Verdict:
No threats detected
Analysis date:
2021-12-07 23:33:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/80002923-906f-4597-8ec7-e828dd95668b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/212294/
Detection(s):
SecuriteInfo.com.UDS.Trojan.Win32.Injector.9.24281.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Result
Malware family:
n/a
Score:
  6/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/1272/overview
Behaviour
MalwareBazaar
MeasuringTime
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
greyware
Link:
https://www.filescan.io/uploads/61afee404d8e6f3a5e1814db/reports/0407a0e0-d842-4b49-9054-05773140d6a8/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/bc2839b5-57b7-4c0b-ae98-e35a20ed2fac
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/903521
Signature
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 535999 Sample: resource.dll Startdate: 08/12/2021 Architecture: WINDOWS Score: 68 30 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->30 7 loaddll64.exe 1 2->7         started        9 rundll32.exe 2->9         started        process3 process4 11 rundll32.exe 13 7->11         started        15 cmd.exe 1 7->15         started        17 rundll32.exe 7->17         started        19 4 other processes 7->19 dnsIp5 28 87.120.37.71, 443, 49734 NETERRA-ASBG Bulgaria 11->28 32 System process connects to network (likely due to code injection or exploit) 11->32 34 Writes to foreign memory regions 11->34 36 Allocates memory in foreign processes 11->36 38 2 other signatures 11->38 21 chrome.exe 13 11->21         started        24 rundll32.exe 15->24         started        signatures6 process7 dnsIp8 26 87.120.37.64, 443, 49867 NETERRA-ASBG Bulgaria 21->26
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4a5f37ff394af7a750b1933c3e77b927043e933bfa715c917c824fbc645c940c/
Threat name:
Win64.Trojan.BazarLoader
Create hunting rule
Status:
Malicious
First seen:
2021-12-07 23:29:10 UTC
File Type:
PE+ (Dll)
AV detection:
18 of 28 (64.29%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
icedid
Create hunting rule
Similar samples:
02c8c4d08cdd2bc230e6ed2676d20867eb4fb733bf254432ac6d339d7406b8f9
BazaLoader
03212850d80dd26f4b6706024516f1834e7b8ae9fc31231b2a624106242c4838
BazaLoader
14cc39c7804ff5f599fc801d763a7973f5a99a0d510327a86b1b3f0f25a8fe49
BazaLoader
2329018641118f8138f32a49b862312cb416c939854bb8fc953e08a5e25ced1d
BazaLoader
46e596461f8ee1fd4d63bd1a2e7366a938e06f19750cfc90a9609edbce7381a1
BazaLoader
714616fe3515adc2c2b44781aed900a9e8e37cc4e7239be92f1ca668f40945bd
BazaLoader
d077743292e27a294562add0dae83490213912881c34ee083c2e8b32899eda30
BazaLoader
d1c628414464ca89e07404650c490ca1e3dfab596b4ec603e3811d37f48bbf7c
BazaLoader
+ 14 additional samples on MalwareBazaar
Result
Malware family:
bazarloader
Create hunting rule
Score:
  10/10
Tags:
family:bazarloader dropper loader
Link:
https://tria.ge/reports/211207-3gj3aagec5/
Behaviour
Blocklisted process makes network request
Bazar/Team9 Loader payload
Bazar Loader
Unpacked files
SH256 hash:
4a5f37ff394af7a750b1933c3e77b927043e933bfa715c917c824fbc645c940c
MD5 hash:
e213401158fcd632f758cd8bda224c7a
SHA1 hash:
407852c802d47e368f8e92a14c3b107eb34ec68b
Link:
https://www.unpac.me/results/a74cf0be-b29b-44c5-8fd6-69bb3a329c44/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4a5f37ff394af7a750b1933c3e77b927043e933bfa715c917c824fbc645c940c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SPLCrypt
Create hunting rule
Author:James Quinn, Binary Defense
Description:Identifies SPLCrypt, a new crypter associated with Bazaloader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/212294/

Comments