MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bcea99b1ec6fa52fec60589878c451266f260a8b4e2d8c85d700b3d24e0dce4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bcea99b1ec6fa52fec60589878c451266f260a8b4e2d8c85d700b3d24e0dce4b
SHA3-384 hash: 0ec61778e3d3fc9346750790f37f34e47e3be61b49a72ee5f7d08d2d2b2dffcc79755b93cffaedb90f08a03f36b19b54
SHA1 hash: 2224403a67ef396718f3087c47521c8075d0f687
MD5 hash: 4e0da1ea4579f0bed86d480ab65a2010
humanhash: lemon-may-ohio-kentucky
File name:PreviewDoc.exe
Download: download sample
Signature BazaLoader
Create hunting rule
File size:518'200 bytes
First seen:2020-12-10 17:38:33 UTC
Last seen:2020-12-10 19:35:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash db60e0959cfe3991b2f6c66c24b00482 (3 x BazaLoader, 1 x TrickBot)
ssdeep 12288:pFuyRwvM4zWfGrRXEC0WkoC4GOk7y5khz8Fim6pjT:pNf6RUC0joC4lJim0T
Threatray 163 similar samples on MalwareBazaar
TLSH 34B439C3F054349CF8DF827BB9DA4E25B2E27C5209422A0161753F99BF325925FC8A6D
Reporter ffforward
Tags:baza BazaLoader bazar BazarLoader kegtap OOO Inversum signed

Code Signing Certificate

Organisation:Certum Extended Validation Code Signing CA SHA2
Issuer:Certum Trusted Network CA
Algorithm:sha256WithRSAEncryption
Valid from:Oct 29 11:55:39 2015 GMT
Valid to:Jan 19 11:55:39 2027 GMT
Serial number: 4E96C1BA06258A0C2ABA27625E9064D3
Intelligence: 23 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: 176AAE8BDD5DD06A7DBD42862DC173BD838FFE3013103B097B9671C37BA6AE14
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
278
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PreviewDoc.exe
Verdict:
No threats detected
Analysis date:
2020-12-10 17:50:31 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/1d9180d2-a914-4548-91fa-78d8160723db

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/107667/
Detection(s):
SecuriteInfo.com.Generic.mg.4e0da1ea4579f0be.30486.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bcea99b1ec6fa52fec60589878c451266f260a8b4e2d8c85d700b3d24e0dce4b/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=xtvjtmpmn6ss73dalcmhrrcrezxsmculjywyzboxacz5etqnzzfq._file
Verdict:
malicious
Similar samples:
041edc38190df416f98058aabd53019c2e214e539f943af654fa2c486444ff24
BazaLoader
0fb8a792dd48796bac2d508c1928aa539ced639ea99a5e2c9d6e2be5a7e82d43
BazaLoader
177b312a0c7c2d03be3b2916505fb3e9fdefe785330c74ac29e89cb22656367e
BazaLoader
48d410b2235a7f33a79795ee4cc677da47cee5a12645086d38c89d4c88aa2ebf
BazaLoader
7a530c59844e1fbc71d5c86514e315afdb4748d0833e4fead19e1195ebfeab32
BazaLoader
95fece80757ca0144d29f2015a0eba750195182f45002a5bc734f1824c18e2c4
BazaLoader
a28cead812579eacf8d58be5b5ee55adc18409499108d4f5cc98acbf92c87531
BazaLoader
b5f8f3ecbf1f2276024ac2590a3ab257e9aacd9a773b6cb44af57776a8a1fc1e
BazaLoader
cae79d8ceb527eb8367b1df9e916718e4329d2768ed0b7e61f7c406af9d21f31
BazaLoader
e87a3aade32a0e9b09eede42d6e59ee32646adb37da99f8ae730f35582f65dc2
BazaLoader
+ 153 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201210-y8eh5tnflx/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
bcea99b1ec6fa52fec60589878c451266f260a8b4e2d8c85d700b3d24e0dce4b
MD5 hash:
4e0da1ea4579f0bed86d480ab65a2010
SHA1 hash:
2224403a67ef396718f3087c47521c8075d0f687
Link:
https://www.unpac.me/results/dac8c1a3-65f8-4f20-b042-fff9ad0264ba/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bcea99b1ec6fa52fec60589878c451266f260a8b4e2d8c85d700b3d24e0dce4b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Distributed via e-mail link
Cape
Cape
https://www.capesandbox.com/analysis/107667/

Comments