MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8c281412e64050c64d1e734d844ecc6a94e7187378365d5d9ade89e67871d20e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8c281412e64050c64d1e734d844ecc6a94e7187378365d5d9ade89e67871d20e
SHA3-384 hash: 29752c34d2af86ae9d65fbfdd6380ce217d149fed1023224cc47a2ca489aab0318324e387495366fe3868e94bf89dc5d
SHA1 hash: 3e4c96cd6e9aa227e4ac95fb4f31cdb952933883
MD5 hash: bfe434f1b9025699318b22e3cd682d0b
humanhash: montana-alabama-green-zebra
File name:8c281412e64050c64d1e734d844ecc6a94e7187378365d5d9ade89e67871d20e
Download: download sample
Signature BazaLoader
Create hunting rule
File size:150'528 bytes
First seen:2021-07-17 18:46:54 UTC
Last seen:2021-07-17 19:32:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:8/caF9qoDTpJYzth+DhQ6GUiT9MJT7Hm1cjg6bbpa4X59WKFz:8kjKJchAQ6GUiqHHpjgIag5
Threatray 45 similar samples on MalwareBazaar
TLSH T1CEE35CE6238C5AC9D046BDBD8B35B777E0AAAC731F12C044F5622FC746345A98F14A83
Reporter Anonymous
Tags:BazaLoader exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
123
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
8c281412e64050c64d1e734d844ecc6a94e7187378365d5d9ade89e67871d20e
Verdict:
No threats detected
Analysis date:
2021-07-17 18:50:10 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/da1f70d9-0e05-41d4-8680-29da7234d237

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172361/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37247707.20449.15715.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8db3e002-c37f-48cf-b19a-51c559e53866
Result
Threat name:
Bazar Loader
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/817857
Signature
Allocates memory in foreign processes
Detected Bazar Loader
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: CobaltStrike Load by Rundll32
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 450268 Sample: tvyoAl3ESL Startdate: 17/07/2021 Architecture: WINDOWS Score: 100 28 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->28 30 Multi AV Scanner detection for submitted file 2->30 32 Detected Bazar Loader 2->32 34 2 other signatures 2->34 7 loaddll64.exe 1 2->7         started        9 rundll32.exe 2->9         started        process3 process4 11 rundll32.exe 15 7->11         started        15 cmd.exe 1 7->15         started        17 rundll32.exe 7->17         started        dnsIp5 26 35.165.197.209, 443, 49716 AMAZON-02US United States 11->26 36 System process connects to network (likely due to code injection or exploit) 11->36 38 Sets debug register (to hijack the execution of another thread) 11->38 40 Writes to foreign memory regions 11->40 42 4 other signatures 11->42 19 svchost.exe 14 11->19         started        22 rundll32.exe 15->22         started        signatures6 process7 dnsIp8 24 3.101.57.185, 443, 49727, 49728 AMAZON-02US United States 19->24
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8c281412e64050c64d1e734d844ecc6a94e7187378365d5d9ade89e67871d20e/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rqubiexgibimmti6ongyitwmnkkoogdtpa3f2xm232e6m6dr2iha._file
Verdict:
suspicious
Similar samples:
2526d899c4401d93b6ddba11e67e7539a9422f929605f578549a42a162303748
BazaLoader
665d2cbbe026c961b1506f5d45205959c817c7b69af4106a40e74186cee6eb94
BazaLoader
842e396f05d590ec88da30e6180dfb29a7aec16e3ef5b49398fde8b79e4090bd
BazaLoader
86d2aa04988befc74eccca5d99550f67093969b31aafa11cdce3476a4c59ba74
BazaLoader
943017c3097455cb8b4659412783705b4815c7b6d68b0809ff74a44bad8beb04
BazaLoader
a00ea79b060c85b5a90fb7410c2ff5be7199100d2a16c80f1be0bf4c65b74ba9
BazaLoader
bc8407aa092b9b316e72b6082699dd1432521f739eacfb57109bb1d759d89802
BazaLoader
d4f8894bcfb45d9c5185af6978aa7340bdc3373833ff88fc8f2c46364650cc4f
BazaLoader
+ 35 additional samples on MalwareBazaar
Result
Malware family:
bazarloader
Create hunting rule
Score:
  10/10
Tags:
family:bazarbackdoor family:bazarloader backdoor dropper loader
Link:
https://tria.ge/reports/210717-yrsct3lqw2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Blocklisted process makes network request
Bazar/Team9 Backdoor payload
Bazar/Team9 Loader payload
Bazar Loader
BazarBackdoor
Unpacked files
SH256 hash:
8c281412e64050c64d1e734d844ecc6a94e7187378365d5d9ade89e67871d20e
MD5 hash:
bfe434f1b9025699318b22e3cd682d0b
SHA1 hash:
3e4c96cd6e9aa227e4ac95fb4f31cdb952933883
Link:
https://www.unpac.me/results/8b9b9fdc-32c6-4478-9966-e61b006a5ac2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.30
Link:
https://yomi.yoroi.company/submissions/8c281412e64050c64d1e734d844ecc6a94e7187378365d5d9ade89e67871d20e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/172361/

Comments