MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b2a4b60dd0c7e9dfa6d88e9badad810ff74c5f42054b7af22e95fb5553d67331. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BazaLoader
Vendor detections: 6

SHA256 hash: b2a4b60dd0c7e9dfa6d88e9badad810ff74c5f42054b7af22e95fb5553d67331
SHA3-384 hash: f5095d7e412ee0d6ea094d05edabe1ff0eddaa2e53233a8fb79fe52e917785c70f642f118a31e2524190c72954418efc
SHA1 hash: 7be37d84635e448781d82fb3225d1537e4a71f52
MD5 hash: cd3e23cddeb92b7397eaf960da34c237
humanhash: mirror-uncle-hydrogen-spring
File name: cd3e23cddeb92b7397eaf960da34c237.dll
Signature: BazaLoader
File size: 136'704 bytes
First seen: 2021-10-29 08:09:53 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: ad3ffaf0584336c12d7303af68597f29 (1 x BazaLoader)
ssdeep: 3072:bKfk4isEZeMyM0BsEkxyzPZzihfXSO5vNFYVtZakBLj8fMTcE1B:mfk4isfNM+XOyzP1ihff3FYVT3JzTV
Threatray: 47 similar samples on MalwareBazaar
TLSH: T1E7D3DF42EDADA763FC045970DCB6B1CBD529347747B0469E2B3AD2A41F13641E82BE38
Reporter: abuse_ch
Tags: BazaLoader dll exe

Intelligence

File Origin
# of uploads: 1
# of downloads: 135
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: cd3e23cddeb92b7397eaf960da34c237.dll
Verdict: No threats detected
Analysis date: 2021-10-29 16:42:37 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Suspicious
Maliciousness:
Behaviour
Running batch commands
Creating a process with a hidden window
Launching a process

Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: evad
Score: 76 / 100
Signature
Creates an autostart registry key pointing to binary in C:\Windows
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: UNC2452 Process Creation Patterns
Uses cmd line tools excessively to alter registry or file data
Writes to foreign memory regions
Behaviour
Behavior Graph (ID 511576; sample EHitkw3MCI.dll; start date 29/10/2021; architecture WINDOWS; score 76), reconstructed from the graph export as a process tree with the signatures attached to each node:
Sample [Multi AV Scanner detection for submitted file; Sigma detected: UNC2452 Process Creation Patterns]
  rundll32.exe [Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes]
    cmd.exe
      reg.exe
      conhost.exe
    cmd.exe
      conhost.exe
      reg.exe
    chrome.exe
  loaddll64.exe
    cmd.exe [Uses cmd line tools excessively to alter registry or file data]
      rundll32.exe
        cmd.exe
          rundll32.exe
            cmd.exe [Uses cmd line tools excessively to alter registry or file data]
              reg.exe [Creates an autostart registry key pointing to binary in C:\Windows]
              conhost.exe
            cmd.exe
              rundll32.exe
              conhost.exe
              choice.exe
          conhost.exe
          choice.exe
    rundll32.exe
    rundll32.exe
    rundll32.exe
  rundll32.exe
Threat name: Win64.Trojan.Generic
Status: Suspicious
First seen: 2021-10-28 21:09:46 UTC
AV detection: 6 of 45 (13.33%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
Runs ping.exe
Suspicious use of WriteProcessMemory
Unpacked files
SHA256 hash: b2a4b60dd0c7e9dfa6d88e9badad810ff74c5f42054b7af22e95fb5553d67331
MD5 hash: cd3e23cddeb92b7397eaf960da34c237
SHA1 hash: 7be37d84635e448781d82fb3225d1537e4a71f52
Please note that we are no longer able to provide a coverage score for Virus Total.
