MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 690ff4ee36a9ee03248ce8e45a605e718eb48778ffbce1b48f9a5522175ba611. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 690ff4ee36a9ee03248ce8e45a605e718eb48778ffbce1b48f9a5522175ba611
SHA3-384 hash: 2397897ff1588c2097a38942a5264771f24bfcc4840e7786cb1db90801f257aa753164e6de608468b05a56fccecb537c
SHA1 hash: 5463468effca6dab58fb83361d3019191c2f67d9
MD5 hash: 2b512d583c1e81f27c846c3ccf1b0515
humanhash: autumn-pluto-stairway-network
File name:690ff4ee36a9ee03248ce8e45a605e718eb48778ffbce1b48f9a5522175ba611
Download: download sample
Signature BazaLoader
Create hunting rule
File size:15'906'456 bytes
First seen:2020-10-20 16:47:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d3a2afb703bdefc4273681ac10f9f607 (9 x BazaLoader)
ssdeep 393216:SkAqt/8vHxlVvNJbYmb126bbQlv7gSREXQL+e5sOA:L0RlXJ0mb3Q2XV
Threatray 198 similar samples on MalwareBazaar
TLSH 22F6BE4277D68909E0A61730DDB382B81677BD519D35870F328CBA1EAFF36815C66B23
Reporter JAMESWT_WT
Tags:BazaLoader NOSOV SP Z O O signed

Code Signing Certificate

Organisation:NOSOV SP Z O O
Issuer:DigiCert EV Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:Aug 21 00:00:00 2020 GMT
Valid to:Aug 18 12:00:00 2021 GMT
Serial number: 0BAB6A2AA84B495D9E554A4C42C0126D
Intelligence: 9 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: E6FA7B4756B41B8EC049237B96A8C1DF2ADA4582E440A63D8FC3B0787C3EFEB8
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection:
BazaLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/73591/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Transferring files using the Background Intelligent Transfer Service (BITS)
DNS request
Launching cmd.exe command interpreter
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
64 / 100
Link:
https://www.joesandbox.com/analysis/498534
Signature
Allocates memory in foreign processes
Hijacks the control flow in another process
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Sample uses process hollowing technique
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 process2 2 Behavior Graph ID: 301257 Sample: oB9Lt9hcne Startdate: 20/10/2020 Architecture: WINDOWS Score: 64 5 oB9Lt9hcne.exe 40 2->5         started        9 oB9Lt9hcne.exe 21 2->9         started        dnsIp3 18 dghns.xyz 34.222.33.48, 443, 49754, 49756 AMAZON-02US United States 5->18 20 192.168.2.1 unknown unknown 5->20 24 Hijacks the control flow in another process 5->24 26 Writes to foreign memory regions 5->26 28 Allocates memory in foreign processes 5->28 30 3 other signatures 5->30 11 cmd.exe 15 5->11         started        14 conhost.exe 5->14         started        16 conhost.exe 9->16         started        signatures4 process5 dnsIp6 22 bigjamg.xyz 18.219.29.151, 443, 49761, 49768 AMAZON-02US United States 11->22
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/690ff4ee36a9ee03248ce8e45a605e718eb48778ffbce1b48f9a5522175ba611/
Threat name:
Win64.Trojan.Bazaloader
Create hunting rule
Status:
Malicious
First seen:
2020-10-20 16:47:29 UTC
File Type:
PE+ (Exe)
Extracted files:
4919
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=neh7j3rwvhxagjem5dsfuyc6oghljb3y766odneptjksef23uyiq._file
Verdict:
malicious
Similar samples:
093f2b5a9d4628d9331751d7e6d3582cf097ab3f4091463ec895052dee8d22c3
BazaLoader
0d468fc1b02bbc7c3050c67e0a80b580c69abd8eea5f8dad06c7d7ff396f7789
BazaLoader
34b416c0bc4803657acb69ad241de0e3a8b9c2d70769d57f8d041cc697a764c3
BazaLoader
665fdcff6c010772cfa701050b2bc5c7b008a0e8a73fa3c59e1dde546b78003b
BazaLoader
a3b2528b5e31ab1b82e68247a90ddce9a1237b2994ec739beb096f71d58e3d5b
BazaLoader
bad9f0b937bc7a74cd5657127e7d1707ce024ccb5434044ef305dffd4307f29b
BazaLoader
c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5
BazaLoader
d3f27f0ba1900e461e292bf8f62028b60cac902ef71cbe455115d008c0ed27c6
BazaLoader
f471cbd53a52d27053c33c4fd18fe2305f94f947d8cc2275c3506fe74c2f11f5
BazaLoader
f5d920482e18df058cc0848a4e96d06af5322c05b3b61d3cf05800ab345d3edf
BazaLoader
+ 188 additional samples on MalwareBazaar
Result
Malware family:
bazarbackdoor
Create hunting rule
Score:
  10/10
Tags:
backdoor family:bazarbackdoor
Link:
https://tria.ge/reports/201020-cfshqanqja/
Behaviour
Modifies system certificate store
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Blacklisted process makes network request
BazarBackdoor
Unpacked files
SH256 hash:
690ff4ee36a9ee03248ce8e45a605e718eb48778ffbce1b48f9a5522175ba611
MD5 hash:
2b512d583c1e81f27c846c3ccf1b0515
SHA1 hash:
5463468effca6dab58fb83361d3019191c2f67d9
Link:
https://www.unpac.me/results/7a58da16-0e07-4716-817a-93ca188cee91/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Bazar
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/690ff4ee36a9ee03248ce8e45a605e718eb48778ffbce1b48f9a5522175ba611

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/73591/

Comments