MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a00ea79b060c85b5a90fb7410c2ff5be7199100d2a16c80f1be0bf4c65b74ba9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a00ea79b060c85b5a90fb7410c2ff5be7199100d2a16c80f1be0bf4c65b74ba9
SHA3-384 hash: f21b1d4e7af1419225c7219002d351df05bc67bc00ec16a0e7304f3043a252d0df0229c70b28591d534221c408701c0f
SHA1 hash: f5055217196c833ab7ef602f3b0f61802367d7b2
MD5 hash: a2514fac953de1e31ece31471716c852
humanhash: oscar-east-autumn-east
File name:a2514fac_by_Libranalysis
Download: download sample
Signature BazaLoader
Create hunting rule
File size:417'280 bytes
First seen:2021-05-20 05:01:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 973964cddf257e3032182325a079782d (1 x BazaLoader)
ssdeep 12288:tGVk91sDJaT1sTBfiL0GC/eshsAirokw0wM:tGVk919Zs++es1Uokw
Threatray 100 similar samples on MalwareBazaar
TLSH CF948D3D364945FCCC638A3CD6F75568D131398C8238AF97CF2841764E379429EAAA1E
Reporter Libranalysis
Tags:BazaLoader


Avatar
Libranalysis
Uploaded as part of the sample sharing project

Intelligence

File Origin
# of uploads :
1
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
a2514fac_by_Libranalysis
Verdict:
No threats detected
Analysis date:
2021-05-20 05:05:41 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/62007542-c268-4831-ab12-38aa1f2f831b

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Downloader.3827.7506.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Transferring files using the Background Intelligent Transfer Service (BITS)
Sending a UDP request
Sending a custom TCP request
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/785772
Signature
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a00ea79b060c85b5a90fb7410c2ff5be7199100d2a16c80f1be0bf4c65b74ba9/
Threat name:
Win64.Trojan.Ligooc
Create hunting rule
Status:
Malicious
First seen:
2021-05-19 21:53:01 UTC
AV detection:
4 of 47 (8.51%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uahkpgygbsc3lkipw5aqyl7vxzyzseanfilmqdy34c7uyznxjouq._file
Verdict:
malicious
Similar samples:
1eba154cdc2e540704eebfaca2f51fb643c44129911eb9b668f82ab95c1b157d
BazaLoader
2526d899c4401d93b6ddba11e67e7539a9422f929605f578549a42a162303748
BazaLoader
2fe32b0f648bfe69c9873c7a57a62358057eab750a081f9285c11e94327c42d6
BazaLoader
4dc24a8bc92ce652fe90d90cfa7e1a9b4758955c79789daae6db825cbd1950a8
BazaLoader
5edd735e3c6b81d985f3eadd1f8cae24091b947699f1152528566124f22d5341
BazaLoader
6c499f0fb04581d0b02d532cec44b9f39c571ac5d4ae7f0b4bff6957a5bab329
BazaLoader
726446fc55650c11f0b38966a30de5b2d0e10805f23cf22f0c13969e2fe2914a
BazaLoader
bdbe4c345b4e7c8ae008c86bb052f015050a7d62d28c3507eaaa329d00f30572
BazaLoader
cca0563ae1aac9447ba5e3f73cafc63a21671e478dc198695db6c698a2a17d2b
BazaLoader
f554be4d3d5b1f05f69038bbe54acb8e92ae5b0e45368e2108ecfde515dc8d9f
BazaLoader
+ 90 additional samples on MalwareBazaar
Result
Malware family:
bazarloader
Create hunting rule
Score:
  10/10
Tags:
family:bazarbackdoor family:bazarloader backdoor dropper loader
Link:
https://tria.ge/reports/210520-pjgkjptt56/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Bazar/Team9 Backdoor payload
Bazar/Team9 Loader payload
Bazar Loader
BazarBackdoor
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a00ea79b060c85b5a90fb7410c2ff5be7199100d2a16c80f1be0bf4c65b74ba9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BazaLoader

Executable exe a00ea79b060c85b5a90fb7410c2ff5be7199100d2a16c80f1be0bf4c65b74ba9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1257693/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1257720/
  
URLhaus
https://urlhaus.abuse.ch/url/1257748/
  
URLhaus
https://urlhaus.abuse.ch/url/1257857/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-20 06:10:06 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0030.002] Command and Control::Receive Data
1) [B0030.001] Command and Control::Send Data
2) [C0011.001] Communication Micro-objective::Resolve::DNS Communication
3) [C0001.009] Communication Micro-objective::Initialize Winsock Library::Socket Communication
4) [C0001.006] Communication Micro-objective::Receive Data::Socket Communication
5) [C0001.007] Communication Micro-objective::Send Data::Socket Communication
6) [C0001.001] Communication Micro-objective::Set Socket Config::Socket Communication
7) [C0027.009] Cryptography Micro-objective::RC4::Encrypt Data
8) [C0021.004] Cryptography Micro-objective::RC4 PRGA::Generate Pseudo-random Sequence
9) [C0052] File System Micro-objective::Writes File
10) [C0034.001] Operating System Micro-objective::Set Variable::Environment Variable
11) [C0040] Process Micro-objective::Allocate Thread Local Storage
12) [C0038] Process Micro-objective::Create Thread
13) [C0041] Process Micro-objective::Set Thread Local Storage Value
14) [C0018] Process Micro-objective::Terminate Process