MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72322a8878b2f8df066d2f3b1d6bc53d8dd53a6287c3e65281a6eb5d74bffee0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Signature: BazaLoader
Vendor detections: 6

SHA256 hash: 72322a8878b2f8df066d2f3b1d6bc53d8dd53a6287c3e65281a6eb5d74bffee0
SHA3-384 hash: a563a23882ff8f28a0605f7d2b0a3bfee9a06cda1b86c778fa1c0ba3827a4f993383431d465f56bc89add198b5638a84
SHA1 hash: 5e0f6df0062267bc5ea647b3efc6eb90ca358fdc
MD5 hash: 1e5e12e62bd4876e286834b8b4ed179d
humanhash: avocado-washington-virginia-fillet
File name: vacug12.dll
Signature: BazaLoader
File size: 193'670 bytes
First seen: 2021-09-13 15:36:06 UTC
Last seen: 2021-09-13 17:23:22 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2e693c451958293f4a91702375b1fcab (2 x BazaLoader)
ssdeep: 3072:SXwq1u2IQ0uefvtPVacfNCSloSSSCSt2zeZDSSSSSSSSSSSSSSSSSSSSSSSxsCPO:SXwSulfPCSloSSSCSt2zeZDSSSSSSSSR
Threatray: 9 similar samples on MalwareBazaar
TLSH: T19814AE07B2ED00F9D0AFC078C31B09AAA671B4996B15B76F17F412346D7A7B47B0D648
Reporter: James_inthe_box
Tags: BazaLoader dll exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 127
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:
Behaviour:
  Creating a window
  Transferring files using the Background Intelligent Transfer Service (BITS)
  Launching a process
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: anti-debug monero overlay packed
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 88 / 100
Signature:
  Allocates memory in foreign processes
  Contains functionality to inject code into remote processes
  Injects a PE file into a foreign processes
  Modifies the context of a thread in another process (thread injection)
  Sample uses process hollowing technique
  Sets debug register (to hijack the execution of another thread)
  Sigma detected: CobaltStrike Load by Rundll32
  Sigma detected: Suspicious Svchost Process
  System process connects to network (likely due to code injection or exploit)
  Writes to foreign memory regions
Behaviour
Behavior Graph (ID 482379; sample vacug12.dll; start date 13/09/2021; architecture WINDOWS; score 88), reconstructed from the flattened graph export as a process tree with the network destinations and signatures attached to each node:
  Sigma detected: CobaltStrike Load by Rundll32
  Sigma detected: Suspicious Svchost Process
  loaddll64.exe
    rundll32.exe
      194.180.174.49:443 (MIVOCLOUDMD, unknown country), client ports 49854, 49905
      Sets debug register (to hijack the execution of another thread)
      Writes to foreign memory regions
      Allocates memory in foreign processes
      Injects a PE file into a foreign processes
      svchost.exe
    rundll32.exe
      System process connects to network (likely due to code injection or exploit)
      Modifies the context of a thread in another process (thread injection)
      Sample uses process hollowing technique
    cmd.exe
      rundll32.exe
        Contains functionality to inject code into remote processes
    20 other processes
      192.168.2.1 (unknown)
      iexplore.exe
        tls13.taboola.map.fastly.net 151.101.1.44:443 (FASTLYUS, United States), client ports 49808, 49809
        geolocation.onetrust.com 104.20.184.68:443 (CLOUDFLARENETUS, United States), client ports 49760, 49761
        9 other IPs or domains
  rundll32.exe
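The process tree above is the BazaLoader pattern worth detecting: rundll32.exe loads the DLL from a user-writable path, spawns svchost.exe, and the svchost.exe it hollowed is the process that actually talks to 194.180.174.49:443. The following script, an added example and not part of the MalwareBazaar entry or of any vendor's sandbox, runs simplified versions of those checks over constructed Sysmon-style events shaped like that tree. The events are invented, not real telemetry; the svchost parent allow-list is an assumption; and the checks approximate what the Sigma rule title "Suspicious Svchost Process" and the "System process connects to network" signature describe, not the published rule logic.

```python
"""Detection pass over constructed Sysmon-style events shaped like the sandbox
process tree for vacug12.dll: rundll32.exe loads the DLL from a user directory,
starts svchost.exe, and that svchost.exe connects out to 194.180.174.49:443.
Added example; the events are invented, not real sandbox telemetry, and the
checks are simplified approximations of the Sigma rule / sandbox signature
titles, not the published rule logic."""
import json
import ntpath

# Constructed JSON-lines telemetry (not real logs): a reduced Sysmon Event ID 1
# (ProcessCreate) / Event ID 3 (NetworkConnect) schema with only the fields used.
SAMPLE_EVENTS = r"""
{"event":"ProcessCreate","pid":4212,"image":"C:\\Windows\\System32\\rundll32.exe","cmdline":"rundll32.exe C:\\Users\\user\\Desktop\\vacug12.dll,#1","parent_pid":4100,"parent_image":"C:\\Windows\\System32\\loaddll64.exe"}
{"event":"ProcessCreate","pid":4360,"image":"C:\\Windows\\System32\\svchost.exe","cmdline":"C:\\Windows\\System32\\svchost.exe","parent_pid":4212,"parent_image":"C:\\Windows\\System32\\rundll32.exe"}
{"event":"NetworkConnect","pid":4360,"image":"C:\\Windows\\System32\\svchost.exe","dest_ip":"194.180.174.49","dest_port":443}
{"event":"ProcessCreate","pid":880,"image":"C:\\Windows\\System32\\svchost.exe","cmdline":"C:\\Windows\\System32\\svchost.exe -k netsvcs","parent_pid":700,"parent_image":"C:\\Windows\\System32\\services.exe"}
{"event":"NetworkConnect","pid":880,"image":"C:\\Windows\\System32\\svchost.exe","dest_ip":"192.168.2.1","dest_port":53}
{"event":"ProcessCreate","pid":4620,"image":"C:\\Windows\\System32\\rundll32.exe","cmdline":"rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL","parent_pid":4500,"parent_image":"C:\\Windows\\System32\\cmd.exe"}
""".strip()

# Assumption: parents that legitimately start svchost.exe. The published Sigma
# rule carries its own, longer allow-list; this is a simplification.
SVCHOST_EXPECTED_PARENTS = {"services.exe", "svchost.exe", "msmpeng.exe"}
# Directories a rundll32.exe-loaded DLL is expected to live in (lower-cased).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def load_events(jsonl: str) -> list:
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def rundll32_dll_path(cmdline: str) -> str:
    """Extract the DLL path from 'rundll32.exe <dll>,<entry> [args]'.
    The DLL may be quoted; an empty string means no DLL argument was found."""
    parts = cmdline.split(None, 1)
    if len(parts) < 2:
        return ""
    rest = parts[1]
    if rest.startswith('"'):
        end = rest.find('"', 1)
        return rest[1:end] if end > 0 else rest[1:]
    head = rest.split(",", 1)[0].split()
    return head[0] if head else ""


def analyze(events: list) -> list:
    """Return findings as {'rule', 'pid', 'detail'} dicts, in event order.
    A svchost.exe with an unexpected parent is remembered so that its later
    outbound connection is reported as a system process reaching the network
    after likely injection; a services.exe-started svchost.exe is left alone."""
    findings = []
    injected_svchost = set()
    for ev in events:
        image = ntpath.basename(ev["image"]).lower()
        if ev["event"] == "ProcessCreate":
            parent = ntpath.basename(ev["parent_image"]).lower()
            if image == "rundll32.exe":
                dll = rundll32_dll_path(ev["cmdline"]).lower()
                if dll and not dll.startswith(SYSTEM_DIRS):
                    findings.append({"rule": "rundll32_dll_outside_system_dirs",
                                     "pid": ev["pid"], "detail": dll})
            if image == "svchost.exe" and parent not in SVCHOST_EXPECTED_PARENTS:
                injected_svchost.add(ev["pid"])
                findings.append({"rule": "suspicious_svchost_parent",
                                 "pid": ev["pid"], "detail": f"parent {parent}"})
        elif ev["event"] == "NetworkConnect":
            if ev["pid"] in injected_svchost:
                findings.append({"rule": "injected_system_process_network",
                                 "pid": ev["pid"],
                                 "detail": f"{ev['dest_ip']}:{ev['dest_port']}"})
    return findings


if __name__ == "__main__":
    for f in analyze(load_events(SAMPLE_EVENTS)):
        print(f"{f['rule']:36} pid={f['pid']:<5} {f['detail']}")
```

Run stand-alone it prints three findings: the DLL loaded from the Desktop, the svchost.exe whose parent is rundll32.exe, and that same PID's connection to 194.180.174.49:443. The services.exe-started svchost.exe and its DNS lookup, and the rundll32.exe call into shell32.dll, produce nothing, which is the point of keying the network check on the process-creation verdict rather than on svchost.exe talking at all.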
Result
Malware family: bazarloader
Score: 10/10
Tags: family:bazarbackdoor family:bazarloader backdoor dropper loader
Behaviour:
  Suspicious use of WriteProcessMemory
  Suspicious use of SetThreadContext
  Bazar/Team9 Backdoor payload
  Bazar/Team9 Loader payload
  Bazar Loader
  BazarBackdoor
Unpacked files
SHA256 hash: 72322a8878b2f8df066d2f3b1d6bc53d8dd53a6287c3e65281a6eb5d74bffee0
MD5 hash: 1e5e12e62bd4876e286834b8b4ed179d
SHA1 hash: 5e0f6df0062267bc5ea647b3efc6eb90ca358fdc
Malware family: BazarLoader
Verdict: Malicious

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


Additional information about this sample, such as its delivery method and external references:

Delivery method: Other

Comments