MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 976328794f9114fe51c80ce0f05e4a35a94802c2fd99f3eb3c8bdeccbff5adb7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 976328794f9114fe51c80ce0f05e4a35a94802c2fd99f3eb3c8bdeccbff5adb7
SHA3-384 hash: fca2d4f5c06173b64da92957cc1a87539dc8c3e70a75f3edce89a0be64782550f34c15073eaea39511e049d3ffdbf5e8
SHA1 hash: 40bc0636ae02ccfb8fae6b61e5832394407820b6
MD5 hash: 2ef62d4e2ad507174fce279e35f05fb0
humanhash: monkey-one-high-william
File name:dl2_x64_19_393_47957_1.dll
Download: download sample
Signature BazaLoader
Create hunting rule
File size:542'346 bytes
First seen:2021-09-10 13:31:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bca3ee8a0e3f7bb5fa6ef50a7287a698 (5 x BazaLoader)
ssdeep 6144:aMvJlnNXXOyFHe3xwdFjkvAb4OOM5+Laayxq/j4i4Vh/bVi+YcDcBm3YwW0sD06F:amNZ83xwXjkc7mORiGb3vQOzsVF
Threatray 4 similar samples on MalwareBazaar
TLSH T134B44B2E5066154BFDA68C39DEC8B6E3C6977D3C8E36D5F3ACA0D2712D38151AD1A203
Reporter malwarelabnet
Tags:BazaLoader BazarLoader exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dl2_x64_19_393_47957_1.dll
Verdict:
No threats detected
Analysis date:
2021-09-10 13:32:07 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/78b76136-14a2-4578-88d3-d9741088b331

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/186892/
Detection(s):
SecuriteInfo.com.VHO.Trojan.Win64.Kryplod.gen.25049.6438.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Transferring files using the Background Intelligent Transfer Service (BITS)
Connection attempt
Launching a process
Sending a UDP request
Malware family:
BazarBackdoor
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bee756cc-0aea-468a-96fc-494fac757abd
Result
Threat name:
Bazar Loader
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/848797
Signature
Allocates memory in foreign processes
Detected Bazar Loader
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: CobaltStrike Load by Rundll32
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 481228 Sample: dl2_x64_19_393_47957_1.dll Startdate: 10/09/2021 Architecture: WINDOWS Score: 100 44 Multi AV Scanner detection for submitted file 2->44 46 Detected Bazar Loader 2->46 48 Sigma detected: CobaltStrike Load by Rundll32 2->48 50 Sigma detected: Suspicious Svchost Process 2->50 8 loaddll64.exe 1 2->8         started        10 rundll32.exe 2->10         started        process3 process4 12 cmd.exe 1 8->12         started        14 iexplore.exe 1 76 8->14         started        16 rundll32.exe 8->16         started        18 7 other processes 8->18 process5 20 rundll32.exe 14 12->20         started        24 iexplore.exe 146 14->24         started        dnsIp6 30 167.172.37.9, 443, 49850, 49951 DIGITALOCEAN-ASNUS United States 20->30 52 System process connects to network (likely due to code injection or exploit) 20->52 54 Sets debug register (to hijack the execution of another thread) 20->54 56 Writes to foreign memory regions 20->56 58 4 other signatures 20->58 26 svchost.exe 20->26         started        32 edge.gycpi.b.yahoodns.net 87.248.118.23, 443, 49826, 49827 YAHOO-DEBDE United Kingdom 24->32 34 geolocation.onetrust.com 104.20.185.68, 443, 49780, 49781 CLOUDFLARENETUS United States 24->34 36 9 other IPs or domains 24->36 signatures7 process8 dnsIp9 38 whitestorm9p.bazar 26->38 40 tonuidem.bazar 26->40 42 19 other IPs or domains 26->42 60 System process connects to network (likely due to code injection or exploit) 26->60 62 Detected Bazar Loader 26->62 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/976328794f9114fe51c80ce0f05e4a35a94802c2fd99f3eb3c8bdeccbff5adb7/
Threat name:
Win64.Trojan.BazarLoader
Create hunting rule
Status:
Malicious
First seen:
2021-09-10 13:31:51 UTC
AV detection:
14 of 45 (31.11%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
020cdb33c05b46de2b27327759b0c02a8c0f3790f7c483bb9e4965cabe8a09c6
BazaLoader
dcf67fd6bfb62bea66f5e45d871d6c15b0c61d85c5fa9e9ded03e57f83dfc814
BazaLoader
f796ca1010553654951b4ae4ca8ea20d473a6c272e635dc0904f0d3761f250d5
BazaLoader
Result
Malware family:
bazarloader
Create hunting rule
Score:
  10/10
Tags:
family:bazarloader dropper loader
Link:
https://tria.ge/reports/210910-qsyzcsdcck/
Behaviour
Bazar/Team9 Loader payload
Bazar Loader
Unpacked files
SH256 hash:
976328794f9114fe51c80ce0f05e4a35a94802c2fd99f3eb3c8bdeccbff5adb7
MD5 hash:
2ef62d4e2ad507174fce279e35f05fb0
SHA1 hash:
40bc0636ae02ccfb8fae6b61e5832394407820b6
Link:
https://www.unpac.me/results/51705eee-c05c-4d3f-92a5-41ea0890021a/
Malware family:
BazarLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/976328794f91/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/976328794f9114fe51c80ce0f05e4a35a94802c2fd99f3eb3c8bdeccbff5adb7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/186892/

Comments