MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6d8fcc850b8c796be3f6244f1f681332d155486bdd326ad6be78ea7172718db4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BazaLoader

Vendor detections: 5



SHA256 hash: 6d8fcc850b8c796be3f6244f1f681332d155486bdd326ad6be78ea7172718db4
SHA3-384 hash: ecaf42d9eddd64ba7cc64a87e153e1352f94030c553e020d29d258aed115f363b82d594f02ed1799653492c262ba687a
SHA1 hash: 78709487cadc1d995de9787c2735f52545d93526
MD5 hash: 1788ff60c96f28ec0386a838edaa48fb
humanhash: emma-cola-white-island
File name: 1788ff60c96f28ec0386a838edaa48fb.dll
Signature: BazaLoader
File size: 1'654'784 bytes
First seen: 2021-10-29 05:37:00 UTC
Last seen: 2022-05-09 18:56:06 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: ce543b95297c6bb89c2576e9105d106b (1 x BazaLoader)
ssdeep: 12288:zZt9mlqOLdL6a+BN1CYqNdJcz1e/tXP2YM2NZRBB6KY2rn65hZF0xmmTXrbrL4:f9ml2P1orJcz1CXnM8tMQn65Lyxmon8
TLSH: T117750916B3646591C0FBC17480836F52BA3078590B3667E74BC04669AF21BF8AE3DBF5
Reporter: abuse_ch
Tags: BazaLoader dll exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 123
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: https://onedrive.live.com/download?cid=94158F45216FEB1F&resid=94158F45216FEB1F%21115&authkey=AAOZxTaEatL6UvE
Verdict: Malicious activity
Analysis date: 2021-10-28 18:35:54 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 64 / 100
Signature
Contains VNC / remote desktop functionality (version string found)
Creates an autostart registry key pointing to binary in C:\Windows
Sigma detected: UNC2452 Process Creation Patterns
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph (rendered as an image on the original page; only the node labels survive extraction):
Behavior Graph ID: 511461; Sample: ahKLbi30c8.dll; Startdate: 29/10/2021; Architecture: WINDOWS; Score: 64.
Process tree recovered from the node labels: the sample is loaded by loaddll64.exe and two rundll32.exe instances; loaddll64.exe spawns further rundll32.exe instances and cmd.exe; the cmd.exe instances in turn launch rundll32.exe, PING.EXE, conhost.exe, choice.exe and reg.exe.
Signatures attached to graph nodes: Sigma detected: UNC2452 Process Creation Patterns; Contains VNC / remote desktop functionality (version string found); Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks; Creates an autostart registry key pointing to binary in C:\Windows (reg.exe node).
Network nodes: PING.EXE contacts 192.0.2.38 and 192.0.2.119 (unknown, Reserved).
Verdict: unknown
Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Unpacked files
SHA256 hash: 6d8fcc850b8c796be3f6244f1f681332d155486bdd326ad6be78ea7172718db4
MD5 hash: 1788ff60c96f28ec0386a838edaa48fb
SHA1 hash: 78709487cadc1d995de9787c2735f52545d93526
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments