MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b23504990949945298994fe36a74f143e6534c45c9b7186451f46891e117da6e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BazaLoader

Vendor detections: 4

Intelligence 4 IOCs YARA 1 File information Comments

SHA256 hash:	b23504990949945298994fe36a74f143e6534c45c9b7186451f46891e117da6e
SHA3-384 hash:	5a46ca4b37ada49ce486bf85961d82b1672b1f704ce5b5abc5948ee7423ed0619655a6384961132ce7b3a2d19a320912
SHA1 hash:	51fa6e8f86364cba46b25798eebb9feafb7895a8
MD5 hash:	ef8dcdf16d30876906f23650156cdd6a
humanhash:	nineteen-alabama-sad-california
File name:	SecuriteInfo.com.Trojan.Siggen9.37965.23654.15927
Download:	download sample
Signature	BazaLoader Create hunting rule
File size:	615'104 bytes
First seen:	2020-04-14 19:39:37 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	bdf9bd1cb48197c63fe9a32a6e6e8c1b (1 x BazaLoader)
ssdeep	12288:OA+MGakKCwfxLdt+Ccw0Z2+TYxl/dif6yC:Oe9CSht+C0AXd
Threatray	2'788 similar samples on MalwareBazaar
TLSH	C2D45A4D125409BFE4A67178C48F6B44496028BD6BA3D7EBBA48B143FE233C5953363A
Reporter	SecuriteInfoCom
Tags:	BazaLoader

Code Signing Certificate

Organisation:	DigiCert High Assurance EV Root CA
Issuer:	DigiCert High Assurance EV Root CA
Algorithm:	sha1WithRSAEncryption
Valid from:	Nov 10 00:00:00 2006 GMT
Valid to:	Nov 10 00:00:00 2031 GMT
Serial number:	02AC5C266A0B409B8F0B79F2AE462577
Intelligence:	204 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	7431E5F4C3C1CE4690774F0B61E05440883BA9A01ED00BA6ABD7806ED3B118CF
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

108

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/1203/

Detection(s):

SecuriteInfo.com.Trojan.Siggen9.37965.23654.15927.UNOFFICIAL

PUA.Win.Downloader.Aiis-6803892-0

Result

Threat name:

Unknown

Detection:

suspicious

Classification:

n/a

Score:

26 / 100

Link:

https://www.joesandbox.com/analysis/341617

Behaviour

Behavior Graph:

n/a

Gathering data

Threat name:

Win64.Trojan.Zudochka

Status:

Malicious

First seen:

2020-04-14 18:15:07 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

20 of 30 (66.67%)

Threat level:

5/5

Verdict:

malicious

BazaLoader

28a1206e5a8f79a94835e929ebef98ed896293513afbe427efe14371d6a8134f

BazaLoader

55d95d9486d77df6ac79bb25eb8b8778940bac27021249f779198e05a2e1edae

BazaLoader

5a888d05804d06190f7fc408bede9da0423678c8f6eca37ecce83791de4df83d

BazaLoader

7984df6018af3f340757e48e5fb6105c6476c1832c23cb3ec9e0b8a08623436e

BazaLoader

835edf1ec33ff1436d354aa52e2e180e3e8f7500e9d261d1ff26aa6daddffc55

BazaLoader

8423fefddbb9197ebe12a5e51fb8f06e6dc2c02d6ef68b254faba0d6a63866c5

BazaLoader

ca8194e9a1232e508619269bdf9a9c71c4b76e7852d86ed18f02088229b0f7c7

BazaLoader

ce478fdbd03573076394ac0275f0f7027f44a62a306e378fe52beb0658d0b273

BazaLoader

ff670f0f84aef661b70217d00c15c0f0208c8ad2af072988c09941970b3b4081

BazaLoader

+ 2'778 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BazaLoader

exe b23504990949945298994fe36a74f143e6534c45c9b7186451f46891e117da6e

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/340290/

Delivery method

Distributed via web download

Cape

https://www.capesandbox.com/analysis/1203/

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings

ID	Title	Severity
CHECK_AUTHENTICODE	Missing Authenticode	high
CHECK_DLL_CHARACTERISTICS	Missing dll Security Characteristics (HIGH_ENTROPY_VA)	high
CHECK_PIE	Missing Position-Independent Executable (PIE) Protection	high

Reviews

ID	Capabilities	Evidence
WIN32_PROCESS_API	Can Create Process and Threads	KERNEL32.dll::CloseHandle
WIN_BASE_API	Uses Win Base API	KERNEL32.dll::TerminateProcess KERNEL32.dll::LoadLibraryW KERNEL32.dll::LoadLibraryA KERNEL32.dll::GetStartupInfoW KERNEL32.dll::GetCommandLineA
WIN_BASE_EXEC_API	Can Execute other programs	KERNEL32.dll::WriteConsoleW KERNEL32.dll::SetConsoleCtrlHandler KERNEL32.dll::SetStdHandle KERNEL32.dll::GetConsoleCP KERNEL32.dll::GetConsoleMode
WIN_BASE_IO_API	Can Create Files	KERNEL32.dll::CreateFileW
WIN_USER_API	Performs GUI Actions	USER32.dll::CreateWindowExW

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample