MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 943017c3097455cb8b4659412783705b4815c7b6d68b0809ff74a44bad8beb04. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 943017c3097455cb8b4659412783705b4815c7b6d68b0809ff74a44bad8beb04
SHA3-384 hash: 4dcd784bcfec0314f549b89aa1ab520bf8e894d64b0e67bb87771796b2bd26b1820987494f32852959e6bca24e73df6c
SHA1 hash: e06d49bff5e1bd10ac0257b76b1f8bc897871840
MD5 hash: a29cfaebde6924f90896ceb62a73e613
humanhash: moon-harry-kentucky-pasta
File name:BDGmLjgM.dat
Download: download sample
Signature BazaLoader
Create hunting rule
File size:254'469 bytes
First seen:2021-07-13 20:18:19 UTC
Last seen:2021-07-13 20:36:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0d1a6b969b07e39da284fa6350077274 (2 x BazaLoader)
ssdeep 3072:n1mD7Jo7475RoucVCqIYnqnLv9qIauz2eU1aoIt60z5W9XT25g:n4JQ475Ro5luv9qIauz2exeT2O
Threatray 30 similar samples on MalwareBazaar
TLSH T186448EF1665034E2E6D6DC7DCB3EFBA8E41526332B22A0C115F71E864219AF6DF12853
Reporter malware_traffic
Tags:BazaLoader BazarLoader dll


Avatar
malware_traffic
Run method: rundll32.exe [filename],StartW

Intelligence

File Origin
# of uploads :
2
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
BDGmLjgM.dat
Verdict:
Malicious activity
Analysis date:
2021-07-13 20:02:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b88582a9-2520-4b13-8d5f-3498a9a046dd

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/171512/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.30776.13166.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
IcedID
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/33c668b7-8ff4-4379-a35b-0b3387318fd4
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/815893
Signature
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: CobaltStrike Load by Rundll32
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 448304 Sample: BDGmLjgM.dat Startdate: 13/07/2021 Architecture: WINDOWS Score: 92 31 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->31 33 Sigma detected: CobaltStrike Load by Rundll32 2->33 35 Sigma detected: Suspicious Svchost Process 2->35 8 loaddll64.exe 1 2->8         started        10 rundll32.exe 2->10         started        process3 process4 12 cmd.exe 1 8->12         started        14 rundll32.exe 8->14         started        16 rundll32.exe 8->16         started        process5 18 rundll32.exe 15 12->18         started        dnsIp6 25 18.237.106.160, 443, 49720 AMAZON-02US United States 18->25 27 192.168.2.1 unknown unknown 18->27 37 System process connects to network (likely due to code injection or exploit) 18->37 39 Sets debug register (to hijack the execution of another thread) 18->39 41 Writes to foreign memory regions 18->41 43 4 other signatures 18->43 22 svchost.exe 14 18->22         started        signatures7 process8 dnsIp9 29 13.56.160.68, 443, 49733, 49734 AMAZON-02US United States 22->29
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/943017c3097455cb8b4659412783705b4815c7b6d68b0809ff74a44bad8beb04/
Threat name:
Win64.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-07-13 20:19:04 UTC
AV detection:
7 of 29 (24.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sqybpqyjork4xc2glfaspa3qlneblr5w22fqqcp7ossexlml5mca._file
Verdict:
suspicious
Similar samples:
1eba154cdc2e540704eebfaca2f51fb643c44129911eb9b668f82ab95c1b157d
BazaLoader
24f692b4ee982a145abf12c5c99079cfbc39e40bd64a3c07defaf36c7f75c7a9
BazaLoader
2fe32b0f648bfe69c9873c7a57a62358057eab750a081f9285c11e94327c42d6
BazaLoader
5edd735e3c6b81d985f3eadd1f8cae24091b947699f1152528566124f22d5341
BazaLoader
665d2cbbe026c961b1506f5d45205959c817c7b69af4106a40e74186cee6eb94
BazaLoader
842e396f05d590ec88da30e6180dfb29a7aec16e3ef5b49398fde8b79e4090bd
BazaLoader
912127a88af6cce3c806e6e0c124c80986198e888ab22f65639f70accbf395e5
BazaLoader
bc8407aa092b9b316e72b6082699dd1432521f739eacfb57109bb1d759d89802
BazaLoader
cca0563ae1aac9447ba5e3f73cafc63a21671e478dc198695db6c698a2a17d2b
BazaLoader
e04c5bfeda44a81b6c820bf89515ab98bce767728c34919bed27a2767926a514
BazaLoader
+ 20 additional samples on MalwareBazaar
Result
Malware family:
bazarbackdoor
Create hunting rule
Score:
  10/10
Tags:
family:bazarbackdoor backdoor
Link:
https://tria.ge/reports/210713-5nqqphsr3s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Blocklisted process makes network request
Bazar/Team9 Backdoor payload
BazarBackdoor
Unpacked files
SH256 hash:
943017c3097455cb8b4659412783705b4815c7b6d68b0809ff74a44bad8beb04
MD5 hash:
a29cfaebde6924f90896ceb62a73e613
SHA1 hash:
e06d49bff5e1bd10ac0257b76b1f8bc897871840
Link:
https://www.unpac.me/results/6e08e3db-9569-4c1f-bd85-754f9d4ad53f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/943017c3097455cb8b4659412783705b4815c7b6d68b0809ff74a44bad8beb04

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/171512/

Comments