MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 754a35180c3545e644e82f3a075779f49e99ba7a525dd580e437f13a81efd2b5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BazaLoader


Vendor detections: 5



SHA256 hash: 754a35180c3545e644e82f3a075779f49e99ba7a525dd580e437f13a81efd2b5
SHA3-384 hash: 9f7f20ff7af221e2f954691755f26256ba8a065fb384f64cf7e6985aa464d1b3f80ad6630799e60315fe63cbc456f75f
SHA1 hash: acd210a0d0b6d5b9ea2de9d144ac77b9caf10348
MD5 hash: 0f7b89ff6abb28cf553688b31bdd31c5
humanhash: mexico-indigo-nitrogen-bakerloo
File name: acd210a0d0b6d5b9ea2de9d144ac77b9caf10348.dll
Signature: BazaLoader
File size: 86'534 bytes
First seen: 2021-09-17 21:36:00 UTC
Last seen: 2021-09-17 22:52:16 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: adde1077f8d3ceebcc22e3306c03ec71 (1 x BazaLoader)
ssdeep: 1536:R+bIWQrjPQv5qLQlO4ke+lmqoeXuf9JQaindmHHIJcQFqOlaqqXeenCIniOkxrS:R+bIWQrjQ5g2oxoj3QaindmnIyQ8Olad
Threatray: 11 similar samples on MalwareBazaar
TLSH: T1C1836C8FFF4784A3D0F649BAE97E814FE41C74CE3C125A1A1F0875818A5132AADF7912
Reporter: N3utralZ0ne
Tags: BazaLoader exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 168
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: acd210a0d0b6d5b9ea2de9d144ac77b9caf10348.dll
Verdict: No threats detected
Analysis date: 2021-09-17 21:37:18 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a window
Transferring files using the Background Intelligent Transfer Service (BITS)
Launching a process
Result
Threat name: Bazar Loader
Detection: malicious
Classification: spre.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Detected Bazar Loader
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Performs a network lookup / discovery via net view
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: CobaltStrike Load by Rundll32
Sigma detected: Dridex Process Pattern
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Behaviour
Behavior Graph
Behavior Graph ID: 485511
Sample: n5coKKBhuN.dll
Startdate: 17/09/2021
Architecture: WINDOWS
Score: 100
Top-level signatures: Detected Bazar Loader; Sigma detected: CobaltStrike Load by Rundll32; Sigma detected: Dridex Process Pattern; 2 other signatures
Process tree (network contacts and signatures listed under the process they were attributed to):
loaddll64.exe
    rundll32.exe
        network: 94.140.115.104, 443, 49828, 49844 NANO-ASLV Latvia
        signatures: Sets debug register (to hijack the execution of another thread); Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
        svchost.exe
            network: myexternalip.com 34.117.59.81, 443, 49864 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States; 134.255.254.76, 443, 49851, 49858 ACTIVE-SERVERSactive-serverscomDE Germany
            signatures: System process connects to network (likely due to code injection or exploit); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Performs a network lookup / discovery via net view
            net.exe
                conhost.exe
            net.exe
                conhost.exe
    rundll32.exe
        signatures: System process connects to network (likely due to code injection or exploit); Modifies the context of a thread in another process (thread injection); Sample uses process hollowing technique
        svchost.exe
    iexplore.exe
        iexplore.exe
            network: edge.gycpi.b.yahoodns.net 87.248.118.23, 443, 49807, 49808 YAHOO-DEBDE United Kingdom; tls13.taboola.map.fastly.net 151.101.1.44, 443, 49809, 49810 FASTLYUS United States; 10 other IPs or domains
    5 other processes
        rundll32.exe
Result
Malware family: bazarbackdoor
Score: 10/10
Tags: family:bazarbackdoor backdoor
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Bazar/Team9 Backdoor payload
BazarBackdoor
Unpacked files
SHA256 hash: 754a35180c3545e644e82f3a075779f49e99ba7a525dd580e437f13a81efd2b5
MD5 hash: 0f7b89ff6abb28cf553688b31bdd31c5
SHA1 hash: acd210a0d0b6d5b9ea2de9d144ac77b9caf10348
Please note that we are no longer able to provide a coverage score for Virus Total.
