MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 986d22f03f04424181bc773a42db6283722baffe40b031d97c9562ab0ed8a6ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 986d22f03f04424181bc773a42db6283722baffe40b031d97c9562ab0ed8a6ae
SHA3-384 hash: a6876246d246ee8997cc46dd3d892f753b600bc25e4bd687f794d10729ecd5c06121f9bb2aecaa0272d34a2763e3dade
SHA1 hash: 6037567a44fc6fd5e44519ab6a205ac53ba97fff
MD5 hash: d68207a53432cdab35cc3692b385f065
humanhash: carbon-arizona-bacon-zebra
File name:vWJpojwO.dll
Download: download sample
Signature BazaLoader
Create hunting rule
File size:505'856 bytes
First seen:2021-07-29 16:11:16 UTC
Last seen:2021-07-29 16:49:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a20b734dd6778afe7198f19f86ad494d (1 x BazaLoader)
ssdeep 12288:60yCotCdmK6d2DHLej32Ea8uG8VgL8YwV:QTCgd+HLeZuG8VWw
Threatray 46 similar samples on MalwareBazaar
TLSH T1A7B48C45FAA485B5E06FD239C9B2864BE7B2349C4B7497CB4298872D2F336E15D3D320
Reporter malware_traffic
Tags:bazacall BazaLoader BazarCall BazarLoader dll


Avatar
malware_traffic
Run method: rundll32.exe [filename],GlobalOut

Intelligence

File Origin
# of uploads :
2
# of downloads :
230
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
vWJpojwO.dll
Verdict:
No threats detected
Analysis date:
2021-07-29 16:13:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/fa8efa17-c066-4352-a13a-acdc3c10b407

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175103/
Detection(s):
SecuriteInfo.com..25662.15113.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/1597b54d-df71-419c-936c-a349f01ea7d1
Result
Threat name:
Bazar Loader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/823997
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Detected Bazar Loader
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Bazar Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 456415 Sample: vWJpojwO.dll Startdate: 29/07/2021 Architecture: WINDOWS Score: 100 33 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->33 35 Detected Bazar Loader 2->35 37 Yara detected Bazar Loader 2->37 39 Sigma detected: Suspicious Svchost Process 2->39 8 loaddll64.exe 1 2->8         started        10 rundll32.exe 2->10         started        process3 process4 12 rundll32.exe 14 8->12         started        16 cmd.exe 1 8->16         started        18 rundll32.exe 8->18         started        dnsIp5 31 195.123.233.106, 443, 49697 GREENFLOID-ASUA Bulgaria 12->31 41 System process connects to network (likely due to code injection or exploit) 12->41 43 Contains functionality to inject code into remote processes 12->43 45 Sets debug register (to hijack the execution of another thread) 12->45 47 5 other signatures 12->47 20 svchost.exe 13 12->20         started        23 MpCmdRun.exe 1 16->23         started        25 rundll32.exe 16->25         started        signatures6 process7 dnsIp8 29 13.52.241.196, 443, 49708, 49709 AMAZON-02US United States 20->29 27 conhost.exe 23->27         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/986d22f03f04424181bc773a42db6283722baffe40b031d97c9562ab0ed8a6ae/
Verdict:
malicious
Similar samples:
24f692b4ee982a145abf12c5c99079cfbc39e40bd64a3c07defaf36c7f75c7a9
BazaLoader
5afed1ccccb12db0f6da9f25c43d10b4e63995881b65526004cd6f6a390c792d
BazaLoader
86d2aa04988befc74eccca5d99550f67093969b31aafa11cdce3476a4c59ba74
BazaLoader
943017c3097455cb8b4659412783705b4815c7b6d68b0809ff74a44bad8beb04
BazaLoader
a701108be3d3802eba7c79c5c68afc0fee833595cdada8df5ac02ef9b97d2ad1
BazaLoader
cca0563ae1aac9447ba5e3f73cafc63a21671e478dc198695db6c698a2a17d2b
BazaLoader
e04c5bfeda44a81b6c820bf89515ab98bce767728c34919bed27a2767926a514
BazaLoader
fd001fb71e9faa68c6e53162ed0554fd6f16a0e381aa280cea397b3d74bb62eb
BazaLoader
+ 36 additional samples on MalwareBazaar
Result
Malware family:
bazarbackdoor
Create hunting rule
Score:
  10/10
Tags:
family:bazarbackdoor backdoor suricata
Link:
https://tria.ge/reports/210729-wp4mbab14a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Blocklisted process makes network request
Bazar/Team9 Backdoor payload
BazarBackdoor
suricata: ET MALWARE Observed Malicious SSL Cert (BazaLoader CnC)
suricata: ET MALWARE Observed Malicious SSL Cert (Bazar Backdoor)
Unpacked files
SH256 hash:
986d22f03f04424181bc773a42db6283722baffe40b031d97c9562ab0ed8a6ae
MD5 hash:
d68207a53432cdab35cc3692b385f065
SHA1 hash:
6037567a44fc6fd5e44519ab6a205ac53ba97fff
Link:
https://www.unpac.me/results/ed3b72f1-97ac-4e38-90a8-d55586dee807/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/986d22f03f04424181bc773a42db6283722baffe40b031d97c9562ab0ed8a6ae

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/175103/

Comments