MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6c6939f72d85a8d97f4aa81c53d02dccca16e6deff4a2a3eb017ea374713aace. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6c6939f72d85a8d97f4aa81c53d02dccca16e6deff4a2a3eb017ea374713aace
SHA3-384 hash: ec72e4ed82e75212a3af130d709642d5ee5fd3d0c226b8c7801b2c56651eb8a261a8767f71103357c710ef021c0730c6
SHA1 hash: 64041a20c3423cb515d382adaab72f3f29785984
MD5 hash: ef5aa56a8007d1581583ba0d0188c27f
humanhash: batman-twenty-finch-florida
File name:6c6939f72d85a8d97f4aa81c53d02dccca16e6deff4a2a3eb017ea374713aace
Download: download sample
Signature BazaLoader
Create hunting rule
File size:568'832 bytes
First seen:2021-06-16 23:17:32 UTC
Last seen:2021-06-16 23:43:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 64acb232cfea7c0902338c183e37877f (1 x BazaLoader)
ssdeep 12288:MbTpAiJo2niGvSe3c5tIW49khRHKvU+/lqvWOW:MbT3/1vSe3c/phoUsl
Threatray 28 similar samples on MalwareBazaar
TLSH ABC49D41F6A041B5D07BD13AC9A38B4AEA723898973197CB4354971A3F337E59E3E321
Reporter Anonymous
Tags:BazaLoader exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
CvEbehl.dll
Verdict:
No threats detected
Analysis date:
2021-06-16 18:16:15 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/abb1c489-26ff-4690-af60-52eb5faac2d2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.generic.ml.29086.18863.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BazarBackdoor
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b6136104-5b32-4383-8efc-38f2d7d741da
Result
Threat name:
Bazar Loader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/803402
Signature
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: CobaltStrike Load by Rundll32
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Bazar Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 435813 Sample: eFy1E7EYGB Startdate: 17/06/2021 Architecture: WINDOWS Score: 92 38 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->38 40 Yara detected Bazar Loader 2->40 42 Sigma detected: CobaltStrike Load by Rundll32 2->42 9 loaddll64.exe 1 2->9         started        process3 process4 11 rundll32.exe 14 9->11         started        14 rundll32.exe 14 9->14         started        16 cmd.exe 1 9->16         started        signatures5 52 Writes to foreign memory regions 11->52 54 Allocates memory in foreign processes 11->54 56 Modifies the context of a thread in another process (thread injection) 11->56 18 lsass.exe 17 11->18         started        58 System process connects to network (likely due to code injection or exploit) 14->58 60 Sample uses process hollowing technique 14->60 62 Injects a PE file into a foreign processes 14->62 21 lsass.exe 14->21         started        23 rundll32.exe 15 16->23         started        process6 dnsIp7 34 172.83.155.161, 443, 49735, 49736 CNSERVERSUS United States 18->34 26 cmd.exe 1 18->26         started        36 194.15.113.110, 443, 49714, 49715 INTERNATIONAL-HOSTING-SOLUTIONS-ASEUDCrouteGB Ukraine 23->36 44 Allocates memory in foreign processes 23->44 46 Modifies the context of a thread in another process (thread injection) 23->46 48 Sample uses process hollowing technique 23->48 50 Injects a PE file into a foreign processes 23->50 28 lsass.exe 23->28         started        signatures8 process9 process10 30 conhost.exe 26->30         started        32 timeout.exe 1 26->32         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6c6939f72d85a8d97f4aa81c53d02dccca16e6deff4a2a3eb017ea374713aace/
Threat name:
Win64.Trojan.Zenpak
Create hunting rule
Status:
Malicious
First seen:
2021-06-16 23:18:11 UTC
AV detection:
2 of 42 (4.76%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1a82ee0d5a11d5431581aa185cee32ab29103083a65e5ddaffed04809b16137c
BazaLoader
3c91963b604f32bb0fb91c2dc8771cfb86ef5ecbebb145e3515bdf5779972455
BazaLoader
461e6f9d0bff2b46c77cb78d2d885570b4f75a5b3b9d6ed9b01193970ccf24d1
BazaLoader
889e728a55b58b3a124d38610a30ae07150f78ca900dbef4fc15120ea49ec593
BazaLoader
bc6fa495ed90d846d0873b85a234b96d3d4bee7bb89dd47e02d02c0fb420725a
BazaLoader
bd22fdab541d4517cbf4b96b1986cd370ffc2532392a5b1801c819f67099f9da
BazaLoader
c38f9b32dc3e0632662c159f599972a9f800194b10d6486a6cf8de699aa611fc
BazaLoader
dbd56f0dc20aec5289e993087b32a9485ccea4ae9796c58c008eb946d7646a94
BazaLoader
de307ecbfecca217a680cdee9e11f367b6b2f95e06c909d1aa0ef209f228ff63
BazaLoader
e6f0206d99bc279a062e055582e2c452500d7067968e9de186d7d78ed158271d
BazaLoader
+ 18 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210616-kbwfjfxc5j/
Behaviour
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Blocklisted process makes network request
Unpacked files
SH256 hash:
6c6939f72d85a8d97f4aa81c53d02dccca16e6deff4a2a3eb017ea374713aace
MD5 hash:
ef5aa56a8007d1581583ba0d0188c27f
SHA1 hash:
64041a20c3423cb515d382adaab72f3f29785984
Link:
https://www.unpac.me/results/7f076bf2-529e-4d18-bd8d-0f682038761c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6c6939f72d85a8d97f4aa81c53d02dccca16e6deff4a2a3eb017ea374713aace

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments