MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7226219330a9bb9da14b7f056be6cab2e42e37a4a19fab6dfa626094f6b57c55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7226219330a9bb9da14b7f056be6cab2e42e37a4a19fab6dfa626094f6b57c55
SHA3-384 hash: 84871157c848b5120765444adff0a98649926f5b5fd412baee6324826f0898f259c415dc3f0862765556558d2727149b
SHA1 hash: a6c8ce5f6db05cee6d144780a9c15822f86e9e76
MD5 hash: 64e0ad30c95db4ecd8ef0c3f8c2a86a0
humanhash: happy-ink-october-apart
File name:7226219330a9bb9da14b7f056be6cab2e42e37a4a19fab6dfa626094f6b57c55
Download: download sample
Signature BazaLoader
Create hunting rule
File size:456'704 bytes
First seen:2020-11-03 13:43:39 UTC
Last seen:2020-11-03 16:04:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5a5ef1d77117c8a759a977061c706024 (1 x BazaLoader)
ssdeep 6144:HRTFhPSF8Paki5jVsOmVhk1181pk4Me9dSqPUNPjHyOOTZtJbutWE2d7O5GwyqUd:xTFhayJhDDzPUYhbvAiwgf8Wf
Threatray 159 similar samples on MalwareBazaar
TLSH 1FA4E01BB7A960F9D05AC234C8D21746E3F1B86E4B65178B0694873A7F273E1DD2B312
Reporter adulau
Tags:BazaLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/82051/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.44142666.10796.22534.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Creating a window
Launching a process
Creating a file in the %temp% directory
Creating a process from a recently created file
Setting a single autorun event
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/519204
Signature
Creates multiple autostart registry keys
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 308702 Sample: RoMbR3QzCR Startdate: 03/11/2020 Architecture: WINDOWS Score: 68 64 egwn.xyz 2->64 70 Multi AV Scanner detection for submitted file 2->70 72 Uses ping.exe to sleep 2->72 74 Uses ping.exe to check the status of other devices and networks 2->74 12 RoMbR3QzCR.exe 2 2->12         started        14 cmd.exe 1 2->14         started        16 cmd.exe 1 2->16         started        18 2 other processes 2->18 signatures3 process4 process5 20 cmd.exe 1 12->20         started        23 reg.exe 1 1 14->23         started        25 S8UC20.exe 2 14->25         started        27 conhost.exe 14->27         started        29 S8UC20.exe 2 16->29         started        31 conhost.exe 16->31         started        33 reg.exe 1 16->33         started        signatures6 76 Uses ping.exe to sleep 20->76 35 RoMbR3QzCR.exe 3 20->35         started        38 conhost.exe 20->38         started        40 PING.EXE 1 20->40         started        78 Creates multiple autostart registry keys 23->78 process7 file8 62 C:\Users\user\AppData\Local\Temp\S8UC20.exe, PE32+ 35->62 dropped 42 cmd.exe 1 35->42         started        process9 signatures10 82 Uses ping.exe to sleep 42->82 45 S8UC20.exe 1 2 42->45         started        48 conhost.exe 42->48         started        50 PING.EXE 1 42->50         started        process11 signatures12 84 Multi AV Scanner detection for dropped file 45->84 86 Creates multiple autostart registry keys 45->86 52 cmd.exe 1 45->52         started        process13 signatures14 80 Uses ping.exe to sleep 52->80 55 S8UC20.exe 2 52->55         started        58 conhost.exe 52->58         started        60 PING.EXE 1 52->60         started        process15 dnsIp16 66 xobjective.com 34.238.84.181, 443 AMAZON-AESUS United States 55->66 68 onepolks.com 3.137.174.178, 443 AMAZON-02US United States 55->68
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7226219330a9bb9da14b7f056be6cab2e42e37a4a19fab6dfa626094f6b57c55/
Threat name:
Win64.Trojan.Bazar
Create hunting rule
Status:
Malicious
First seen:
2020-10-21 17:29:35 UTC
AV detection:
5 of 29 (17.24%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1ea7aff75af63e55b05fd2d3015df1a3edfd1fcdad8305e1ff64611d37d97ee4
BazaLoader
2a7964c5d7268f4b320e91ad133654d75edca3c15f9e5c76dee7bf68634b933f
BazaLoader
5c59f12280cdfd8303296be2502e5800873fe8dd7aa800bddd18da475f787244
BazaLoader
609fef55693698a2bc7695a4bdc574cfb45b590bde4f4291f8d99bc7f25e266a
BazaLoader
8c55e3b7ce984976b237f03414886e8a2df5884d6f1485716493c84b0abf073e
BazaLoader
8c99069bcb559bf7d9606af7ba1538cc8bacd79b4f3846f7487ec3b5179ef9d5
BazaLoader
b16b088a2a3eb51d7ac1474e8de37a88a5f5b5db2ffaa6fe25457ca5a2688796
BazaLoader
cae79d8ceb527eb8367b1df9e916718e4329d2768ed0b7e61f7c406af9d21f31
BazaLoader
cf6683d18904fde78028d901f9282099e3dc24a2ce6157003dced3ae387bdcfb
BazaLoader
f54cec2b04daafb0a1d612ef84913a1d03ef61d7de8b4c144414378c4415ac09
BazaLoader
+ 149 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/201103-4714yj9mpe/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
7226219330a9bb9da14b7f056be6cab2e42e37a4a19fab6dfa626094f6b57c55
MD5 hash:
64e0ad30c95db4ecd8ef0c3f8c2a86a0
SHA1 hash:
a6c8ce5f6db05cee6d144780a9c15822f86e9e76
Link:
https://www.unpac.me/results/b7268f84-55bd-40ff-92b6-770fd17218bc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Bazar
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7226219330a9bb9da14b7f056be6cab2e42e37a4a19fab6dfa626094f6b57c55

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/82051/

Comments