MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67ee427939dfeb762770f0941f62abeb0113769d3af995b82ad3eae515363d5c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BazaLoader


Vendor detections: 7



SHA256 hash: 67ee427939dfeb762770f0941f62abeb0113769d3af995b82ad3eae515363d5c
SHA3-384 hash: 3a727aebd0cf58fcc68046cac79a095fdce4ceac4134dd030a18ccaa6dd721e817f9f48d8a2e2f65bf155fbe1c2643d4
SHA1 hash: ae9c8cb0dd61dd346c44947d6cea62f3922adcb1
MD5 hash: a65e8afb357cc7e47154244bd628fb69
humanhash: sixteen-autumn-blossom-purple
File name: 67ee427939dfeb762770f0941f62abeb0113769d3af995b82ad3eae515363d5c
Signature BazaLoader
File size: 832'512 bytes
First seen: 2021-05-18 20:53:11 UTC
Last seen: 2021-05-18 21:44:09 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash 05e395fe8493d6dfa71b416bc932eb12 (1 x BazaLoader)
ssdeep 12288:iElzs6OvC0QWk+r5nJKqeWHWCa0ha+HjJlMif1u+IWum:iEzs60ChW9r5nJKqeWHY0QKjMif1uf
Threatray 96 similar samples on MalwareBazaar
TLSH 5E058C83F7F552F5D0BBD5388DA2134AA9B13858973993CB6154C9190B33BE8AB3D321
Reporter Anonymous
Tags:BazaLoader BazarLoader

Intelligence


File Origin
# of uploads: 3
# of downloads: 136
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 67ee427939dfeb762770f0941f62abeb0113769d3af995b82ad3eae515363d5c
Verdict: No threats detected
Analysis date: 2021-05-18 20:54:40 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a custom TCP request
Sending a UDP request
DNS request
Sending an HTTP GET request
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Bazar Loader
Detection: malicious
Classification: troj.spyw.evad
Score: 76 / 100
Signature
Detected Bazar Loader
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to resolve many domain names, but no domain seems valid
Behaviour
Behavior Graph:
Behavior Graph ID: 416755, sample t1Zvr4oI5o, start date 18/05/2021, architecture WINDOWS, score 76. The graph image is not reproduced; its recoverable content is:
Process tree: start -> loaddll64.exe -> regsvr32.exe, iexplore.exe, rundll32.exe and 4 other processes; iexplore.exe -> a second iexplore.exe; rundll32.exe -> WerFault.exe; one of the 4 other processes -> rundll32.exe.
Network, from the initial stage: udaravre.bazar, evysavre.bazar and 18 other IPs or domains.
Network, from regsvr32.exe: yzivwyvi.bazar, ywteavvi.bazar and 310 other IPs or domains.
Network, from the second iexplore.exe: waatavom.bazar, img.img-taboola.com and 10 other IPs or domains.
Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) and Multi AV Scanner detection for submitted file (on the sample); Detected Bazar Loader (on evysavre.bazar and regsvr32.exe); System process connects to network (likely due to code injection or exploit) (on regsvr32.exe); Tries to resolve many domain names, but no domain seems valid (on evysavre.bazar, ywteavvi.bazar and waatavom.bazar).
Threat name: Win64.Trojan.Generic
Status: Suspicious
First seen: 2021-05-13 23:37:38 UTC
AV detection: 7 of 29 (24.14%)
Threat level: 5/5
Result
Malware family: bazarloader
Score: 10/10
Tags: family:bazarloader dropper loader
Behaviour
Looks up external IP address via web service
Tries to connect to .bazar domain
Bazar/Team9 Loader payload
Bazar Loader
Please note that we are no longer able to provide a coverage score for Virus Total.
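Two of the network behaviours the sandboxes report above (queries for .bazar names, and one client resolving many names none of which is valid) are straightforward to turn into log-side detection. The following Python is an added example written for this page, not code from MalwareBazaar or any of the sandbox vendors. The DNS log format, the client addresses and the NXDOMAIN threshold are assumptions; the .bazar names are the ones shown in the behaviour graph above.

```python
"""Detection over DNS query logs for two behaviours reported in this entry:
queries for the ".bazar" TLD, and a client that resolves many names with no
valid answer. Added example, not MalwareBazaar or sandbox-vendor code."""
import re
from collections import Counter, defaultdict

# Constructed sample log lines. Assumed format: "<ts> <client_ip> <qname> <rcode>".
# The .bazar names come from the behaviour graph on this entry; the client
# addresses are made up.
SAMPLE_LOG = """\
2021-05-18T20:55:01Z 10.0.0.7 udaravre.bazar NXDOMAIN
2021-05-18T20:55:01Z 10.0.0.7 evysavre.bazar NXDOMAIN
2021-05-18T20:55:02Z 10.0.0.7 yzivwyvi.bazar NXDOMAIN
2021-05-18T20:55:02Z 10.0.0.7 ywteavvi.bazar. NXDOMAIN
2021-05-18T20:55:03Z 10.0.0.7 waatavom.bazar NXDOMAIN
2021-05-18T20:55:03Z 10.0.0.7 img.img-taboola.com NOERROR
2021-05-18T20:55:04Z 10.0.0.9 www.example.com NOERROR
2021-05-18T20:55:05Z 10.0.0.9 typo.exmaple.com NXDOMAIN
"""

# .bazar is not delegated in the ICANN root zone, so a normal resolver can
# never answer it; BazarLoader expects it to be resolved via blockchain DNS
# (EmerDNS). Any client asking for it is worth a look, whatever the rcode.
SUSPECT_TLDS = {"bazar"}
NXDOMAIN_THRESHOLD = 5  # assumed; tune to the environment's normal NXDOMAIN rate
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+([A-Z]+)$")


def parse_dns_log(text):
    """Yield (timestamp, client, qname, rcode); qname lower-cased, no trailing dot."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate junk lines instead of aborting the run
        ts, client, qname, rcode = m.groups()
        yield ts, client, qname.lower().rstrip("."), rcode


def tld_of(qname):
    """Rightmost label of a normalised query name."""
    return qname.rsplit(".", 1)[-1]


def find_suspect_tld_queries(records):
    """Every (client, qname) whose TLD is in SUSPECT_TLDS, regardless of answer."""
    return [(client, qname) for _, client, qname, _ in records
            if tld_of(qname) in SUSPECT_TLDS]


def find_nxdomain_bursts(records, threshold=NXDOMAIN_THRESHOLD):
    """Clients with at least `threshold` distinct names that failed to resolve.

    Distinct names matter: a retry loop against one dead name is not the
    "many domain names, none valid" pattern the sandbox flags."""
    failed = defaultdict(set)
    total = Counter()
    for _, client, qname, rcode in records:
        total[client] += 1
        if rcode == "NXDOMAIN":
            failed[client].add(qname)
    return {c: {"nxdomain": len(names), "total": total[c]}
            for c, names in failed.items() if len(names) >= threshold}


def analyze(text):
    """Run both detections over a log and return their findings together."""
    records = list(parse_dns_log(text))
    return {
        "suspect_tld_queries": find_suspect_tld_queries(records),
        "nxdomain_bursts": find_nxdomain_bursts(records),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

Run against the constructed log, 10.0.0.7 is reported on both counts (five .bazar queries, five distinct NXDOMAINs out of six queries) while 10.0.0.9, with a single typo lookup, is not. Feeding real resolver logs only needs parse_dns_log adjusted to the local format.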

File information



Comments



a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-18 21:00:48 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0012.001] Anti-Static Analysis::Argument Obfuscation
1) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
2) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
3) [C0052] File System Micro-objective::Writes File
4) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
5) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
6) [C0036.002] Operating System Micro-objective::Delete Registry Key::Registry
7) [C0036.007] Operating System Micro-objective::Delete Registry Value::Registry
8) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
9) [C0036.005] Operating System Micro-objective::Query Registry Key::Registry
10) [C0036.001] Operating System Micro-objective::Set Registry Key::Registry
11) [C0041] Process Micro-objective::Set Thread Local Storage Value
12) [C0018] Process Micro-objective::Terminate Process