MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bc0a0ea0c006ac8b53077bd5f2459cf336a0293c19b8e8ff3c3ac0b04e7c6cba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bc0a0ea0c006ac8b53077bd5f2459cf336a0293c19b8e8ff3c3ac0b04e7c6cba
SHA3-384 hash: 96809bfd159597623b999530bba41a3d63344230de32f1f46ba8e99d9f674a278212cfa48c8ba167159153af366ddb53
SHA1 hash: 8ef2193049b4f6b504b5c1b0e03804ac4546e52a
MD5 hash: d2c5f4974e319d04471b2423ea993e5d
humanhash: wolfram-carpet-double-montana
File name:date5
Download: download sample
Signature BazaLoader
Create hunting rule
File size:284'816 bytes
First seen:2021-09-10 19:32:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bca3ee8a0e3f7bb5fa6ef50a7287a698 (5 x BazaLoader)
ssdeep 3072:BaACsfDoGKOKRj6Yi7NUXn6cN5Va6CrLpnL/1PiLfYLebfU/tSXBXek78:BaAn8FRj6Yi7N66iuMfYefUVSXRZ78
Threatray 8 similar samples on MalwareBazaar
TLSH T17054BF7F90640196FFD68CBCCE4077D7E8A6BAA74F28F5F31D2891621B21AD6C584213
Reporter malwarelabnet
Tags:BazaLoader BazarLoader exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
164
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
date5
Verdict:
No threats detected
Analysis date:
2021-09-10 19:33:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/84f3931e-5463-4f19-9730-060a88a8804a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/186964/
Detection(s):
SecuriteInfo.com.ArtemisD2C5F4974E31.9086.23503.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Transferring files using the Background Intelligent Transfer Service (BITS)
Connection attempt
Launching a process
Sending a UDP request
Malware family:
BazarBackdoor
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/93f06495-a04b-4254-9951-8bdc23d3e8e2
Result
Threat name:
Bazar Loader
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/849002
Signature
Allocates memory in foreign processes
Detected Bazar Loader
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: CobaltStrike Load by Rundll32
Sigma detected: Regsvr32 Command Line Without DLL
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 481433 Sample: date5 Startdate: 10/09/2021 Architecture: WINDOWS Score: 96 49 Detected Bazar Loader 2->49 51 Sigma detected: CobaltStrike Load by Rundll32 2->51 53 Sigma detected: Suspicious Svchost Process 2->53 55 Sigma detected: Regsvr32 Command Line Without DLL 2->55 7 loaddll64.exe 1 2->7         started        9 rundll32.exe 2->9         started        11 rundll32.exe 2->11         started        process3 process4 13 regsvr32.exe 14 7->13         started        17 rundll32.exe 7->17         started        19 iexplore.exe 2 86 7->19         started        21 7 other processes 7->21 dnsIp5 45 167.172.37.9, 443, 49708, 49776 DIGITALOCEAN-ASNUS United States 13->45 61 Writes to foreign memory regions 13->61 63 Allocates memory in foreign processes 13->63 65 Modifies the context of a thread in another process (thread injection) 13->65 67 Injects a PE file into a foreign processes 13->67 23 svchost.exe 13->23         started        69 System process connects to network (likely due to code injection or exploit) 17->69 71 Sets debug register (to hijack the execution of another thread) 17->71 73 Sample uses process hollowing technique 17->73 27 svchost.exe 17->27         started        47 192.168.2.1 unknown unknown 19->47 29 iexplore.exe 7 144 19->29         started        31 rundll32.exe 21->31         started        signatures6 process7 dnsIp8 33 whitestorm9p.bazar 23->33 35 tonuidem.bazar 23->35 41 21 other IPs or domains 23->41 57 System process connects to network (likely due to code injection or exploit) 23->57 59 Detected Bazar Loader 23->59 37 dart.l.doubleclick.net 172.217.19.102, 443, 49760, 49761 GOOGLEUS United States 29->37 39 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49768, 49769 FASTLYUS United States 29->39 43 12 other IPs or domains 29->43 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bc0a0ea0c006ac8b53077bd5f2459cf336a0293c19b8e8ff3c3ac0b04e7c6cba/
Threat name:
Win64.Trojan.BazarLoader
Create hunting rule
Status:
Malicious
First seen:
2021-09-10 19:32:15 UTC
AV detection:
13 of 45 (28.89%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
020cdb33c05b46de2b27327759b0c02a8c0f3790f7c483bb9e4965cabe8a09c6
BazaLoader
976328794f9114fe51c80ce0f05e4a35a94802c2fd99f3eb3c8bdeccbff5adb7
BazaLoader
9dcbcfbebaa313cfef45601dae08a0406edd349fd9ffefee1a5fe8e0b673c4d9
BazaLoader
af98c1743907c9a1429a6f01446bab875cbd273935b4ecfcd1f1b4db430a8ece
BazaLoader
b3783552bf95bc8b30a28c8d590a5081193fd6a690403dfb400c240237c8c956
BazaLoader
dcf67fd6bfb62bea66f5e45d871d6c15b0c61d85c5fa9e9ded03e57f83dfc814
BazaLoader
f796ca1010553654951b4ae4ca8ea20d473a6c272e635dc0904f0d3761f250d5
BazaLoader
Result
Malware family:
bazarloader
Create hunting rule
Score:
  10/10
Tags:
family:bazarloader dropper loader
Link:
https://tria.ge/reports/210910-x8yf4aaee9/
Behaviour
Bazar/Team9 Loader payload
Bazar Loader
Unpacked files
SH256 hash:
bc0a0ea0c006ac8b53077bd5f2459cf336a0293c19b8e8ff3c3ac0b04e7c6cba
MD5 hash:
d2c5f4974e319d04471b2423ea993e5d
SHA1 hash:
8ef2193049b4f6b504b5c1b0e03804ac4546e52a
Link:
https://www.unpac.me/results/e1939cd3-e8eb-46a5-9c5d-92c586ce5e5e/
Malware family:
BazarLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/bc0a0ea0c006/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/bc0a0ea0c006ac8b53077bd5f2459cf336a0293c19b8e8ff3c3ac0b04e7c6cba

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/186964/

Comments