MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 89e803fb3d77bd7c8ce32b32eaa6832dd37dba1fe675ac46cce0cb297646dc0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BazaLoader

Vendor detections: 7

SHA256 hash: 89e803fb3d77bd7c8ce32b32eaa6832dd37dba1fe675ac46cce0cb297646dc0d
SHA3-384 hash: cbcaec41073c38b39ba9eccb1a7deb16ffb11217edf86f19ddffa087c4c457d97c2d6ccfe79bc6a07f7cf09ce87563eb
SHA1 hash: 9889a9070a2eec23d05a09012c6873b5336db876
MD5 hash: 842d16f5bc020dd549b8c6e79fd39603
humanhash: batman-mountain-king-dakota
File name: 89e803fb3d77bd7c8ce32b32eaa6832dd37dba1fe675ac46cce0cb297646dc0d
Download: download sample
Signature: BazaLoader
File size: 921'088 bytes
First seen: 2021-07-06 21:58:59 UTC
Last seen: 2021-07-06 22:41:09 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9d4aeed4e0b676f10fe027a16f07d864 (1 x BazaLoader)
ssdeep: 12288:HWJ+sWVXVQBmhAq7tAdrLY5Fg/YfAIvae4MLHvUWSpPqqCwX4i/Je7ZUYa3cyJ:M+NBhAuAdnY5Fc6aZSMF9CwImJetUKy
Threatray: 35 similar samples on MalwareBazaar
TLSH: 6C157B06F2B581B5D16FC03B86A6865AF77238915B3087CB52418B2E2F372E15F3A771
Reporter: Anonymous
Tags: BazaLoader exe
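Before analysing a sample downloaded from this entry, verify that the file on disk is the one the entry describes by recomputing the recorded hashes and size. The following is an added example, not MalwareBazaar's own code: it streams the file once through hashlib for SHA256, SHA1, MD5 and SHA3-384, compares against the values recorded above, and returns every mismatch. The self-check uses a constructed b"abc" input with the published NIST test vectors rather than the real sample. imphash, ssdeep and TLSH are not covered; they need the pefile, ssdeep and tlsh packages respectively.

```python
import hashlib
import os
import tempfile

# Hashes and size recorded on this MalwareBazaar entry (copied from the page).
RECORDED_HASHES = {
    "sha256": "89e803fb3d77bd7c8ce32b32eaa6832dd37dba1fe675ac46cce0cb297646dc0d",
    "sha1": "9889a9070a2eec23d05a09012c6873b5336db876",
    "md5": "842d16f5bc020dd549b8c6e79fd39603",
    "sha3_384": "cbcaec41073c38b39ba9eccb1a7deb16ffb11217edf86f19ddffa087c4c457d97c2d6ccfe79bc6a07f7cf09ce87563eb",
}
RECORDED_SIZE = 921088


def hash_file(path, algorithms=("sha256", "sha1", "md5", "sha3_384"), chunk_size=1 << 20):
    """Read the file once and feed every chunk to all requested hashlib digests."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_sample(path, expected_hashes, expected_size=None):
    """Compare a local file against recorded hashes and (optionally) size.

    Returns {field: (expected, actual)} for every mismatch; an empty dict means
    the file on disk matches the entry. Hex case is normalised before comparing.
    """
    mismatches = {}
    if expected_size is not None:
        actual_size = os.path.getsize(path)
        if actual_size != expected_size:
            mismatches["size"] = (expected_size, actual_size)
    actual = hash_file(path, algorithms=tuple(expected_hashes))
    for name, exp in expected_hashes.items():
        if actual[name].lower() != exp.lower():
            mismatches[name] = (exp.lower(), actual[name])
    return mismatches


def verify_bytes(data, expected_hashes, expected_size=None):
    """Helper for testing: write constructed bytes to a temp file and verify them."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        return verify_sample(path, expected_hashes, expected_size)
    finally:
        os.unlink(path)


# Constructed self-check input (not the real sample): NIST test vectors for b"abc".
ABC_HASHES = {
    "sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
    "sha1": "a9993e364706816aba3e25717850c26c9cd0d89d",
    "md5": "900150983cd24fb0d6963f7d28e17f72",
    "sha3_384": "ec01498288516fc926459f58e2c6ad8df9b473cb0fc08c2596da7cf0e49be4b298d88cea927ac7f539f1edf228376d25",
}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        # Usage: python verify.py <path to the unzipped sample>
        bad = verify_sample(sys.argv[1], RECORDED_HASHES, RECORDED_SIZE)
        print("OK: file matches the MalwareBazaar entry" if not bad else f"MISMATCH: {bad}")
    else:
        print("self-check mismatches (expected none):", verify_bytes(b"abc", ABC_HASHES, 3))
```

Run it against the extracted file, not the password-protected archive MalwareBazaar serves; the size check catches a truncated download before any hash is computed, and a single hash mismatch is enough to stop and re-download.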

Intelligence


File Origin
Number of uploads: 2
Number of downloads: 164
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 89e803fb3d77bd7c8ce32b32eaa6832dd37dba1fe675ac46cce0cb297646dc0d
Verdict: No threats detected
Analysis date: 2021-07-06 22:03:44 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family: BazarBackdoor
Verdict: Malicious
Result
Threat name: Bazar Loader
Detection: malicious
Classification: troj.evad
Score: 84 / 100
Signature
Allocates memory in foreign processes
Injects a PE file into a foreign process
Sigma detected: CobaltStrike Load by Rundll32
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Bazar Loader
Behaviour
Behavior Graph ID 445010 (sample 1DUGf1rRWe, start date 06/07/2021, architecture WINDOWS, score 84). Sample-level hits: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Yara detected Bazar Loader; Sigma detected: CobaltStrike Load by Rundll32. Process tree recovered from the graph, with the signatures attached to each process:
loaddll64.exe
    rundll32.exe: System process connects to network (likely due to code injection or exploit); Writes to foreign memory regions; Allocates memory in foreign processes
    rundll32.exe: connects to 52.27.52.252 (ports 443, 49737, 49739; AMAZON-02, United States); Injects a PE file into a foreign process
    cmd.exe
        rundll32.exe: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign process
            chrome.exe
                chrome.exe
                chrome.exe
Threat name: Win64.Trojan.Zenpak
Status: Malicious
First seen: 2021-07-06 21:59:13 UTC
AV detection: 3 of 46 (6.52%)
Threat level: 5/5
Result
Malware family: bazarloader
Score: 10/10
Tags: family:bazarloader dropper loader
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Blocklisted process makes network request
Bazar/Team9 Loader payload
Bazar Loader
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SHA256 hash: 89e803fb3d77bd7c8ce32b32eaa6832dd37dba1fe675ac46cce0cb297646dc0d
MD5 hash: 842d16f5bc020dd549b8c6e79fd39603
SHA1 hash: 9889a9070a2eec23d05a09012c6873b5336db876
Please note that we are no longer able to provide a coverage score for Virus Total.
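The sandbox results above describe a chain worth hunting for on endpoints: loaddll64.exe launching rundll32.exe, rundll32.exe connecting out to 52.27.52.252:443, rundll32.exe writing to a foreign process and spawning chrome.exe, and a timeout.exe delay. The following is an added example, not code from MalwareBazaar or from either sandbox, and not the Sigma rule named above: it runs three hypothetical detection rules derived from those reported behaviours over constructed Sysmon-style events (event ID 1 process creation, event ID 3 network connection) that mirror the reported process tree, with benign chrome.exe activity included to show the rules stay quiet on it. The event field names, PIDs and command lines are assumptions.

```python
import ipaddress

# Constructed Sysmon-style events (not sandbox output), modelled on the reported
# tree: loaddll64.exe -> cmd.exe -> timeout.exe, loaddll64.exe -> rundll32.exe,
# rundll32.exe -> 52.27.52.252:443, rundll32.exe -> chrome.exe. PIDs are made up.
EVENTS = [
    {"id": 1, "pid": 100, "ppid": 1,   "image": r"C:\Windows\System32\loaddll64.exe", "cmdline": "loaddll64.exe sample.dll"},
    {"id": 1, "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",       "cmdline": "cmd.exe /C timeout 20 && rundll32.exe sample.dll,#1"},
    {"id": 1, "pid": 201, "ppid": 200, "image": r"C:\Windows\System32\timeout.exe",   "cmdline": "timeout 20"},
    {"id": 1, "pid": 300, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe",  "cmdline": "rundll32.exe sample.dll,#1"},
    {"id": 3, "pid": 300,              "image": r"C:\Windows\System32\rundll32.exe",  "dst_ip": "52.27.52.252", "dst_port": 443},
    {"id": 1, "pid": 400, "ppid": 300, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmdline": "chrome.exe"},
    # Benign noise the rules must not flag: a user-launched browser doing normal TLS,
    # and rundll32.exe talking only to localhost.
    {"id": 1, "pid": 500, "ppid": 50,  "image": r"C:\Windows\explorer.exe",           "cmdline": "explorer.exe"},
    {"id": 1, "pid": 501, "ppid": 500, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmdline": "chrome.exe"},
    {"id": 3, "pid": 501,              "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "dst_ip": "142.250.74.46", "dst_port": 443},
    {"id": 3, "pid": 300,              "image": r"C:\Windows\System32\rundll32.exe",  "dst_ip": "127.0.0.1", "dst_port": 135},
]


def basename(image):
    """Lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Apply three hypothetical rules; returns a list of (rule, pid, detail) alerts.

    rundll32_network           rundll32.exe opens a connection to a public address
                               (the reported 'system process connects to network').
    chrome_spawned_by_rundll32 chrome.exe whose parent is rundll32.exe, the shape of
                               the reported injection into a freshly started browser.
    sandbox_delay_timeout      cmd.exe running timeout.exe, the reported delay trick.
    """
    by_pid = {e["pid"]: e for e in events if e["id"] == 1}
    alerts = []
    for e in events:
        name = basename(e["image"])
        if e["id"] == 3 and name == "rundll32.exe":
            if ipaddress.ip_address(e["dst_ip"]).is_global:
                alerts.append(("rundll32_network", e["pid"], f"{e['dst_ip']}:{e['dst_port']}"))
        elif e["id"] == 1:
            parent = by_pid.get(e["ppid"])
            pname = basename(parent["image"]) if parent else None
            if name == "chrome.exe" and pname == "rundll32.exe":
                alerts.append(("chrome_spawned_by_rundll32", e["pid"], parent["cmdline"]))
            if name == "timeout.exe" and pname == "cmd.exe":
                alerts.append(("sandbox_delay_timeout", e["pid"], e["cmdline"]))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:28s} pid={pid:<4d} {detail}")
```

The parent lookup relies on event ID 1 arriving before the child's events, which holds for a single host's Sysmon stream but not for merged logs; the rundll32 rule deliberately ignores non-global destinations so COM and RPC chatter to localhost does not page anyone.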

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments