MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 542ef83f25fbe709d0eb6666fe9615d15a96e87dcd3f2e270a40a6ed9e017f12. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 542ef83f25fbe709d0eb6666fe9615d15a96e87dcd3f2e270a40a6ed9e017f12
SHA3-384 hash: 19791e1f6382c60f08c552e9ac63c2e66c93476bdd16b715c3263bf670fe5f0568f10e40b9b14ee564f6aed065ae36ed
SHA1 hash: ec698df0bede632a8d0a3d01742d4d8f88ad1ef7
MD5 hash: 6cb719c501f0b2a917df237f37a9ccb7
humanhash: mississippi-nebraska-ohio-whiskey
File name:stopSetInstall.dll
Download: download sample
Signature BazaLoader
Create hunting rule
File size:633'983 bytes
First seen:2021-08-27 05:58:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 35890417b8426ce9add593489cc763e0 (5 x BazaLoader)
ssdeep 6144:uP1vcksbe7cp8t7tkbVr8AFq8BgoWwK8ExPSpANCR6EDAAcUtRndNu7oiyRqengk:uHLoWwkxapzR6YBtlju7oiyRZKV1yz
Threatray 61 similar samples on MalwareBazaar
TLSH T1D9D43B9E5593314AFEF14C38FDE87AA2DA932E3C8D2ADAF35991B0313D24161D857213
Reporter 0x746f6d6669
Tags:BazaLoader exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
stopSetInstall.dll
Verdict:
No threats detected
Analysis date:
2021-08-27 05:58:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/543652af-4722-4082-acfc-49fa6c37be0a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/182800/
Detection(s):
SecuriteInfo.com.Artemis6CB719C501F0.1192.24684.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Transferring files using the Background Intelligent Transfer Service (BITS)
Connection attempt
Sending a custom TCP request
Launching a process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Malware family:
BazarBackdoor
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/31f19950-1b4a-4d6c-ba3a-8db2c23a5491
Result
Threat name:
Bazar Loader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/840193
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Detected Bazar Loader
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: CobaltStrike Load by Rundll32
Sigma detected: Regsvr32 Command Line Without DLL
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to resolve many domain names, but no domain seems valid
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 472621 Sample: stopSetInstall.dll Startdate: 27/08/2021 Architecture: WINDOWS Score: 100 30 ygekvi.bazar 2->30 32 omekom.bazar 2->32 34 14 other IPs or domains 2->34 50 Sigma detected: CobaltStrike Load by Rundll32 2->50 52 Sigma detected: Suspicious Svchost Process 2->52 54 Sigma detected: Regsvr32 Command Line Without DLL 2->54 8 loaddll64.exe 1 2->8         started        10 rundll32.exe 2->10         started        signatures3 56 Detected Bazar Loader 32->56 58 Tries to resolve many domain names, but no domain seems valid 32->58 process4 process5 12 regsvr32.exe 14 8->12         started        16 iexplore.exe 1 76 8->16         started        18 cmd.exe 1 8->18         started        20 5 other processes 8->20 dnsIp6 48 94.140.112.22, 443, 49734 TELEMACHBroadbandAccessCarrierServicesSI Latvia 12->48 66 System process connects to network (likely due to code injection or exploit) 12->66 68 Contains functionality to inject code into remote processes 12->68 70 Sets debug register (to hijack the execution of another thread) 12->70 72 5 other signatures 12->72 22 svchost.exe 12->22         started        26 iexplore.exe 2 152 16->26         started        28 rundll32.exe 18->28         started        signatures7 process8 dnsIp9 36 ygwyom.bazar 22->36 38 viekre.bazar 22->38 44 135 other IPs or domains 22->44 60 System process connects to network (likely due to code injection or exploit) 22->60 62 Detected Bazar Loader 22->62 40 geolocation.onetrust.com 104.20.184.68, 443, 49711, 49712 CLOUDFLARENETUS United States 26->40 42 dart.l.doubleclick.net 172.217.168.38, 443, 49717, 49718 GOOGLEUS United States 26->42 46 12 other IPs or domains 26->46 signatures10 64 Tries to resolve many domain names, but no domain seems valid 40->64
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/542ef83f25fbe709d0eb6666fe9615d15a96e87dcd3f2e270a40a6ed9e017f12/
Verdict:
suspicious
Similar samples:
6453ceabe384a96cf864d3699f39a18b33775dd1339524fe337b525da5727aa9
BazaLoader
86d2aa04988befc74eccca5d99550f67093969b31aafa11cdce3476a4c59ba74
BazaLoader
8b00e9220d23392c11ef9d92a97a7240205bfd27981dccab0828fb358242ca02
BazaLoader
943017c3097455cb8b4659412783705b4815c7b6d68b0809ff74a44bad8beb04
BazaLoader
986d22f03f04424181bc773a42db6283722baffe40b031d97c9562ab0ed8a6ae
BazaLoader
cc27c7c159716192b33257b7941ef2a61af998a39c2da47c1c5fc8863971bb0b
BazaLoader
d15dbfb7ef0511556a3527cc98d09145a56302bdd19a6083ee6d007af3352434
BazaLoader
+ 51 additional samples on MalwareBazaar
Result
Malware family:
bazarbackdoor
Create hunting rule
Score:
  10/10
Tags:
family:bazarbackdoor backdoor
Link:
https://tria.ge/reports/210827-yzteywq6gs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Bazar/Team9 Backdoor payload
BazarBackdoor
Unpacked files
SH256 hash:
542ef83f25fbe709d0eb6666fe9615d15a96e87dcd3f2e270a40a6ed9e017f12
MD5 hash:
6cb719c501f0b2a917df237f37a9ccb7
SHA1 hash:
ec698df0bede632a8d0a3d01742d4d8f88ad1ef7
Link:
https://www.unpac.me/results/d8bb892a-7b7a-410e-8144-a1c638aa9fa1/
Malware family:
BazarLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/542ef83f25fb/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/542ef83f25fbe709d0eb6666fe9615d15a96e87dcd3f2e270a40a6ed9e017f12

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/182800/

Comments