MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bf58ef24dd79c02522163be7d8e523cecb2be8daf30e98fd6673d583cbc9e74b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bf58ef24dd79c02522163be7d8e523cecb2be8daf30e98fd6673d583cbc9e74b
SHA3-384 hash: dc58336de91555b84224d7ad4bcaa0f881bee688627a45affec0b6f421304ba59b84a243ef94aa666056c4482dcdf967
SHA1 hash: 48d8ff863d43bde2614ae387841135d1b33e66da
MD5 hash: 730ca73a23dd70b2edf3712e4d03db1c
humanhash: july-east-florida-victor
File name:1.dll
Download: download sample
Signature BazaLoader
Create hunting rule
File size:1'191'424 bytes
First seen:2021-10-13 09:41:28 UTC
Last seen:2021-10-13 11:24:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f1f156271da624d9896a0e778797f0dd (1 x BazaLoader)
ssdeep 24576:4Am1pTsWeU8tV+VwKYs1tRS+7SPFL3EOGTWqG5QVEzAJ24GOy2ipi8z71aaDpZBG:4AmbTsWeU8tV+VwKYs1tRX7SPFL3EOGQ
Threatray 43 similar samples on MalwareBazaar
TLSH T18345D7E5EE2291D0F4BBE070C5917617B8603C6953398BC74240672B2B63BD4DA7E78B
Reporter ffforward
Tags:BazaLoader BazarISO BazarLoader dll exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
222
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1.dll
Verdict:
No threats detected
Analysis date:
2021-10-13 09:44:13 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4bba8492-2f8e-41c0-8463-bd8a4bece1b2

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/197161/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37776865.14510.20569.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a file in the system32 subdirectories
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware monero
Link:
https://www.filescan.io/uploads/6166a9effd35fe780c3ce1ef/reports/28bbb62f-183b-457b-8e1d-e970fb08218b/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/86934e08-0c34-4622-adf2-1e4a3b6af201
Result
Threat name:
Bazar Loader
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/869494
Signature
Allocates memory in foreign processes
Detected Bazar Loader
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 501922 Sample: 1.dll Startdate: 13/10/2021 Architecture: WINDOWS Score: 80 36 Multi AV Scanner detection for submitted file 2->36 38 Detected Bazar Loader 2->38 7 loaddll64.exe 1 2->7         started        process3 process4 9 rundll32.exe 13 7->9         started        13 cmd.exe 1 7->13         started        15 rundll32.exe 7->15         started        17 6 other processes 7->17 dnsIp5 32 164.90.229.209, 443, 49753 DIGITALOCEAN-ASNUS United States 9->32 34 192.168.2.1 unknown unknown 9->34 40 System process connects to network (likely due to code injection or exploit) 9->40 42 Writes to foreign memory regions 9->42 44 Allocates memory in foreign processes 9->44 46 2 other signatures 9->46 19 chrome.exe 13 9->19         started        22 rundll32.exe 13->22         started        24 WerFault.exe 20 9 15->24         started        26 WerFault.exe 9 17->26         started        28 WerFault.exe 9 17->28         started        signatures6 process7 dnsIp8 30 167.99.242.155, 443, 49843, 49845 DIGITALOCEAN-ASNUS United States 19->30
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/bf58ef24dd79c02522163be7d8e523cecb2be8daf30e98fd6673d583cbc9e74b/
Threat name:
Win64.Trojan.CobaltStrike
Create hunting rule
Status:
Malicious
First seen:
2021-10-12 13:14:19 UTC
AV detection:
6 of 28 (21.43%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
081409dbf0464baad30442d3f8cea67c885e15e438b0f6dbf9c64da67620eaa1
BazaLoader
0f8c4123a1849e5b877422d80ce94199cc3be7cb77801fd0ba944fe595ffc382
BazaLoader
1298c6133f76de5491828ab2eac13325c21249a1329c971f6b60e7ed85827280
BazaLoader
1d08bcc9e5ed8f7bbc161f81790198f8100e9a34952ccf4227f2625c6a15f445
BazaLoader
8542e790264aead4545ac9debccff734d9dbe33993c5a419361befb87ea4a79a
BazaLoader
8b971c2c4c9a020eb274c36db20bc0e1b203a7909d63f48f99bef5594110929f
BazaLoader
c1ff5e402a811df59ac3ab7e16ac68c25b47f5ea7c6930f7799c72389ef06045
BazaLoader
+ 33 additional samples on MalwareBazaar
Result
Malware family:
bazarloader
Create hunting rule
Score:
  10/10
Tags:
family:bazarloader dropper loader
Link:
https://tria.ge/reports/211013-lpc59sdhe8/
Behaviour
Blocklisted process makes network request
Tries to connect to .bazar domain
Bazar/Team9 Loader payload
Bazar Loader
Unpacked files
SH256 hash:
bf58ef24dd79c02522163be7d8e523cecb2be8daf30e98fd6673d583cbc9e74b
MD5 hash:
730ca73a23dd70b2edf3712e4d03db1c
SHA1 hash:
48d8ff863d43bde2614ae387841135d1b33e66da
Link:
https://www.unpac.me/results/f8d16c08-ff0e-40db-a859-7f0f20819e14/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bf58ef24dd79c02522163be7d8e523cecb2be8daf30e98fd6673d583cbc9e74b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ClamAV_Emotet_String_Aggregate
Create hunting rule
Rule name:ClamAV_Emotet_String_Aggregate
Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/197161/

Comments