MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f69a3a077e12b5e4ab5a446606f0fc226b827dcafb4f8e1768253b252dca895. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BazaLoader
Vendor detections: 7

SHA256 hash: 8f69a3a077e12b5e4ab5a446606f0fc226b827dcafb4f8e1768253b252dca895
SHA3-384 hash: d5b86f836449fb66e6922c843abae5fcdc7ef0d634cacfb7794ecff1366e012d488453240b398ee4d51486153eeda8b6
SHA1 hash: 40da9f5cbba17001805ef6ebd920f99743f044cc
MD5 hash: 3398fc38ef281ae2268478dd621445a2
humanhash: apart-three-island-oranges
File name: WGEcMZQA.dll
Signature: BazaLoader
File size: 156'689 bytes
First seen: 2021-10-16 09:33:26 UTC
Last seen: 2021-10-16 11:24:58 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 8734d13b604485dd72631733999be873 (1 x BazaLoader)
ssdeep: 3072:1SCAfk5O3REv4JksXfeyREnB41qRsPav6KDhcMePnwQ5c44IZUA7:3Ac5aeoK41Mqav6KOzP3cRA7
Threatray: 36 similar samples on MalwareBazaar
TLSH: T1D0E3BFF3487792AAEC309D778794F43F639EF8A3D7A7018017A85A76866F481CC76106
Reporter: Rony
Tags: BazaLoader BazarLoader dll exe X64

Intelligence

File Origin
# of uploads: 2
# of downloads: 245
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: WGEcMZQA.dll
Verdict: No threats detected
Analysis date: 2021-10-16 09:35:58 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Transferring files using the Background Intelligent Transfer Service (BITS)
Launching a process

Verdict: Suspicious
Threat level: 5/10
Confidence: 67%
Tags: overlay packed
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: Bazar Loader
Detection: malicious
Classification: spre.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Detected Bazar Loader
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Performs a network lookup / discovery via net view
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: Dridex Process Pattern
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Behaviour
Behavior Graph (ID: 503901; Sample: WGEcMZQA.dll; Startdate: 16/10/2021; Architecture: WINDOWS; Score: 100)

Top-level signatures:
  Multi AV Scanner detection for submitted file
  Detected Bazar Loader
  Sigma detected: Dridex Process Pattern
  Sigma detected: Suspicious Svchost Process

Process tree (numbers in brackets are the graph's own node IDs; network entries are listed as the graph gives them: host, port, port ...):
  loaddll64.exe [8]
    network: 5.255.97.236, 443, 49801, 49898 (LITESERVERNL, Netherlands); www-amazon-com.customer.fastly.net 162.219.225.118, 443, 49803, 49914 (ALLO-COMMUS, United States); 7 other IPs or domains
    signatures: Contains functionality to inject code into remote processes; Sets debug register (to hijack the execution of another thread); Writes to foreign memory regions; 4 other signatures
    rundll32.exe [16]
      network: 87.248.100.216, 443, 49902, 49917 (YAHOO-IRDGB, United Kingdom); www-amazon-com.customer.fastly.net; 7 other IPs or domains
      signatures: System process connects to network (likely due to code injection or exploit); Allocates memory in foreign processes; Modifies the context of a thread in another process (thread injection); 2 other signatures
      svchost.exe [26]
    svchost.exe [20]
      network: www-amazon-com.customer.fastly.net; 5.255.97.234, 443, 49915, 49928 (LITESERVERNL, Netherlands); 9 other IPs or domains
      signatures: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Performs a network lookup / discovery via net view
      net.exe [28] -> conhost.exe [41], net1.exe [43]
      net.exe [30] -> conhost.exe [45], net1.exe [47]
      net.exe [32] -> conhost.exe [49], net1.exe [51]
      2 other processes [39] -> conhost.exe [53], conhost.exe [55]
    iexplore.exe [22]
      iexplore.exe [34]
        network: geolocation.onetrust.com 104.20.185.68, 443, 49777, 49778 (CLOUDFLARENETUS, United States); lg3.media.net 95.100.216.34, 443, 49775, 49776 (AKAMAI-ASUS, European Union); 4 other IPs or domains
    3 other processes [24]
      rundll32.exe [37]
  rundll32.exe [12]
  rundll32.exe [14]
Threat name: Win64.Trojan.GenericML
Status: Malicious
First seen: 2021-10-16 01:25:00 UTC
AV detection: 6 of 28 (21.43%)
Threat level: 5/5

Result
Malware family: bazarloader
Score: 10/10
Tags: family:bazarloader dropper loader
Behaviour
Bazar/Team9 Loader payload
Bazar Loader

Unpacked files
SHA256 hash: 8f69a3a077e12b5e4ab5a446606f0fc226b827dcafb4f8e1768253b252dca895
MD5 hash: 3398fc38ef281ae2268478dd621445a2
SHA1 hash: 40da9f5cbba17001805ef6ebd920f99743f044cc
Malware family: BazarLoader
Verdict: Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.
