MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7697108c8e032dc97dbcda51ba54a82d85973137faacd19fb306c0217d50cfa2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7697108c8e032dc97dbcda51ba54a82d85973137faacd19fb306c0217d50cfa2
SHA3-384 hash: 5ea61687bde8e29e7872888f132c18c6e72081cfd6c3c535ec3013ed238d6ec0e0c7c1e9e717f18c055e870c661a6b62
SHA1 hash: f63a78a5118e7889f55b22e15f8bf343aa74e152
MD5 hash: 94a2be35bf73c613247ac1a48992cbb3
humanhash: berlin-carolina-aspen-berlin
File name:7697108c8e032dc97dbcda51ba54a82d85973137faacd19fb306c0217d50cfa2
Download: download sample
Signature BazaLoader
Create hunting rule
File size:1'643'800 bytes
First seen:2020-10-16 16:55:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash d5e25f759111ec5fa3f94e6fcaf0ce51 (1 x BazaLoader)
ssdeep 1536:/vJzHvFb1JMjFsq6xjFt1El7vx8PcO1g3DFuDDWVffONt7Z78ORUXD8pP:/RzPp4psNx/2yPcv3DeDWV+Nt7ZI+kY
TLSH B175C146613008C6C07932B211AEE7B37D55F0CE5D61C8CB3E186D656F7A1CA6C9FE8A
Reporter JAMESWT_WT
Tags:Absolut LLC BazaLoader BazarLoader signed

Code Signing Certificate

Organisation:Absolut LLC
Issuer:Sectigo RSA Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:Oct 1 00:00:00 2020 GMT
Valid to:Oct 1 23:59:59 2021 GMT
Serial number: B1AEA98BF0CE789B6C952310F14EDDE0
MalwareBazaar Blocklist:This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:SHA256
Thumbprint: 28324A9746EDBDB41C9579032D6EB6AB4FD3E0906F250D4858CE9C5FE5E97469
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
159
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/72211/
Detection(s):
PUA.Win.Trojan.Generic-6629274-0
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Launching a process
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/494005
Signature
Creates multiple autostart registry keys
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 299452 Sample: Ghj736i4Ht Startdate: 16/10/2020 Architecture: WINDOWS Score: 84 68 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->68 70 Multi AV Scanner detection for submitted file 2->70 72 Uses ping.exe to sleep 2->72 74 Uses ping.exe to check the status of other devices and networks 2->74 11 Ghj736i4Ht.exe 2->11         started        14 cmd.exe 1 2->14         started        16 cmd.exe 1 2->16         started        18 2 other processes 2->18 process3 signatures4 84 Detected unpacking (changes PE section rights) 11->84 20 cmd.exe 1 11->20         started        23 reg.exe 1 1 14->23         started        25 YBRB3F5.exe 14->25         started        27 conhost.exe 14->27         started        29 YBRB3F5.exe 16->29         started        31 conhost.exe 16->31         started        33 reg.exe 1 16->33         started        process5 signatures6 76 Uses ping.exe to sleep 20->76 35 Ghj736i4Ht.exe 1 20->35         started        38 conhost.exe 20->38         started        40 PING.EXE 1 20->40         started        78 Creates multiple autostart registry keys 23->78 process7 file8 62 C:\Users\user\AppData\Local\...\YBRB3F5.exe, PE32+ 35->62 dropped 42 cmd.exe 1 35->42         started        process9 signatures10 82 Uses ping.exe to sleep 42->82 45 YBRB3F5.exe 1 42->45         started        48 conhost.exe 42->48         started        50 PING.EXE 1 42->50         started        process11 signatures12 86 Multi AV Scanner detection for dropped file 45->86 88 Detected unpacking (changes PE section rights) 45->88 90 Creates multiple autostart registry keys 45->90 52 cmd.exe 1 45->52         started        process13 signatures14 80 Uses ping.exe to sleep 52->80 55 YBRB3F5.exe 52->55         started        58 conhost.exe 52->58         started        60 PING.EXE 1 52->60         started        process15 dnsIp16 64 82.146.54.254, 443 THEFIRST-ASRU Russian Federation 55->64 66 185.105.1.149, 443 GCOREAT Luxembourg 55->66
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7697108c8e032dc97dbcda51ba54a82d85973137faacd19fb306c0217d50cfa2/
Threat name:
Win64.Trojan.BazarLoader
Create hunting rule
Status:
Malicious
First seen:
2020-10-15 18:19:17 UTC
File Type:
PE+ (Exe)
Extracted files:
1
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=o2lrbdeoamw4s7n43ji3uvfifwczomjx7kwndh5ta3acc7kqz6ra._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/201016-xsc3dken22/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
7697108c8e032dc97dbcda51ba54a82d85973137faacd19fb306c0217d50cfa2
MD5 hash:
94a2be35bf73c613247ac1a48992cbb3
SHA1 hash:
f63a78a5118e7889f55b22e15f8bf343aa74e152
Link:
https://www.unpac.me/results/50fb3546-1716-4e2e-9c44-1b6fe65fcd56/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Bazar
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7697108c8e032dc97dbcda51ba54a82d85973137faacd19fb306c0217d50cfa2

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/72211/

Comments