MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 86d2aa04988befc74eccca5d99550f67093969b31aafa11cdce3476a4c59ba74. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 86d2aa04988befc74eccca5d99550f67093969b31aafa11cdce3476a4c59ba74
SHA3-384 hash: e2a2807d59c040cb97754e6c519e4765042bee23c584d1cf09934bc5be74b07aa10dbd12a6c161d8b02a05f8ff46abff
SHA1 hash: 96d6c37fa0046a8dc1c520249dc94122e0fb3f52
MD5 hash: 5f11f2db1295fa419b190bd7478d9b23
humanhash: september-pluto-twelve-sixteen
File name:5f11f2db1295fa419b190bd7478d9b23.dll
Download: download sample
Signature BazaLoader
Create hunting rule
File size:254'474 bytes
First seen:2021-07-16 07:46:36 UTC
Last seen:2021-07-16 08:42:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0d1a6b969b07e39da284fa6350077274 (2 x BazaLoader)
ssdeep 3072:n1mD7Jo7475RoucVCqIYnqnLv9qIauz2eU1aoIt60z5W9XT25p:n4JQ475Ro5luv9qIauz2exeT2n
Threatray 32 similar samples on MalwareBazaar
TLSH T1B3448EF1665034E2E6D6DC7DCB3EFBA8E41526332B22A0C115F71E864219AF6DF12853
Reporter abuse_ch
Tags:BazaLoader dll exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
141
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5f11f2db1295fa419b190bd7478d9b23.dll
Verdict:
No threats detected
Analysis date:
2021-07-16 07:49:32 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/690d7ef2-e109-4cec-a121-ccc79e7cfa23

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172120/
Detection(s):
SecuriteInfo.com.Variant.Razy.892983.1716.5346.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
IcedID
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9a10e3de-ffde-4486-b03c-e3140f46f0cc
Result
Threat name:
Bazar Loader BazaLoader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/817325
Signature
Allocates memory in foreign processes
Detected Bazar Loader
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: CobaltStrike Load by Rundll32
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected BazaLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 449736 Sample: 4pIt6BDKvj.dll Startdate: 16/07/2021 Architecture: WINDOWS Score: 100 28 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->28 30 Multi AV Scanner detection for submitted file 2->30 32 Detected Bazar Loader 2->32 34 3 other signatures 2->34 7 loaddll64.exe 1 2->7         started        9 rundll32.exe 2->9         started        process3 process4 11 rundll32.exe 15 7->11         started        15 cmd.exe 1 7->15         started        17 rundll32.exe 7->17         started        dnsIp5 26 18.237.106.160, 443, 49718 AMAZON-02US United States 11->26 36 System process connects to network (likely due to code injection or exploit) 11->36 38 Sets debug register (to hijack the execution of another thread) 11->38 40 Writes to foreign memory regions 11->40 42 4 other signatures 11->42 19 svchost.exe 14 11->19         started        22 rundll32.exe 15->22         started        signatures6 process7 dnsIp8 24 13.56.160.68, 443, 49729, 49732 AMAZON-02US United States 19->24
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/86d2aa04988befc74eccca5d99550f67093969b31aafa11cdce3476a4c59ba74/
Threat name:
Win64.Trojan.BazarLoader
Create hunting rule
Status:
Malicious
First seen:
2021-07-14 19:30:00 UTC
AV detection:
11 of 29 (37.93%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q3jkubeyrpx4otwmzjozsvipm4ets2ntdkx2chg44ndwutczxj2a._file
Verdict:
suspicious
Similar samples:
1eba154cdc2e540704eebfaca2f51fb643c44129911eb9b668f82ab95c1b157d
BazaLoader
24f692b4ee982a145abf12c5c99079cfbc39e40bd64a3c07defaf36c7f75c7a9
BazaLoader
2fe32b0f648bfe69c9873c7a57a62358057eab750a081f9285c11e94327c42d6
BazaLoader
665d2cbbe026c961b1506f5d45205959c817c7b69af4106a40e74186cee6eb94
BazaLoader
842e396f05d590ec88da30e6180dfb29a7aec16e3ef5b49398fde8b79e4090bd
BazaLoader
912127a88af6cce3c806e6e0c124c80986198e888ab22f65639f70accbf395e5
BazaLoader
943017c3097455cb8b4659412783705b4815c7b6d68b0809ff74a44bad8beb04
BazaLoader
cca0563ae1aac9447ba5e3f73cafc63a21671e478dc198695db6c698a2a17d2b
BazaLoader
e04c5bfeda44a81b6c820bf89515ab98bce767728c34919bed27a2767926a514
BazaLoader
+ 22 additional samples on MalwareBazaar
Result
Malware family:
bazarloader
Create hunting rule
Score:
  10/10
Tags:
family:bazarbackdoor family:bazarloader backdoor dropper loader
Link:
https://tria.ge/reports/210716-1gmjdjns1n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Blocklisted process makes network request
Bazar/Team9 Backdoor payload
Bazar/Team9 Loader payload
Bazar Loader
BazarBackdoor
Unpacked files
SH256 hash:
86d2aa04988befc74eccca5d99550f67093969b31aafa11cdce3476a4c59ba74
MD5 hash:
5f11f2db1295fa419b190bd7478d9b23
SHA1 hash:
96d6c37fa0046a8dc1c520249dc94122e0fb3f52
Link:
https://www.unpac.me/results/eed05a02-f20b-44a7-b18f-d9caab7055db/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
BazarBackdoor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/86d2aa04988befc74eccca5d99550f67093969b31aafa11cdce3476a4c59ba74

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/172120/

Comments