MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ea46ac64f5af7bb295a8b784738fc11fc0fde1543d7da43c0f97f88950185c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8ea46ac64f5af7bb295a8b784738fc11fc0fde1543d7da43c0f97f88950185c4
SHA3-384 hash: 31f3763e7730f8b2cd90418d373d9d3e3429fb7d93f60f874e75f003fcac8ff72c18486ce4a8be6a8da9811cf54af5c6
SHA1 hash: 56b71f91e7a1455c530751d254c81d184a15dc4d
MD5 hash: e3e05d75c47fdb8a7a0941874fc11d06
humanhash: three-batman-double-bulldog
File name:StNsbaY.dat
Download: download sample
Signature BazaLoader
Create hunting rule
File size:481'809 bytes
First seen:2021-08-27 18:12:43 UTC
Last seen:2021-08-27 18:52:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 35890417b8426ce9add593489cc763e0 (5 x BazaLoader)
ssdeep 6144:JfhK4Oe8t9VVXESXclLbMD7CjcQJLSoxhKSwZHNKt6rAE4Div6qjtyFBO:ROJ3MlfMD7CVL9hgjMpEMmy2
Threatray 65 similar samples on MalwareBazaar
TLSH T15BA4AF8A9591A247FED58C79DCD8F1D2C6837B395D3ADAF37CE4E03068281A4D89B113
Reporter malware_traffic
Tags:BazaLoader BazarLoader dll exe


Avatar
malware_traffic
Run method: rundll32.exe [filename],StartW

Intelligence

File Origin
# of uploads :
2
# of downloads :
284
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
StNsbaY.dat
Verdict:
Malicious activity
Analysis date:
2021-08-26 22:21:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4b194c84-2663-45e3-8e19-153a3a6dd024

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/182974/
Detection(s):
SecuriteInfo.com.Win64.BazarLoader.AZ.9736.2465.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Transferring files using the Background Intelligent Transfer Service (BITS)
Connection attempt
Sending a custom TCP request
Launching a process
Sending a UDP request
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Malware family:
BazarBackdoor
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/acbeea63-eee8-403d-bcf6-d0f5cefbccfe
Result
Threat name:
Bazar Loader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/840554
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Detected Bazar Loader
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: CobaltStrike Load by Rundll32
Sigma detected: Regsvr32 Command Line Without DLL
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to resolve many domain names, but no domain seems valid
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 472985 Sample: StNsbaY.dat Startdate: 27/08/2021 Architecture: WINDOWS Score: 100 33 eravvi.bazar 2->33 35 ekwyom.bazar 2->35 37 16 other IPs or domains 2->37 61 Multi AV Scanner detection for submitted file 2->61 63 Sigma detected: CobaltStrike Load by Rundll32 2->63 65 Sigma detected: Suspicious Svchost Process 2->65 67 Sigma detected: Regsvr32 Command Line Without DLL 2->67 8 loaddll64.exe 15 2->8         started        11 rundll32.exe 2->11         started        13 rundll32.exe 2->13         started        signatures3 69 Detected Bazar Loader 35->69 71 Tries to resolve many domain names, but no domain seems valid 35->71 process4 signatures5 73 Contains functionality to inject code into remote processes 8->73 75 Sets debug register (to hijack the execution of another thread) 8->75 77 Writes to foreign memory regions 8->77 79 4 other signatures 8->79 15 regsvr32.exe 14 8->15         started        19 iexplore.exe 1 75 8->19         started        21 cmd.exe 1 8->21         started        23 6 other processes 8->23 process6 dnsIp7 51 94.140.112.22, 443, 49722, 49738 TELEMACHBroadbandAccessCarrierServicesSI Latvia 15->51 53 System process connects to network (likely due to code injection or exploit) 15->53 55 Allocates memory in foreign processes 15->55 57 Modifies the context of a thread in another process (thread injection) 15->57 59 2 other signatures 15->59 25 svchost.exe 15->25         started        29 iexplore.exe 159 19->29         started        31 rundll32.exe 21->31         started        signatures8 process9 dnsIp10 39 yzygvi.bazar 25->39 41 yzwyyw.bazar 25->41 47 213 other IPs or domains 25->47 81 System process connects to network (likely due to code injection or exploit) 25->81 83 Detected Bazar Loader 25->83 43 geolocation.onetrust.com 104.20.185.68, 443, 49713, 49714 CLOUDFLARENETUS United States 29->43 45 outbrain.map.fastly.net 151.101.14.132, 443, 49731, 49732 FASTLYUS United States 29->45 49 9 other IPs or domains 29->49 signatures11 85 Tries to resolve many domain names, but no domain seems valid 41->85
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8ea46ac64f5af7bb295a8b784738fc11fc0fde1543d7da43c0f97f88950185c4/
Threat name:
Win64.Trojan.Kryplod
Create hunting rule
Status:
Malicious
First seen:
2021-08-27 00:52:41 UTC
AV detection:
6 of 43 (13.95%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
0938352aa544baf8939184b41aa37f1cc09839e77508180654ac6ba5e39e1c5e
BazaLoader
2049636dacf350e2d08a2c977750ccbf4b8cc13732aac3863be940facd7a5989
BazaLoader
542ef83f25fbe709d0eb6666fe9615d15a96e87dcd3f2e270a40a6ed9e017f12
BazaLoader
62e646b44c307979e5385208bf0c698a08f8db0b9bdb839815b8bcd5ed9e3a38
BazaLoader
6453ceabe384a96cf864d3699f39a18b33775dd1339524fe337b525da5727aa9
BazaLoader
82c4c174ad1822ac3c1a55b2e08e9987a9be2294f46508318e50f70566beab5c
BazaLoader
8b00e9220d23392c11ef9d92a97a7240205bfd27981dccab0828fb358242ca02
BazaLoader
cc27c7c159716192b33257b7941ef2a61af998a39c2da47c1c5fc8863971bb0b
BazaLoader
+ 55 additional samples on MalwareBazaar
Result
Malware family:
bazarbackdoor
Create hunting rule
Score:
  10/10
Tags:
family:bazarbackdoor backdoor
Link:
https://tria.ge/reports/210827-lrr2b5g382/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Bazar/Team9 Backdoor payload
BazarBackdoor
Unpacked files
SH256 hash:
8ea46ac64f5af7bb295a8b784738fc11fc0fde1543d7da43c0f97f88950185c4
MD5 hash:
e3e05d75c47fdb8a7a0941874fc11d06
SHA1 hash:
56b71f91e7a1455c530751d254c81d184a15dc4d
Link:
https://www.unpac.me/results/f4f2bd82-515a-4d21-b8a6-fd06a94c6dad/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/8ea46ac64f5af7bb295a8b784738fc11fc0fde1543d7da43c0f97f88950185c4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/182974/

Comments