MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9663dc275239aa93ceccedae7a0d54e10def18dd177d231264a323a4175a23d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9663dc275239aa93ceccedae7a0d54e10def18dd177d231264a323a4175a23d4
SHA3-384 hash: 1bd0e5154c4d0b066a0c112c578387d066c1f11f2288707db2cea51ce65e4a74d5b646399c6b7411d9a793513e057048
SHA1 hash: 1364419833344aa6ab3f301059d43b9506197501
MD5 hash: 96764a0a62e66a147a3d4db0e59a6e34
humanhash: helium-march-london-wyoming
File name:rest.exe
Download: download sample
Signature BazaLoader
Create hunting rule
File size:394'240 bytes
First seen:2021-05-05 22:20:40 UTC
Last seen:2021-05-05 22:58:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b7e261648ff26be2ffdbd713600ad55d (1 x BazaLoader)
ssdeep 12288:Kas/PVuNmL/dJ4OrQS+Q/F+Dgn91ZmkNE+yp:tNmhJ4OrQSfdwU9PmkNE+y
Threatray 59 similar samples on MalwareBazaar
TLSH 8C84AE83E2C210E5E07FDA71CBE55237FD2538136679EE1E42588A815F31BA06B79F06
Reporter Anonymous
Tags:BazaLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
123
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/151004/
Detection(s):
SecuriteInfo.com.Artemis96764A0A62E6.9281.14432.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %AppData% subdirectories
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Bazar Loader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/712712
Signature
Allocates memory in foreign processes
Contains functionality to compare user and computer (likely to detect sandboxes)
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes to foreign memory regions
Yara detected Bazar Loader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9663dc275239aa93ceccedae7a0d54e10def18dd177d231264a323a4175a23d4/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-05-05 20:25:52 UTC
AV detection:
10 of 29 (34.48%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=szr5yj2shgvjhtwm5wxhudku4eg66gg5c56sgeteumr2if22epka._file
Verdict:
malicious
Similar samples:
093f2b5a9d4628d9331751d7e6d3582cf097ab3f4091463ec895052dee8d22c3
BazaLoader
5b05cae0880543c3adc28a2d5a45af4931de6d2b4197d2d3c26e4471dd4cf2a8
BazaLoader
7853a7780ad43f72a514ed0ad5a1f8f53f9d3470bbdb396a243091017002d84a
BazaLoader
799016c221ca00a1888ac6db3dbbc9e81f53870e3ce154e0e4020009da1fc0a6
BazaLoader
7b86d02140dd6e4b537d1ca6a7a7ec8df70caaece6db092b13da58633f055f9d
BazaLoader
85ef348d39610c1d5f58e2524c0e929ec815a9fbe1f5924cdef7a0c05e58e5ad
BazaLoader
a3b2528b5e31ab1b82e68247a90ddce9a1237b2994ec739beb096f71d58e3d5b
BazaLoader
a8f0170ad5e5cdb0533ea888b0dbc97bc4bd23c9a0531e5e4b7cd1f05fa0875d
BazaLoader
c6964b25bb2cb50f34145266c6143c96c530690274270058551e67ab5676e9b6
BazaLoader
dfd5e26b62d9731d93b2ce8ec87bbf70fd63e4cd4e04d44dad3d82ca2f5e90fa
BazaLoader
+ 49 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210505-mq8bqqpk6x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
9663dc275239aa93ceccedae7a0d54e10def18dd177d231264a323a4175a23d4
MD5 hash:
96764a0a62e66a147a3d4db0e59a6e34
SHA1 hash:
1364419833344aa6ab3f301059d43b9506197501
Link:
https://www.unpac.me/results/d8667f8f-a7c2-44be-9916-ea54aaa1e224/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Dropper
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/9663dc275239aa93ceccedae7a0d54e10def18dd177d231264a323a4175a23d4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BazaLoader

Executable exe 9663dc275239aa93ceccedae7a0d54e10def18dd177d231264a323a4175a23d4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1197419/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/151004/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-05 23:00:31 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.025] Anti-Behavioral Analysis::Software Breakpoints
1) [C0026.002] Data Micro-objective::XOR::Encode Data
3) [C0052] File System Micro-objective::Writes File
4) [C0040] Process Micro-objective::Allocate Thread Local Storage
5) [C0041] Process Micro-objective::Set Thread Local Storage Value
6) [C0018] Process Micro-objective::Terminate Process