MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5afed1ccccb12db0f6da9f25c43d10b4e63995881b65526004cd6f6a390c792d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5afed1ccccb12db0f6da9f25c43d10b4e63995881b65526004cd6f6a390c792d
SHA3-384 hash: 642e210e8cc984ef0abf9f2f0753b5b62dcd03c3c56a8d538bc5399456dc885504ba02ab1ae9543ebc584a9d222dc3fa
SHA1 hash: dcd717e5262762b11d1ffe2465c4bce71bf44d18
MD5 hash: 8f216511aa115a119ee15a10d067e8f2
humanhash: happy-snake-missouri-pasta
File name:8f216511aa115a119ee15a10d067e8f2.dll
Download: download sample
Signature BazaLoader
Create hunting rule
File size:1'104'896 bytes
First seen:2021-07-19 15:19:09 UTC
Last seen:2021-07-19 15:37:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 11816731f87952ce23da086b67eb30cb (2 x BazaLoader, 1 x Heodo)
ssdeep 12288:FnZXf44ytVS7r/5HD76bHb2mX9K2QgXoILaFdCaBSPZC1XZga5D:9ZXqQFD7KHlK21oIgIyXya5D
Threatray 213 similar samples on MalwareBazaar
TLSH T1F3354A157DE124BAC13EE132889693A136327C6947323BD71F8166B91AB4FF47A3D324
Reporter abuse_ch
Tags:BazaLoader dll exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
138
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8f216511aa115a119ee15a10d067e8f2.dll
Verdict:
No threats detected
Analysis date:
2021-07-19 15:22:19 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/bf02a389-ebf6-446d-8c7b-947185cbb562

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172570/
Detection(s):
SecuriteInfo.com.Trojan.Win64.Ligooc.dm.28823.20278.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/e290a475-93e1-413a-9457-abab724c4f63
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad.troj
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/818340
Signature
Allocates memory in foreign processes
Injects a PE file into a foreign processes
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: CobaltStrike Load by Rundll32
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 450751 Sample: WOVngDEXHM.dll Startdate: 19/07/2021 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 Sigma detected: CobaltStrike Load by Rundll32 2->39 41 Sigma detected: Suspicious Svchost Process 2->41 7 loaddll64.exe 1 2->7         started        9 rundll32.exe 2->9         started        process3 process4 11 rundll32.exe 15 7->11         started        15 rundll32.exe 7->15         started        17 cmd.exe 1 7->17         started        19 16 other processes 7->19 dnsIp5 33 35.165.197.209, 443, 49716 AMAZON-02US United States 11->33 51 System process connects to network (likely due to code injection or exploit) 11->51 53 Sets debug register (to hijack the execution of another thread) 11->53 55 Writes to foreign memory regions 11->55 57 4 other signatures 11->57 21 svchost.exe 17 11->21         started        25 WerFault.exe 15->25         started        27 rundll32.exe 17->27         started        signatures6 process7 dnsIp8 29 3.101.57.185, 443, 49726, 49729 AMAZON-02US United States 21->29 31 myexternalip.com 34.117.59.81, 443, 49753 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 21->31 43 System process connects to network (likely due to code injection or exploit) 21->43 45 May check the online IP address of the machine 21->45 47 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 21->47 49 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 21->49 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5afed1ccccb12db0f6da9f25c43d10b4e63995881b65526004cd6f6a390c792d/
Threat name:
Win64.Trojan.BazarLoader
Create hunting rule
Status:
Malicious
First seen:
2021-07-16 03:05:15 UTC
AV detection:
13 of 28 (46.43%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ll7ndtgmwew3b5w2t4s4ipiqwttdtfmidnsveyaezvxwuoimpewq._file
Verdict:
malicious
Similar samples:
2596ad5fce328fb8b5211941a28d8a7b9f3723dead923b7dfcde21154356f141
BazaLoader
35b236fbe87c82a8481485fcf00f3a08749e7a7b49bb2adbd6729c72906a1a60
BazaLoader
5090fa74f83368086c1d197dcd28e51f8b36cd5d2c18e9a964d925a445ea0066
BazaLoader
665d2cbbe026c961b1506f5d45205959c817c7b69af4106a40e74186cee6eb94
BazaLoader
6c710694d270db91b550daf3177622514d2444e7484fb7a16aa2651cc20eb981
BazaLoader
842e396f05d590ec88da30e6180dfb29a7aec16e3ef5b49398fde8b79e4090bd
BazaLoader
8c281412e64050c64d1e734d844ecc6a94e7187378365d5d9ade89e67871d20e
BazaLoader
8f9b032ff6f56a685f4c6f9eb57784811d6c98aa83b0c6371e81814edbcd2738
BazaLoader
ab1e662e687e0293800456f457071b61b659f4b247583ecfcda1a6584a0b16dd
BazaLoader
fd001fb71e9faa68c6e53162ed0554fd6f16a0e381aa280cea397b3d74bb62eb
BazaLoader
+ 203 additional samples on MalwareBazaar
Result
Malware family:
bazarloader
Create hunting rule
Score:
  10/10
Tags:
family:bazarbackdoor family:bazarloader backdoor dropper loader
Link:
https://tria.ge/reports/210719-swgkkn8er6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Blocklisted process makes network request
Bazar/Team9 Backdoor payload
Bazar/Team9 Loader payload
Bazar Loader
BazarBackdoor
Unpacked files
SH256 hash:
5afed1ccccb12db0f6da9f25c43d10b4e63995881b65526004cd6f6a390c792d
MD5 hash:
8f216511aa115a119ee15a10d067e8f2
SHA1 hash:
dcd717e5262762b11d1ffe2465c4bce71bf44d18
Link:
https://www.unpac.me/results/d0311dfd-0e04-4f47-8c45-2630867d09b2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.30
Link:
https://yomi.yoroi.company/submissions/5afed1ccccb12db0f6da9f25c43d10b4e63995881b65526004cd6f6a390c792d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:GoBinTest
Create hunting rule
Rule name:golang
Create hunting rule
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/172570/

Comments