MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8e244f1a5b4653d6dbb4cc3978c7dd773b227a443361fbc30265b79f102f7eed. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BazaLoader

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	8e244f1a5b4653d6dbb4cc3978c7dd773b227a443361fbc30265b79f102f7eed
SHA3-384 hash:	4e0f06981a9709dca3f1a99ea58e75c08706b4e316b2167f007db8ad3e358c904c63825539fa510d59fb247b3b7a0c8f
SHA1 hash:	a97893ab95f794cabc261483423f942f552926d0
MD5 hash:	9ad20d0e6da3cf135a93bf162a0a8cfb
humanhash:	island-mobile-fourteen-twenty
File name:	9ad20d0e6da3cf135a93bf162a0a8cfb
Download:	download sample
Signature	BazaLoader Create hunting rule
File size:	295'616 bytes
First seen:	2021-01-23 13:44:24 UTC
Last seen:	2021-01-23 15:51:32 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	0899f7c2fdc641feac29f81d14915ab0 (2 x BazaLoader)
ssdeep	6144:76Jv2YDXl50J1QD1WE+/CU3G0o+bNaywv:7dgXlfDYqWGP+gywv
Threatray	83 similar samples on MalwareBazaar
TLSH	C854BE477290B4E9E7614238895085ACD3A67C3D8B23DF9FD2607E893F362D04DF9629
Reporter	johannes
Tags:	BazaLoader BazarLoader

Intelligence

File Origin

# of uploads :

# of downloads :

403

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

https://complaintsreport2020.gr8.com/

Verdict:

Malicious activity

Analysis date:

2021-01-20 18:17:05 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/5a2aa123-1788-4f89-a39b-fd6d494197ad

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/113625/

Detection(s):

SecuriteInfo.com.BackDoor.Bazar.55.3185.2755.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Changing a file

Sending a UDP request

DNS request

Sending a custom TCP request

Launching a process

Creating a process with a hidden window

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Bazar Loader

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/588867

Signature

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Sample uses process hollowing technique

Writes to foreign memory regions

Yara detected Bazar Loader

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/8e244f1a5b4653d6dbb4cc3978c7dd773b227a443361fbc30265b79f102f7eed/

Threat name:

Win64.Trojan.Bazarldr

Status:

Malicious

First seen:

2021-01-21 05:22:39 UTC

AV detection:

16 of 28 (57.14%)

Threat level:

5/5

Verdict:

malicious

BazaLoader

1a11f48cbdd0a8f256f4940d8e8dcf0ead80cbfdb6d6dd87c8b9b945c4051631

BazaLoader

1ea7aff75af63e55b05fd2d3015df1a3edfd1fcdad8305e1ff64611d37d97ee4

BazaLoader

26729effad95a8719e8716cb65aa5d5eb1ab255d4782f0d19471c1be963cffad

BazaLoader

2a7964c5d7268f4b320e91ad133654d75edca3c15f9e5c76dee7bf68634b933f

BazaLoader

5c59f12280cdfd8303296be2502e5800873fe8dd7aa800bddd18da475f787244

BazaLoader

8c99069bcb559bf7d9606af7ba1538cc8bacd79b4f3846f7487ec3b5179ef9d5

BazaLoader

cf6683d18904fde78028d901f9282099e3dc24a2ce6157003dced3ae387bdcfb

BazaLoader

d362c83e5a6701f9ae70c16063d743ea9fe6983d0c2b9aa2c2accf2d8ba5cb38

BazaLoader

f54cec2b04daafb0a1d612ef84913a1d03ef61d7de8b4c144414378c4415ac09

BazaLoader

+ 73 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

ransomware

Link:

https://tria.ge/reports/210123-6x9pnbkv6n/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Suspicious use of NtCreateUserProcessOtherParentProcess

Unpacked files

SH256 hash:

8e244f1a5b4653d6dbb4cc3978c7dd773b227a443361fbc30265b79f102f7eed

MD5 hash:

9ad20d0e6da3cf135a93bf162a0a8cfb

SHA1 hash:

a97893ab95f794cabc261483423f942f552926d0

Link:

https://www.unpac.me/results/36d18b9f-f259-4585-8172-51b9fa7c2900/

Malware family:

BazarLoader

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/8e244f1a5b46/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8e244f1a5b4653d6dbb4cc3978c7dd773b227a443361fbc30265b79f102f7eed

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	win_bazarbackdoor_auto Create hunting rule
Author:	Felix Bilstein - yara-signator at cocacoding dot com
Description:	autogenerated rule brought to you by yara-signator