MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a66f69b2c2320fa2bb4b6ab429dd318903db14a56418acc54ecffac8c9592afe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a66f69b2c2320fa2bb4b6ab429dd318903db14a56418acc54ecffac8c9592afe
SHA3-384 hash: 2ce202bb76355dc3465aa82b857051e0487c0d89bd1e7d43a62dcf1d61ef6afdd0000d35f84f504adaa1c177a3a6832e
SHA1 hash: 6241b7d081a023c3b61db2bcba470b897e8adf2c
MD5 hash: b14a3e1c4cc77b3e5413b34d42a2d0fe
humanhash: freddie-illinois-london-winter
File name:vaq3.dll
Download: download sample
Signature BazaLoader
Create hunting rule
File size:354'435 bytes
First seen:2021-08-02 13:35:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9daec1ba9c4b56f51c867c1eb2454189 (1 x BazaLoader)
ssdeep 6144:YUeWccBLr8Bc/c7dDcKEoBedhs4LNyhMJNx2:rXfBLr8ZCdhs6JX2
Threatray 34 similar samples on MalwareBazaar
TLSH T19D74BF245672089BFD3A817A9583454469B63833E734DEFF02E587591E1BFC18ABBF20
Reporter James_inthe_box
Tags:BazaLoader dll exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
139
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
vaq3.dll
Verdict:
No threats detected
Analysis date:
2021-08-02 13:39:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8a2d46cb-d80c-4219-a713-e16f050b0af5

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/175816/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Transferring files using the Background Intelligent Transfer Service (BITS)
Connection attempt
DNS request
Launching a process
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/bbfe4190-3d61-4b24-87dc-571c2b4a0f66
Result
Threat name:
Bazar Loader
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/825539
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Detected Bazar Loader
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: CobaltStrike Load by Rundll32
Sigma detected: Regsvr32 Command Line Without DLL
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 457951 Sample: vaq3.dll Startdate: 02/08/2021 Architecture: WINDOWS Score: 100 42 Detected Bazar Loader 2->42 44 Sigma detected: CobaltStrike Load by Rundll32 2->44 46 Sigma detected: Suspicious Svchost Process 2->46 48 Sigma detected: Regsvr32 Command Line Without DLL 2->48 7 loaddll64.exe 1 2->7         started        9 rundll32.exe 2->9         started        process3 process4 11 regsvr32.exe 14 7->11         started        15 iexplore.exe 1 74 7->15         started        17 cmd.exe 1 7->17         started        19 20 other processes 7->19 dnsIp5 38 143.198.58.231, 443, 49789 LDCOMNETFR United States 11->38 50 System process connects to network (likely due to code injection or exploit) 11->50 52 Contains functionality to inject code into remote processes 11->52 54 Sets debug register (to hijack the execution of another thread) 11->54 56 5 other signatures 11->56 21 svchost.exe 11->21         started        40 192.168.2.1 unknown unknown 15->40 24 iexplore.exe 2 150 15->24         started        26 rundll32.exe 17->26         started        signatures6 process7 dnsIp8 28 143.198.234.94, 443, 49813, 49814 LDCOMNETFR United States 21->28 30 143.198.78.177, 443, 49794, 49795 LDCOMNETFR United States 21->30 32 edge.gycpi.b.yahoodns.net 87.248.118.23, 443, 49761, 49762 YAHOO-DEBDE United Kingdom 24->32 34 dart.l.doubleclick.net 216.58.209.38, 443, 49748, 49749 GOOGLEUS United States 24->34 36 14 other IPs or domains 24->36
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a66f69b2c2320fa2bb4b6ab429dd318903db14a56418acc54ecffac8c9592afe/
Verdict:
suspicious
Similar samples:
447a0ab1979dfe2b0d3ebd7082dec8ad9fba6c8a34bef39217fa4f2c6073c5d8
BazaLoader
6c6939f72d85a8d97f4aa81c53d02dccca16e6deff4a2a3eb017ea374713aace
BazaLoader
738f4267728385be1d6336685338a0af96f09587218dbc6b3b88db07d1326877
BazaLoader
89e803fb3d77bd7c8ce32b32eaa6832dd37dba1fe675ac46cce0cb297646dc0d
BazaLoader
8fccef8c77091c260d0926d4ebe9ee80d79be2262360679a4d59c2a6efeca7ab
BazaLoader
b057eb94e711995fd5fd6c57aa38a243575521b11b98734359658a7a9829b417
BazaLoader
f25aca08079e42ada9ce9fbd59639686c7e87be6979943b8a8a555bedbe1a7cf
BazaLoader
f2caffa263687a0901d68e143af25169d67bac91489d6b62faa2727ed5bb49fe
BazaLoader
+ 24 additional samples on MalwareBazaar
Result
Malware family:
bazarbackdoor
Create hunting rule
Score:
  10/10
Tags:
family:bazarbackdoor backdoor
Link:
https://tria.ge/reports/210802-hya3h25a8x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Bazar/Team9 Backdoor payload
BazarBackdoor
Unpacked files
SH256 hash:
a66f69b2c2320fa2bb4b6ab429dd318903db14a56418acc54ecffac8c9592afe
MD5 hash:
b14a3e1c4cc77b3e5413b34d42a2d0fe
SHA1 hash:
6241b7d081a023c3b61db2bcba470b897e8adf2c
Link:
https://www.unpac.me/results/01829310-1ec7-4d93-8d5b-a3b11a498df8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a66f69b2c2320fa2bb4b6ab429dd318903db14a56418acc54ecffac8c9592afe

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/175816/

Comments