MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6453ceabe384a96cf864d3699f39a18b33775dd1339524fe337b525da5727aa9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BazaLoader

Vendor detections: 7

SHA256 hash: 6453ceabe384a96cf864d3699f39a18b33775dd1339524fe337b525da5727aa9
SHA3-384 hash: caf8360f7fc72672449cbccc6627c8647dc03fceb044f3b0471186811ba8213886a0f2834ec5a32471b1821654f81033
SHA1 hash: da5c234a0ba6570c6617e8fd4b89af5d624707a2
MD5 hash: b78aa5fc9bac26141f7cb3079bab900c
humanhash: virginia-oxygen-purple-fifteen
File name: triage_dropped_file
Signature BazaLoader
File size: 476'287 bytes
First seen: 2021-08-26 14:35:40 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 35890417b8426ce9add593489cc763e0 (5 x BazaLoader)
ssdeep 6144:MH9wwMZWjYVYbxiLlxrifcqhLxSOldE8zUH5h+pR5296Sm3iG0hjwR45Mw/YogcV:okFdK2aUpSFCp0LcjzCemnkHp
Threatray 59 similar samples on MalwareBazaar
TLSH T1BCA4AD4ACCC5EB87FD65883DECD862A6C5536B3C4E7EEAF768E4A03075240B98857113
Reporter malwarelabnet
Tags: BazaLoader BazarBackdoor exe

Intelligence
File Origin
# of uploads:
1
# of downloads:
253
Origin country:
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
triage_dropped_file
Verdict:
No threats detected
Analysis date:
2021-08-26 14:38:37 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Transferring files using the Background Intelligent Transfer Service (BITS)
Connection attempt
Sending a custom TCP request
DNS request
Sending a UDP request
Launching a process
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Malware family:
BazarBackdoor
Verdict:
Malicious
Result
Threat name:
Bazar Loader
Detection:
malicious
Classification:
spre.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Detected Bazar Loader
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Performs a network lookup / discovery via net view
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: CobaltStrike Load by Rundll32
Sigma detected: Dridex Process Pattern
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Behaviour
Behavior Graph: [rendered graph not captured; Behavior Graph ID 472283, sample triage_dropped_file, start date 26/08/2021, architecture WINDOWS, score 100]
Result
Malware family:
bazarbackdoor
Score:
10/10
Tags:
family:bazarbackdoor backdoor
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Bazar/Team9 Backdoor payload
BazarBackdoor
Unpacked files
SHA256 hash:
6453ceabe384a96cf864d3699f39a18b33775dd1339524fe337b525da5727aa9
MD5 hash:
b78aa5fc9bac26141f7cb3079bab900c
SHA1 hash:
da5c234a0ba6570c6617e8fd4b89af5d624707a2
Malware family:
BazarLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information
The table below shows additional information about this malware sample such as delivery method and external references.

Comments