MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9dcbcfbebaa313cfef45601dae08a0406edd349fd9ffefee1a5fe8e0b673c4d9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9dcbcfbebaa313cfef45601dae08a0406edd349fd9ffefee1a5fe8e0b673c4d9
SHA3-384 hash: cd6d1bca93475e32256022355facee9723486cf99f6cf25abbefef527393556a44200bc168b1f39c82cbcf2f8911d051
SHA1 hash: 73776b5d6514216f52a1752f62d167c3c4649565
MD5 hash: 8f78b4017bd3746e7985dddd0ab8f57b
humanhash: twelve-monkey-enemy-muppet
File name:dl2_x64_19_393_47957_1_.dll
Download: download sample
Signature BazaLoader
Create hunting rule
File size:542'346 bytes
First seen:2021-09-10 13:47:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bca3ee8a0e3f7bb5fa6ef50a7287a698 (5 x BazaLoader)
ssdeep 6144:aMvJlnNXXOyFHe3xwdFjkvAb4OOM5+Laayxq/j4i4Vh/bVi+YcDcBm3YwW0sD07F:amNZ83xwXjkc7mORiGb3vQOzssF
Threatray 5 similar samples on MalwareBazaar
TLSH T187B44B2E5066154BFDA68C39DEC8B6E3C6977D3C8E36D5F3ACA0D2712D38151AD1A203
Reporter malwarelabnet
Tags:BazaLoader BazarLoader exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
dl2_x64_19_393_47957_1_.dll
Verdict:
No threats detected
Analysis date:
2021-09-10 13:49:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d299cabd-6124-4773-a88c-0fd1ca63606d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/186898/
Detection(s):
SecuriteInfo.com.Artemis8F78B4017BD3.21448.11455.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Transferring files using the Background Intelligent Transfer Service (BITS)
Connection attempt
Launching a process
Sending a UDP request
Malware family:
BazarBackdoor
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4a043968-1603-4b23-9889-ab9c5ebccb10
Result
Threat name:
Bazar Loader
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/848809
Signature
Allocates memory in foreign processes
Detected Bazar Loader
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: CobaltStrike Load by Rundll32
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 481240 Sample: dl2_x64_19_393_47957_1_.dll Startdate: 10/09/2021 Architecture: WINDOWS Score: 92 47 Detected Bazar Loader 2->47 49 Sigma detected: CobaltStrike Load by Rundll32 2->49 51 Sigma detected: Suspicious Svchost Process 2->51 8 loaddll64.exe 1 2->8         started        10 rundll32.exe 2->10         started        process3 process4 12 cmd.exe 1 8->12         started        14 iexplore.exe 1 74 8->14         started        17 rundll32.exe 8->17         started        19 7 other processes 8->19 dnsIp5 21 rundll32.exe 14 12->21         started        45 192.168.2.1 unknown unknown 14->45 25 iexplore.exe 148 14->25         started        process6 dnsIp7 31 167.172.37.9, 443, 49888, 49949 DIGITALOCEAN-ASNUS United States 21->31 53 System process connects to network (likely due to code injection or exploit) 21->53 55 Sets debug register (to hijack the execution of another thread) 21->55 57 Writes to foreign memory regions 21->57 59 4 other signatures 21->59 27 svchost.exe 21->27         started        33 edge.gycpi.b.yahoodns.net 87.248.118.23, 443, 49819, 49820 YAHOO-DEBDE United Kingdom 25->33 35 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49816, 49817 FASTLYUS United States 25->35 37 11 other IPs or domains 25->37 signatures8 process9 dnsIp10 39 whitestorm9p.bazar 27->39 41 tonuidem.bazar 27->41 43 18 other IPs or domains 27->43 61 System process connects to network (likely due to code injection or exploit) 27->61 63 Detected Bazar Loader 27->63 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9dcbcfbebaa313cfef45601dae08a0406edd349fd9ffefee1a5fe8e0b673c4d9/
Threat name:
Win64.Trojan.BazarLoader
Create hunting rule
Status:
Malicious
First seen:
2021-09-10 13:48:06 UTC
AV detection:
14 of 45 (31.11%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
020cdb33c05b46de2b27327759b0c02a8c0f3790f7c483bb9e4965cabe8a09c6
BazaLoader
976328794f9114fe51c80ce0f05e4a35a94802c2fd99f3eb3c8bdeccbff5adb7
BazaLoader
dcf67fd6bfb62bea66f5e45d871d6c15b0c61d85c5fa9e9ded03e57f83dfc814
BazaLoader
f796ca1010553654951b4ae4ca8ea20d473a6c272e635dc0904f0d3761f250d5
BazaLoader
Result
Malware family:
bazarloader
Create hunting rule
Score:
  10/10
Tags:
family:bazarloader dropper loader
Link:
https://tria.ge/reports/210910-q34ycsabg2/
Behaviour
Bazar/Team9 Loader payload
Bazar Loader
Unpacked files
SH256 hash:
9dcbcfbebaa313cfef45601dae08a0406edd349fd9ffefee1a5fe8e0b673c4d9
MD5 hash:
8f78b4017bd3746e7985dddd0ab8f57b
SHA1 hash:
73776b5d6514216f52a1752f62d167c3c4649565
Link:
https://www.unpac.me/results/e38f1745-e01d-473e-bc3f-08a508c0fd21/
Malware family:
BazarLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/9dcbcfbebaa3/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/9dcbcfbebaa313cfef45601dae08a0406edd349fd9ffefee1a5fe8e0b673c4d9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/186898/

Comments