MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5a7d360225defcc80b5d30efb865f76d377aaa044b5ec42c2c40a3359c968f3e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5a7d360225defcc80b5d30efb865f76d377aaa044b5ec42c2c40a3359c968f3e
SHA3-384 hash: d37fdd7b99eb17248ce40f38e7ac2544f8f72fdce382f9c0cc6105abfa77dc28306de10c5976a4489bf60fe861efaa04
SHA1 hash: 70c164d08608478ba36e1479f0277dffc4fd951f
MD5 hash: 6bf2a52b5755de865d691045806936f9
humanhash: tennis-solar-california-failed
File name:6bf2a52b5755de865d691045806936f9.dll
Download: download sample
Signature BazaLoader
Create hunting rule
File size:361'472 bytes
First seen:2021-10-15 18:08:10 UTC
Last seen:2021-10-15 19:07:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 180d12f9cbd4e7ad2758d212b7c02930 (1 x BazaLoader)
ssdeep 6144:pHJGKt24zrhvsoWb9BHohiA2lZYjQ7B6TuvJ0VPRevpyB4LvW:pHkKFBsoeoV2lZYs7Duap
Threatray 31 similar samples on MalwareBazaar
TLSH T1AE74BF5932940CB9ECB74139C8535946E672BC164731DABF03A0436ADF2F7E1693EB21
Reporter abuse_ch
Tags:BazaLoader dll exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
262
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
6bf2a52b5755de865d691045806936f9.dll
Verdict:
No threats detected
Analysis date:
2021-10-15 18:16:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b24933b9-7cf9-4cff-bff7-f698bc6721af

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Bazar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/197803/
Detection(s):
SecuriteInfo.com.generic.ml.9377.23868.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Transferring files using the Background Intelligent Transfer Service (BITS)
Launching a process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6169c3c09a5a1e91c5c0fa13/reports/f67b8565-67a4-4af6-9f82-0ebc40bb274d/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BazarBackdoor
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/779f2847-7c89-416a-b296-43e918aa4fd6
Result
Threat name:
Bazar Loader
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/871287
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Detected Bazar Loader
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 503711 Sample: vdbb9MZTVz.dll Startdate: 15/10/2021 Architecture: WINDOWS Score: 96 44 Multi AV Scanner detection for submitted file 2->44 46 Detected Bazar Loader 2->46 48 Sigma detected: Suspicious Svchost Process 2->48 8 loaddll64.exe 1 2->8         started        10 rundll32.exe 2->10         started        process3 process4 12 cmd.exe 1 8->12         started        14 iexplore.exe 1 73 8->14         started        16 regsvr32.exe 8->16         started        18 2 other processes 8->18 process5 20 rundll32.exe 14 12->20         started        24 iexplore.exe 2 162 14->24         started        dnsIp6 30 64.225.98.255, 443, 49749 DIGITALOCEAN-ASNUS United States 20->30 50 System process connects to network (likely due to code injection or exploit) 20->50 52 Contains functionality to inject code into remote processes 20->52 54 Sets debug register (to hijack the execution of another thread) 20->54 56 5 other signatures 20->56 26 svchost.exe 20->26         started        32 edge.gycpi.b.yahoodns.net 87.248.118.22, 443, 49848, 49849 YAHOO-DEBDE United Kingdom 24->32 34 cm.g.doubleclick.net 172.217.168.34, 443, 49791, 49792 GOOGLEUS United States 24->34 36 29 other IPs or domains 24->36 signatures7 process8 dnsIp9 38 87.248.100.214, 443, 50495, 50498 YAHOO-IRDGB United Kingdom 26->38 40 new-fp-shed.wg1.b.yahoo.com 87.248.100.215, 443, 49894, 49929 YAHOO-IRDGB United Kingdom 26->40 42 9 other IPs or domains 26->42 58 System process connects to network (likely due to code injection or exploit) 26->58 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5a7d360225defcc80b5d30efb865f76d377aaa044b5ec42c2c40a3359c968f3e/
Verdict:
malicious
Similar samples:
1f136522cc2cdea93e2086aa67ab07102bcef7e31b201489b43707986824b3f8
BazaLoader
542ef83f25fbe709d0eb6666fe9615d15a96e87dcd3f2e270a40a6ed9e017f12
BazaLoader
6453ceabe384a96cf864d3699f39a18b33775dd1339524fe337b525da5727aa9
BazaLoader
8b00e9220d23392c11ef9d92a97a7240205bfd27981dccab0828fb358242ca02
BazaLoader
8ea46ac64f5af7bb295a8b784738fc11fc0fde1543d7da43c0f97f88950185c4
BazaLoader
ed0c061e3de7a017b87fab71f5b1d9e9fe8b8ac416e7d9840fd59d198b4869cb
BazaLoader
fb46649e51c1b2fc47d3bc0a129563c7bcb6f7e5353d46e0a0bd2f1205d675b9
BazaLoader
+ 21 additional samples on MalwareBazaar
Result
Malware family:
bazarloader
Create hunting rule
Score:
  10/10
Tags:
family:bazarbackdoor family:bazarloader backdoor dropper loader
Link:
https://tria.ge/reports/211015-wrfpaabcb3/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Bazar/Team9 Backdoor payload
Bazar/Team9 Loader payload
Bazar Loader
BazarBackdoor
Unpacked files
SH256 hash:
5a7d360225defcc80b5d30efb865f76d377aaa044b5ec42c2c40a3359c968f3e
MD5 hash:
6bf2a52b5755de865d691045806936f9
SHA1 hash:
70c164d08608478ba36e1479f0277dffc4fd951f
Link:
https://www.unpac.me/results/8de31420-98fb-4ac5-8849-62fcb59e8bff/
Malware family:
BazarLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/5a7d360225de/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5a7d360225defcc80b5d30efb865f76d377aaa044b5ec42c2c40a3359c968f3e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BazaLoader

Executable exe 5a7d360225defcc80b5d30efb865f76d377aaa044b5ec42c2c40a3359c968f3e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1680842/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/197803/

Comments