MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae404f556445b149eca9f80ca2b002785bc5bdf74d443e9133f8760b8c704466. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ae404f556445b149eca9f80ca2b002785bc5bdf74d443e9133f8760b8c704466
SHA3-384 hash: 81257ebc4e4c7a7e1a327c90db8e248a28c6f5386b69fbe7b9967e1e533d912c6086413bfd403be4bd988e79ae82ec82
SHA1 hash: 552e08916e2ea9e29ad26d7a0d2ae35091b84e25
MD5 hash: 7e907e0900c1980422d721a0fa805b56
humanhash: crazy-tango-king-item
File name:7e907e0900c1980422d721a0fa805b56.exe
Download: download sample
Signature BazaLoader
Create hunting rule
File size:425'984 bytes
First seen:2021-02-13 20:07:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7d69255e451e9c23b553083b8696640b (2 x TrickBot, 1 x BazaLoader)
ssdeep 6144:hJJXc3d7aQ2hSAjxqrMiYRTuzOys5yWYPMpemzE+c8MWnvzv6pRc:dXc3dLoSAorM5wMpe1OnvMR
Threatray 3'427 similar samples on MalwareBazaar
TLSH 5094BF37A488F9A1D6373A310C66D578062F5C4414035E4B3494BEDDAE3AB83AEB537E
Reporter abuse_ch
Tags:BazaLoader exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
285
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
7e907e0900c1980422d721a0fa805b56.exe
Verdict:
Malicious activity
Analysis date:
2021-02-13 20:08:22 UTC
Tags:
trojan trickbot loader
Link:
https://app.any.run/tasks/6e1c5436-ba44-45d0-aad6-886fe521c59e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/117045/
Detection(s):
Win.Trojan.Generic-9831714-0
Create hunting rule

SecuriteInfo.com.Variant.Graftor.919591.1451.21902.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Sending a UDP request
Deleting a recently created file
Launching a process
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/607467
Signature
Allocates memory in foreign processes
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
Detection:
trickbot
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ae404f556445b149eca9f80ca2b002785bc5bdf74d443e9133f8760b8c704466/
Threat name:
Win32.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2021-02-12 21:55:57 UTC
AV detection:
18 of 29 (62.07%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=vzae6vleiwyut3fj7agkfmacpbn4lppxjvcd5ejt7b3axddqirta._file
Verdict:
malicious
Label(s):
trickbot
Create hunting rule
Similar samples:
1610f95a5fa7d0ff96c212663f92fd12e64fde5fbad5fae7849b9416d2518f10
BazaLoader
3a214b848b9d317e2c8dfdc7a2e55ee7893b6e4aadc335992d3425480c7eb8b6
BazaLoader
43bf403865a31b4b2628650b0dfd6486fd6b45e6ae2a52fa09433c3f5b7d3163
BazaLoader
449f24aec03bfd9f244e7102319fa6f9f3fccb1673b89b602faa3a52b1530c93
BazaLoader
5c90a4841123068f2eb34b3be47f8e7d8cb6409ddcb84f35d31acea6628a39de
BazaLoader
62142855810fb30c3152b3da340820e864c06b0a0898b46f08c54e3743e86603
BazaLoader
6912d583576d9eb9caffadbe2c808c4d563dc5274a8197b8be8f253b03010da5
BazaLoader
98dd45b3ce7ca621aa88bad8750770c166ca9146b0ce916be6222d78b8c8fd78
BazaLoader
bb906b8a7a14d7441f2f28ef75834f8d2c80c1f1330c68f3ada238f824300f70
BazaLoader
f4f92a6ed4e8a88818db25823c89833364e1b4699588a631696262daa3212aee
BazaLoader
+ 3'417 additional samples on MalwareBazaar
Result
Malware family:
trickbot
Create hunting rule
Score:
  10/10
Tags:
family:trickbot botnet:yas28 banker trojan
Link:
https://tria.ge/reports/210213-c58ke5zrds/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Looks up external IP address via web service
Trickbot
Malware Config
C2 Extraction:
194.5.249.156:443
142.202.191.164:443
193.8.194.96:443
45.155.173.242:443
108.170.20.75:443
185.163.45.138:443
94.140.114.136:443
134.119.186.202:443
200.52.147.93:443
45.230.244.20:443
186.250.157.116:443
186.137.85.76:443
36.94.62.207:443
182.253.107.34:443
Unpacked files
SH256 hash:
e5091c9b010f7b5acc73bd04653a42af5ebcee31476a9fc05e9f4774c9f000a4
MD5 hash:
c6b43c403351bd6613e3e01223d2f9db
SHA1 hash:
1e2b311107d7f211e7d0a46221c394d9665f4128
Detections:
win_trickbot_a4
Create hunting rule
win_trickbot_g6
Create hunting rule
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/8e485fb5-c51c-4657-a8a4-ac56b76da813/
Parent samples :
43bf403865a31b4b2628650b0dfd6486fd6b45e6ae2a52fa09433c3f5b7d3163
ae404f556445b149eca9f80ca2b002785bc5bdf74d443e9133f8760b8c704466
62142855810fb30c3152b3da340820e864c06b0a0898b46f08c54e3743e86603
SH256 hash:
f80da17223d986a9d0f076b41684a71b6480de8cdaf62bdec5fa17110a5e4ded
MD5 hash:
054e155354e33337cdd7d1ec4f8014f7
SHA1 hash:
0a72002268b833b7afc563804774b2588fb07427
Detections:
win_trickbot_auto
Create hunting rule
Link:
https://www.unpac.me/results/8e485fb5-c51c-4657-a8a4-ac56b76da813/
SH256 hash:
ae404f556445b149eca9f80ca2b002785bc5bdf74d443e9133f8760b8c704466
MD5 hash:
7e907e0900c1980422d721a0fa805b56
SHA1 hash:
552e08916e2ea9e29ad26d7a0d2ae35091b84e25
Link:
https://www.unpac.me/results/8e485fb5-c51c-4657-a8a4-ac56b76da813/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Cryptor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ae404f556445b149eca9f80ca2b002785bc5bdf74d443e9133f8760b8c704466

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BazaLoader

Executable exe ae404f556445b149eca9f80ca2b002785bc5bdf74d443e9133f8760b8c704466

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1003007/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1003147/
Cape
Cape
https://www.capesandbox.com/analysis/117045/

Comments