MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 5b05cae0880543c3adc28a2d5a45af4931de6d2b4197d2d3c26e4471dd4cf2a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 5b05cae0880543c3adc28a2d5a45af4931de6d2b4197d2d3c26e4471dd4cf2a8
SHA3-384 hash: c2104b363e7d1658c811d1497ac85cb601b9296e595f4f7356688752678004c616a723d8cda31bfdeadc52fe2cc9107e
SHA1 hash: 45d3efcc0188e495aef8cd5b7ed6e0731b2fc594
MD5 hash: e31198c0a7e97c0584ad38f2c66d01b1
humanhash: lima-delaware-low-gee
File name:SecuriteInfo.com.VHO.Trojan-Dropper.Win32.Dapato.gen.22970.32639
Download: download sample
Signature BazaLoader
Create hunting rule
File size:201'216 bytes
First seen:2021-04-16 01:17:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash c1bf70b0284697c622bf36c94d083845 (1 x BazaLoader)
ssdeep 6144:VdgxX4K3UMRIzHok07anvXHGr+sU8bar:VCXTFREvXHGr+kw
Threatray 38 similar samples on MalwareBazaar
TLSH E3148D42F2E510FAE43BC63989515626FB3238326734DF1F47A047629E32BD19E2EB15
Reporter SecuriteInfoCom
Tags:BazaLoader

Intelligence

File Origin
# of uploads :
1
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.VHO.Trojan-Dropper.Win32.Dapato.gen.22970.32639
Verdict:
No threats detected
Analysis date:
2021-04-16 01:27:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5649e79a-9c8c-4986-91aa-bc066bb444f3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/135677/
Detection(s):
SecuriteInfo.com.VHO.Trojan-Dropper.Win32.Dapato.gen.22970.32639.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/679000
Signature
Allocates memory in foreign processes
Contains functionality to compare user and computer (likely to detect sandboxes)
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sets debug register (to hijack the execution of another thread)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/5b05cae0880543c3adc28a2d5a45af4931de6d2b4197d2d3c26e4471dd4cf2a8/
Threat name:
Win64.Trojan.Razy
Create hunting rule
Status:
Malicious
First seen:
2021-04-15 23:28:21 UTC
File Type:
PE+ (Exe)
Extracted files:
4
AV detection:
10 of 47 (21.28%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=lmc4vyeiavb4hlocriwvurnpjey543jligl5fu6cnzchdxkm6kua._file
Verdict:
malicious
Similar samples:
093f2b5a9d4628d9331751d7e6d3582cf097ab3f4091463ec895052dee8d22c3
BazaLoader
7853a7780ad43f72a514ed0ad5a1f8f53f9d3470bbdb396a243091017002d84a
BazaLoader
799016c221ca00a1888ac6db3dbbc9e81f53870e3ce154e0e4020009da1fc0a6
BazaLoader
7b86d02140dd6e4b537d1ca6a7a7ec8df70caaece6db092b13da58633f055f9d
BazaLoader
85ef348d39610c1d5f58e2524c0e929ec815a9fbe1f5924cdef7a0c05e58e5ad
BazaLoader
8dce89b8bd4dc3ed1a56c6742dce5adb92365efd4a8be103dfc0995dee92b06e
BazaLoader
a3b2528b5e31ab1b82e68247a90ddce9a1237b2994ec739beb096f71d58e3d5b
BazaLoader
c6964b25bb2cb50f34145266c6143c96c530690274270058551e67ab5676e9b6
BazaLoader
dfd5e26b62d9731d93b2ce8ec87bbf70fd63e4cd4e04d44dad3d82ca2f5e90fa
BazaLoader
f5d920482e18df058cc0848a4e96d06af5322c05b3b61d3cf05800ab345d3edf
BazaLoader
+ 28 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210416-zsfa6c2waj/
Unpacked files
SH256 hash:
5b05cae0880543c3adc28a2d5a45af4931de6d2b4197d2d3c26e4471dd4cf2a8
MD5 hash:
e31198c0a7e97c0584ad38f2c66d01b1
SHA1 hash:
45d3efcc0188e495aef8cd5b7ed6e0731b2fc594
Link:
https://www.unpac.me/results/fdc0a479-78e9-4b15-8051-f7d560a4328f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/5b05cae0880543c3adc28a2d5a45af4931de6d2b4197d2d3c26e4471dd4cf2a8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BazaLoader

Executable exe 5b05cae0880543c3adc28a2d5a45af4931de6d2b4197d2d3c26e4471dd4cf2a8

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/135677/
  
URLhaus
https://urlhaus.abuse.ch/url/1123898/
  
Delivery method
Distributed via web download

Comments