MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a47b898b7c8aa16abef0d692c9c7bc123cee04c37027ac109df1c6d1fbd6f00. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 4



SHA256 hash: 8a47b898b7c8aa16abef0d692c9c7bc123cee04c37027ac109df1c6d1fbd6f00
SHA3-384 hash: 35f1068681d87ef437f927cfb919a76b798379db3281e1768ad6492ccb02337b253cbceabbf67d7bebdab98789930855
SHA1 hash: b1fc8fe4cc2e00479c8559ce4125af22175a1a07
MD5 hash: 6a124d95c5c5038daf38b7d0d8719996
humanhash: cup-colorado-south-jig
File name: 6a124d95c5c5038daf38b7d0d8719996
File size: 445'440 bytes
First seen: 2021-08-27 19:08:49 UTC
Last seen: 2021-08-27 19:49:41 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: b211bec2627ea9b5322d60ef3ed97e1a (2 x BazaLoader)
ssdeep: 12288:BpmGo6NcFaOrWsrTrABM5iSFV5GfJLYNDBqkpg8D:BAGo6NcBtXrABM5imGfJLYpBqL8D
Threatray: 24 similar samples on MalwareBazaar
TLSH: T1B5940164941620CBF2EF0AF73210BA822165BC69BE7E67D782C2F7DD914472D788E345
Reporter: zbetcheckin
Tags: exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 212
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 6a124d95c5c5038daf38b7d0d8719996
Verdict: No threats detected
Analysis date: 2021-08-27 19:11:50 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness:
Behaviour
DNS request
Sending a UDP request

Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 92 / 100
Signature
Creates an autostart registry key pointing to binary in C:\Windows
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: CobaltStrike Load by Rundll32
Sigma detected: CobaltStrike Process Patterns
Sigma detected: UNC2452 Process Creation Patterns
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph ID: 472997
Sample: 8TVwWT2vE3
Start date: 27/08/2021
Architecture: WINDOWS
Score: 92

Sample-level signatures: Multi AV Scanner detection for submitted file; Sigma detected: UNC2452 Process Creation Patterns; Sigma detected: CobaltStrike Load by Rundll32; Sigma detected: CobaltStrike Process Patterns

Process tree (recovered from the behavior graph; signatures attached to a node are shown in brackets, collapsed nodes as "N other processes"):

loaddll64.exe
  rundll32.exe
    cmd.exe [Uses ping.exe to sleep]
      rundll32.exe (drops C:\Users\user\AppData\Local\...\bdlufrb.exe, PE32+)
        cmd.exe [Uses ping.exe to sleep]
          rundll32.exe [Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes]
            cmd.exe [Uses cmd line tools excessively to alter registry or file data]
              conhost.exe
              reg.exe
            cmd.exe
          conhost.exe
          PING.EXE
        cmd.exe [Uses cmd line tools excessively to alter registry or file data]
          reg.exe [Creates an autostart registry key pointing to binary in C:\Windows]
          conhost.exe
        cmd.exe
          conhost.exe
      2 other processes
  rundll32.exe [Uses cmd line tools excessively to alter registry or file data]
    cmd.exe (contacts 127.0.0.1)
      rundll32.exe
        reg.exe
        conhost.exe
      conhost.exe
      PING.EXE
  cmd.exe [Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks]
    rundll32.exe
  4 other processes
    cmd.exe
      rundll32.exe
      2 other processes
    cmd.exe
      rundll32.exe
      2 other processes
rundll32.exe
rundll32.exe
Threat name: Win64.Trojan.BazarLoader
Status: Malicious
First seen: 2021-08-27 19:09:06 UTC
AV detection: 10 of 28 (35.71%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
Runs ping.exe
Suspicious use of WriteProcessMemory
Unpacked files
SHA256 hash: 8a47b898b7c8aa16abef0d692c9c7bc123cee04c37027ac109df1c6d1fbd6f00
MD5 hash: 6a124d95c5c5038daf38b7d0d8719996
SHA1 hash: b1fc8fe4cc2e00479c8559ce4125af22175a1a07

Please note that we are no longer able to provide a coverage score for VirusTotal.
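The sandbox signatures listed above (ping.exe used as a sleep, reg.exe writing an autostart value that points into C:\Windows, and the recurring rundll32.exe -> cmd.exe -> rundll32.exe chain in the behavior graph) translate directly into rules over process-creation telemetry. The Python below is an added example, not code from MalwareBazaar or from any of the sandbox vendors; the events it runs on are constructed for illustration, since this page shows only process names and signature labels and not the sample's actual command lines. The pids, the DLL path, the export ordinals and the registry value data are assumptions.

```python
"""Detection rules for three of the sandbox signatures in this entry, run over
constructed process-creation events (Sysmon Event ID 1 style fields).
Added example: the events below are invented for illustration; the page shows
only process names and signature labels, not the sample's real command lines."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str    # full path of the created process
    cmdline: str  # its command line


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# "ping -n N 127.0.0.1" (or localhost) is a delay loop, not a reachability check;
# it is a sleep when chained (& / &&) with the next command of the same cmd.exe.
PING_LOOPBACK = re.compile(
    r"\bping(?:\.exe)?\s+-n\s+\d+\s+(?:127\.0\.0\.1|localhost)(?!\S)", re.I)
CMD_CHAIN = re.compile(r"\s&&?\s")

# reg.exe writing a Run/RunOnce value; /d carries the command that will autostart.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\b", re.I)
REG_DATA = re.compile(r'/d\s+(?:"([^"]*)"|(\S+))', re.I)


def ping_sleep(events):
    """Signature 'Uses ping.exe to sleep': cmd.exe pings loopback, then runs more."""
    return [e.pid for e in events
            if basename(e.image) == "cmd.exe"
            and PING_LOOPBACK.search(e.cmdline) and CMD_CHAIN.search(e.cmdline)]


def autostart_in_windows_dir(events):
    """Signature 'Creates an autostart registry key pointing to binary in C:\\Windows'."""
    hits = []
    for e in events:
        if basename(e.image) != "reg.exe" or not RUN_KEY.search(e.cmdline):
            continue
        if not re.search(r"\badd\b", e.cmdline, re.I):
            continue
        m = REG_DATA.search(e.cmdline)
        data = (m.group(1) or m.group(2)) if m else ""
        if data.lower().startswith("c:\\windows\\"):
            hits.append(e.pid)
    return hits


def rundll32_via_cmd_from_rundll32(events):
    """The graph's recurring chain rundll32.exe -> cmd.exe -> rundll32.exe:
    a DLL payload re-launching itself through a shell (often behind a ping sleep)."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) != "rundll32.exe":
            continue
        parent = by_pid.get(e.ppid)
        grand = by_pid.get(parent.ppid) if parent else None
        if (parent and grand and basename(parent.image) == "cmd.exe"
                and basename(grand.image) == "rundll32.exe"):
            hits.append(e.pid)
    return hits


def run_rules(events):
    return {
        "ping_sleep": ping_sleep(events),
        "autostart_in_windows_dir": autostart_in_windows_dir(events),
        "rundll32_via_cmd_from_rundll32": rundll32_via_cmd_from_rundll32(events),
    }


# Constructed events modelled on the shape of the behavior graph above.  The DLL
# path, export ordinals and the autostart target are assumptions, not observed values.
EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\System32\loaddll64.exe",
              r'loaddll64.exe "C:\Users\user\Desktop\44.dll"'),
    ProcEvent(1010, 1000, r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe "C:\Users\user\Desktop\44.dll",#1'),
    ProcEvent(1020, 1010, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c ping -n 5 127.0.0.1 && rundll32.exe "C:\Users\user\Desktop\44.dll",#2'),
    ProcEvent(1030, 1020, r"C:\Windows\System32\PING.EXE", "ping -n 5 127.0.0.1"),
    ProcEvent(1040, 1020, r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe "C:\Users\user\Desktop\44.dll",#2'),
    ProcEvent(1050, 1040, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run'
              r' /v Updater /t REG_SZ /d "C:\Windows\Temp\updater.exe" /f'),
    ProcEvent(1060, 1050, r"C:\Windows\System32\reg.exe",
              r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run'
              r' /v Updater /t REG_SZ /d "C:\Windows\Temp\updater.exe" /f'),
    # Control case: a single ping to a real host with no chained command is not a sleep.
    ProcEvent(1070, 1, r"C:\Windows\System32\cmd.exe", "cmd.exe /c ping -n 1 10.0.0.5"),
    ProcEvent(1080, 1070, r"C:\Windows\System32\PING.EXE", "ping -n 1 10.0.0.5"),
]

if __name__ == "__main__":
    for rule, pids in run_rules(EVENTS).items():
        print(f"{rule}: {pids}")
```

The ping rule deliberately requires both a loopback target and a chained command: a lone `ping -n 1 <host>` is ordinary reachability checking and should not fire, which is why the control event at the end is not reported. The chain rule keys on ancestry rather than on command-line content, so it still fires when the DLL path or export changes.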

File information


The table below shows additional information about this malware sample, such as delivery method and external references.

Web download
Executable exe 8a47b898b7c8aa16abef0d692c9c7bc123cee04c37027ac109df1c6d1fbd6f00 (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2021-08-27 19:08:49 UTC

url : hxxp://oaiqkkh.com/dll/44.dll