MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b00e9220d23392c11ef9d92a97a7240205bfd27981dccab0828fb358242ca02. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b00e9220d23392c11ef9d92a97a7240205bfd27981dccab0828fb358242ca02
SHA3-384 hash: c73a594839355e33e105dffa64fcdb8775fc53663d17ba3a25294f4049850a24a60f088613893095261c54e0f5f18cad
SHA1 hash: 00699d87f8176cd95f86360b9a62a0f844d55fcf
MD5 hash: e2d7ac464982da3105903697ff9194ac
humanhash: lithium-bacon-fifteen-undress
File name:8b00e9220d23392c11ef9d92a97a7240205bfd27981dccab0828fb358242ca02.dll
Download: download sample
Signature BazaLoader
Create hunting rule
File size:481'801 bytes
First seen:2021-08-26 22:43:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 35890417b8426ce9add593489cc763e0 (5 x BazaLoader)
ssdeep 6144:JfhK4Oe8t9VVXESXclLbMD7CjcQJLSoxhKSwZHNKt6rAE4Div6qjtyFBP:ROJ3MlfMD7CVL9hgjMpEMmy3
Threatray 61 similar samples on MalwareBazaar
TLSH T193A4AF8A9591A247FED58C79DCD8F1D2C6837B395D3ADAF37CE4E03068281A4D89B113
Reporter N3utralZ0ne
Tags:BazaLoader BazarLoader exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8b00e9220d23392c11ef9d92a97a7240205bfd27981dccab0828fb358242ca02.dll
Verdict:
No threats detected
Analysis date:
2021-08-26 22:44:34 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d03cfdb7-251f-4075-b952-9259f5159fc3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/182774/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Transferring files using the Background Intelligent Transfer Service (BITS)
Connection attempt
Sending a custom TCP request
Launching a process
Sending a UDP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/75e0f92e-c38c-4e5b-9a56-c68252501eeb
Result
Threat name:
Bazar Loader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/840118
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Detected Bazar Loader
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: CobaltStrike Load by Rundll32
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to resolve many domain names, but no domain seems valid
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 472546 Sample: o8qD5hnaJq.dll Startdate: 27/08/2021 Architecture: WINDOWS Score: 100 39 yzjavre.bazar 2->39 41 toavvi.bazar 2->41 43 10 other IPs or domains 2->43 73 Multi AV Scanner detection for submitted file 2->73 75 Sigma detected: CobaltStrike Load by Rundll32 2->75 77 Sigma detected: Suspicious Svchost Process 2->77 9 loaddll64.exe 1 2->9         started        11 rundll32.exe 2->11         started        13 rundll32.exe 2->13         started        signatures3 79 Detected Bazar Loader 41->79 81 Tries to resolve many domain names, but no domain seems valid 41->81 process4 process5 15 cmd.exe 1 9->15         started        17 rundll32.exe 9->17         started        20 iexplore.exe 2 83 9->20         started        25 5 other processes 9->25 23 conhost.exe 11->23         started        dnsIp6 27 rundll32.exe 14 15->27         started        63 System process connects to network (likely due to code injection or exploit) 17->63 65 Allocates memory in foreign processes 17->65 67 Modifies the context of a thread in another process (thread injection) 17->67 71 2 other signatures 17->71 31 svchost.exe 17->31         started        51 waavre.bazar 20->51 33 iexplore.exe 7 147 20->33         started        signatures7 69 Tries to resolve many domain names, but no domain seems valid 51->69 process8 dnsIp9 53 94.140.112.22, 443, 49723, 49743 TELEMACHBroadbandAccessCarrierServicesSI Latvia 27->53 55 192.168.2.1 unknown unknown 27->55 89 Contains functionality to inject code into remote processes 27->89 91 Sets debug register (to hijack the execution of another thread) 27->91 93 Writes to foreign memory regions 27->93 99 4 other signatures 27->99 35 svchost.exe 27->35         started        57 onekvi.bazar 33->57 59 geolocation.onetrust.com 104.20.185.68, 443, 49715, 49716 CLOUDFLARENETUS United States 33->59 61 15 other IPs or domains 33->61 signatures10 95 Tries to resolve many domain names, but no domain seems valid 57->95 97 Detected Bazar Loader 59->97 process11 dnsIp12 45 yzygvi.bazar 35->45 47 yztwyyw.bazar 35->47 49 137 other IPs or domains 35->49 83 System process connects to network (likely due to code injection or exploit) 35->83 85 Detected Bazar Loader 35->85 signatures13 87 Tries to resolve many domain names, but no domain seems valid 47->87
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8b00e9220d23392c11ef9d92a97a7240205bfd27981dccab0828fb358242ca02/
Threat name:
Win64.Trojan.BazarLoader
Create hunting rule
Status:
Malicious
First seen:
2021-08-26 22:44:05 UTC
AV detection:
7 of 28 (25.00%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
0938352aa544baf8939184b41aa37f1cc09839e77508180654ac6ba5e39e1c5e
BazaLoader
2049636dacf350e2d08a2c977750ccbf4b8cc13732aac3863be940facd7a5989
BazaLoader
390145df647bf727bd629c4c4c77a211c0776f6b03eec501c35c377ed520165c
BazaLoader
6453ceabe384a96cf864d3699f39a18b33775dd1339524fe337b525da5727aa9
BazaLoader
82c4c174ad1822ac3c1a55b2e08e9987a9be2294f46508318e50f70566beab5c
BazaLoader
cbf60d6fa0473f1a0290e278479a1786daea784d7dc2a63198292f7a9ec1a2a1
BazaLoader
cc27c7c159716192b33257b7941ef2a61af998a39c2da47c1c5fc8863971bb0b
BazaLoader
+ 51 additional samples on MalwareBazaar
Result
Malware family:
bazarbackdoor
Create hunting rule
Score:
  10/10
Tags:
family:bazarbackdoor backdoor
Link:
https://tria.ge/reports/210826-24c5wxj636/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Bazar/Team9 Backdoor payload
BazarBackdoor
Unpacked files
SH256 hash:
8b00e9220d23392c11ef9d92a97a7240205bfd27981dccab0828fb358242ca02
MD5 hash:
e2d7ac464982da3105903697ff9194ac
SHA1 hash:
00699d87f8176cd95f86360b9a62a0f844d55fcf
Link:
https://www.unpac.me/results/9425f7b2-cf04-4524-8ce8-1e3983f04ba8/
Malware family:
BazarLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/8b00e9220d23/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/8b00e9220d23392c11ef9d92a97a7240205bfd27981dccab0828fb358242ca02

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/182774/

Comments