MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a514f0ca924692ce32d35da9aab7b0ca806b8ae1542c24b42b5438f10925e9eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a514f0ca924692ce32d35da9aab7b0ca806b8ae1542c24b42b5438f10925e9eb
SHA3-384 hash: 7d44993bb44dcc7493b162eb1d89178050aab0ebb7e123b654791622c7ac4df0ad9d361fef23aa772869f7bccc8ec849
SHA1 hash: d46a1a708f2fc91815c3ed848c607dd6a5d9ec69
MD5 hash: 6bbd37a745495233a5273393e3573815
humanhash: alaska-king-item-neptune
File name:d46a1a708f2fc91815c3ed848c607dd6a5d9ec69.dll
Download: download sample
Signature BazaLoader
Create hunting rule
File size:267'795 bytes
First seen:2021-08-05 20:32:45 UTC
Last seen:2021-08-05 22:03:48 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 6144:a/tGD3qpWqqLZ3J2wYtJkLJPSPuEZ6tcUxHW68waW4+T0kU5URG52H5HH5d:a/cDxqqLVJ2wqaV6PuS6tcUxHW6naW4U
Threatray 6 similar samples on MalwareBazaar
TLSH T12A447E76F39619A9F5C3C87EE306B2B1D1032C266BAAE591543F03F34075095DE66E23
Reporter Anonymous
Tags:BazaLoader exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
140
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d46a1a708f2fc91815c3ed848c607dd6a5d9ec69.dll
Verdict:
No threats detected
Analysis date:
2021-08-05 20:36:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/248277c7-5c73-4dcb-b73d-0d32307e9909

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/176829/
Detection(s):
SecuriteInfo.com.Variant.Razy.902568.9588.8642.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Connection attempt
Sending a custom TCP request
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/7b688756-75c4-43d9-8d69-5ddda39f1553
Result
Threat name:
Bazar Loader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/827753
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Detected Bazar Loader
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: CobaltStrike Load by Rundll32
Sigma detected: Regsvr32 Command Line Without DLL
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Tries to resolve many domain names, but no domain seems valid
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 460191 Sample: 8Y72hvAEZR.dll Startdate: 05/08/2021 Architecture: WINDOWS Score: 100 32 yzavom.bazar 2->32 34 waavyw.bazar 2->34 36 21 other IPs or domains 2->36 54 Multi AV Scanner detection for submitted file 2->54 56 Sigma detected: CobaltStrike Load by Rundll32 2->56 58 Sigma detected: Suspicious Svchost Process 2->58 60 Sigma detected: Regsvr32 Command Line Without DLL 2->60 8 loaddll64.exe 1 2->8         started        signatures3 62 Detected Bazar Loader 34->62 64 Tries to resolve many domain names, but no domain seems valid 34->64 process4 process5 10 regsvr32.exe 13 8->10         started        14 rundll32.exe 8->14         started        16 iexplore.exe 2 73 8->16         started        18 9 other processes 8->18 dnsIp6 50 164.90.164.50, 443, 49710, 49756 DIGITALOCEAN-ASNUS United States 10->50 52 192.168.2.1 unknown unknown 10->52 72 Contains functionality to inject code into remote processes 10->72 74 Sets debug register (to hijack the execution of another thread) 10->74 76 Writes to foreign memory regions 10->76 86 2 other signatures 10->86 20 svchost.exe 10->20         started        78 System process connects to network (likely due to code injection or exploit) 14->78 80 Allocates memory in foreign processes 14->80 82 Modifies the context of a thread in another process (thread injection) 14->82 24 svchost.exe 14->24         started        26 backgroundTaskHost.exe 14->26         started        28 iexplore.exe 2 155 16->28         started        30 rundll32.exe 18->30         started        signatures7 84 Detected Bazar Loader 50->84 process8 dnsIp9 38 yzygvi.bazar 20->38 40 yzekyw.bazar 20->40 46 198 other IPs or domains 20->46 66 System process connects to network (likely due to code injection or exploit) 20->66 68 Detected Bazar Loader 20->68 42 yrekyw.bazar 28->42 44 dart.l.doubleclick.net 142.250.186.102, 443, 49732, 49733 GOOGLEUS United States 28->44 48 13 other IPs or domains 28->48 signatures10 70 Tries to resolve many domain names, but no domain seems valid 42->70
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a514f0ca924692ce32d35da9aab7b0ca806b8ae1542c24b42b5438f10925e9eb/
Threat name:
Win64.Trojan.Kryplod
Create hunting rule
Status:
Malicious
First seen:
2021-08-05 20:33:04 UTC
AV detection:
6 of 46 (13.04%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
14a459aaee0a8ef5851953fcef309cfa5a762e9bf001c758d46fed97d285ded0
BazaLoader
1a7ac36779e8df2854cd900ef836e9ba34ec63f7831ab3dc8862f75007841682
BazaLoader
70c2422033dd395c0a6c15b5e6dbdde34aa65b7481d4b8298e70e0c3e72a2182
BazaLoader
a66f69b2c2320fa2bb4b6ab429dd318903db14a56418acc54ecffac8c9592afe
BazaLoader
d384dfdd90da4645a8d74956534cfcef7fcbbf4ed654e61b3d27384616b4bc4a
BazaLoader
Result
Malware family:
bazarloader
Create hunting rule
Score:
  10/10
Tags:
family:bazarloader dropper loader
Link:
https://tria.ge/reports/210805-as7z1rjemn/
Behaviour
Bazar/Team9 Loader payload
Bazar Loader
Unpacked files
SH256 hash:
a514f0ca924692ce32d35da9aab7b0ca806b8ae1542c24b42b5438f10925e9eb
MD5 hash:
6bbd37a745495233a5273393e3573815
SHA1 hash:
d46a1a708f2fc91815c3ed848c607dd6a5d9ec69
Link:
https://www.unpac.me/results/a7d918de-0666-40a7-b557-775ea49fad1d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.14
Link:
https://yomi.yoroi.company/submissions/a514f0ca924692ce32d35da9aab7b0ca806b8ae1542c24b42b5438f10925e9eb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/176829/

Comments