MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bec20ac8a134a12e75da2c091e0ff228a2d230b2498991b1689e6b44db94cd58. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BazaLoader

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	bec20ac8a134a12e75da2c091e0ff228a2d230b2498991b1689e6b44db94cd58
SHA3-384 hash:	a70a447f84b00b7be04984de60779755d221cdd11b19e7181630fb3763ef542a430fdf2479e8e188b27e1d8e03cf16bd
SHA1 hash:	f1df8058f43e78e092887b417b30c62f74258e26
MD5 hash:	68e2c3bc6a3ef492e0094afaaf96fd50
humanhash:	one-failed-batman-alaska
File name:	dl2_trivial.exe
Download:	download sample
Signature	BazaLoader Create hunting rule
File size:	101'048 bytes
First seen:	2020-09-28 07:32:37 UTC
Last seen:	2020-09-28 09:41:02 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	11ba04728e279a70c8fc15175c924733 (1 x BazaLoader)
ssdeep	1536:V54ixJOVaWHwV6O7KI9mukArjeRPCd/IXqmPsWlHkgdc9dlTgy81p:V5pJOV1FO7F9mu/rjeRgIam8KU9gt
Threatray	100 similar samples on MalwareBazaar
TLSH	F3A36C47B3E430EDE0328678C9614A29E772F8391621DFAF176042561F2BAD19D3EF61
Reporter	JAMESWT_WT
Tags:	BazaLoader Retalit LLC signed

Code Signing Certificate

Organisation:	DigiCert High Assurance EV Root CA
Issuer:	DigiCert High Assurance EV Root CA
Algorithm:	sha1WithRSAEncryption
Valid from:	Nov 10 00:00:00 2006 GMT
Valid to:	Nov 10 00:00:00 2031 GMT
Serial number:	02AC5C266A0B409B8F0B79F2AE462577
Intelligence:	204 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:	SHA256
Thumbprint:	7431E5F4C3C1CE4690774F0B61E05440883BA9A01ED00BA6ABD7806ED3B118CF
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

3

# of downloads :

112

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/66347/

Detection(s):

SecuriteInfo.com.Trojan.DownLoader34.53796.9717.32061.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Sending a UDP request

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/476243

Signature

Allocates memory in foreign processes

Antivirus / Scanner detection for submitted sample

Contains functionality to inject code into remote processes

Hijacks the control flow in another process

Injects a PE file into a foreign processes

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Sample uses process hollowing technique

Sets debug register (to hijack the execution of another thread)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Writes to foreign memory regions

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/bec20ac8a134a12e75da2c091e0ff228a2d230b2498991b1689e6b44db94cd58/

Threat name:

Win64.Trojan.Kryptik

Status:

Malicious

First seen:

2020-09-26 01:54:06 UTC

File Type:

PE+ (Exe)

Extracted files:

1

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=x3bavsfbgsqs45o2fqer4d7sfcrnemfsjgezdmlitzvujw4uzvma._file

Verdict:

unknown

Similar samples:

0a5606b7020f9126ad52a987d62bd5fc37047ab447976ffbf34a2e94719a4f1c

1582d076196f0650d039eafc189042cdd33d512ac09ce5cf08e733ab950a5aee

38e2a81ba89534d8affdbf5c0af01eee821afba968d02ca2cd855a6209c86caa

75897aec122b3003c82487031570723bf6ba8dbb20dad42812af93de542b55e2

7dd760acef6e4e8852e91cec3c0b1ea1e4a8dc5f7ae43737f0d05714c0f9e1ba

a4cc8f3c31394e314343d0f40c5b9a81f0fa3ac39399f4bafc9666821bc3317d

a69eb7cefaf118370fad6792bab70e7aad3ea56458eb3b0ff8fb6c66a2b7e9ea

aa1be103378c35cac611142349b9d6d81eced0713cd7cba343fa93648494102e

e527dc82a2d660e859061438626809fb3732320796a7c6bbd96ad902a032a908

feab7122b7c76c3dc364fccb4e1a471d7e21b0a7322083b0dbe6f074e4a70b72

+ 90 additional samples on MalwareBazaar

Result

Malware family:

bazarbackdoor

Score:

10/10

Tags:

backdoor family:bazarbackdoor

Link:

https://tria.ge/reports/200928-mec85gs4e6/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Blacklisted process makes network request

BazarBackdoor

Unpacked files

SH256 hash:

bec20ac8a134a12e75da2c091e0ff228a2d230b2498991b1689e6b44db94cd58

MD5 hash:

68e2c3bc6a3ef492e0094afaaf96fd50

SHA1 hash:

f1df8058f43e78e092887b417b30c62f74258e26

Link:

https://www.unpac.me/results/88d9cde7-f583-4056-9f6e-3e2e404a84cc/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

0.70

Link:

https://yomi.yoroi.company/submissions/bec20ac8a134a12e75da2c091e0ff228a2d230b2498991b1689e6b44db94cd58

File information

The table below shows additional information about this malware sample such as delivery method and external references.

X

https://twitter.com/malwrhunterteam/status/1309942314110980096?s=20

Cape

Cape

https://www.capesandbox.com/analysis/66347/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample