MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1ff5e402a811df59ac3ab7e16ac68c25b47f5ea7c6930f7799c72389ef06045. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BazaLoader


Vendor detections: 7



SHA256 hash: c1ff5e402a811df59ac3ab7e16ac68c25b47f5ea7c6930f7799c72389ef06045
SHA3-384 hash: 6eaaed7485ba3423003026eecd7e9a6d8f8a2de5c7888406c977fb4d9d3fc52ea99ebd8e19dff9f64146692eb78a2d8c
SHA1 hash: f698273b92b71ea403384ff808651ee2844ed544
MD5 hash: d388f6eb0068ac134be103b27d469d21
humanhash: india-nineteen-speaker-two
File name: d388f6eb0068ac134be103b27d469d21.dll
Signature BazaLoader
File size: 1'436'169 bytes
First seen: 2021-09-28 06:26:14 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash 126feacb5b6732ad1a4ed77f47cf4f6d (8 x BazaLoader)
ssdeep 24576:TqSPG9Jg6TYbmGBtf9efojVpVwKYs1tRCS7SPFL3EOGTWqG5QVEzAJ24GOy2ioLV:TyWbmGBtf9efojVpVwKYs1tR/7SPFL3K
Threatray 14 similar samples on MalwareBazaar
TLSH T1E465D696EE6351E0F4B7E23586A67627B9713D148334C78783005B171B62FF099BE38A
Reporter abuse_ch
Tags:BazaLoader dll exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
121
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
d388f6eb0068ac134be103b27d469d21.dll
Verdict:
No threats detected
Analysis date:
2021-09-28 06:42:21 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Transferring files using the Background Intelligent Transfer Service (BITS)
Launching a process
Malware family:
BazarBackdoor
Verdict:
Malicious
Result
Threat name:
Bazar Loader
Detection:
malicious
Classification:
spyw.evad
Score:
92 / 100
Signature
Allocates memory in foreign processes
Detected Bazar Loader
Injects a PE file into a foreign process
Modifies the context of a thread in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: CobaltStrike Load by Rundll32
Sigma detected: Regsvr32 Command Line Without DLL
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Behavior Graph ID: 492041
Sample: bT2842KdOz.dll
Start date: 28/09/2021
Architecture: WINDOWS
Score: 92

Sample start
  DNS/IP: edanekyw.bazar
  Signatures: Detected Bazar Loader; Sigma detected: CobaltStrike Load by Rundll32; Sigma detected: Suspicious Svchost Process; Sigma detected: Regsvr32 Command Line Without DLL
  Started processes: loaddll64.exe, rundll32.exe, rundll32.exe

loaddll64.exe
  Started processes: regsvr32.exe, rundll32.exe, iexplore.exe, 9 other processes

regsvr32.exe (started by loaddll64.exe)
  DNS/IP: 161.35.19.83:443 (source ports 49851, 49863; DIGITALOCEAN-ASN, US); 192.168.2.1 (unknown); 2 other IPs or domains
  Signatures: System process connects to network (likely due to code injection or exploit); Writes to foreign memory regions; Allocates memory in foreign processes
  Started processes: svchost.exe

rundll32.exe (started by loaddll64.exe)
  Signatures: Modifies the context of a thread in another process (thread injection); Sample uses process hollowing technique; Injects a PE file into a foreign process
  Started processes: svchost.exe

iexplore.exe (started by loaddll64.exe)
  Started processes: iexplore.exe

9 other processes (started by loaddll64.exe)
  Started processes: rundll32.exe

svchost.exe (started by regsvr32.exe)
  DNS/IP: api.opennic.org 116.203.98.109:443 (source port 49913; HETZNER-AS, DE); 159.65.127.51:443 (source ports 49985, 49988; DIGITALOCEAN-ASN, US); 17 other IPs or domains
  Signatures: System process connects to network (likely due to code injection or exploit); Detected Bazar Loader

svchost.exe (started by rundll32.exe)

iexplore.exe (started by iexplore.exe)
  DNS/IP: tls13.taboola.map.fastly.net 151.101.1.44:443 (source ports 49820, 49821; FASTLY, US); geolocation.onetrust.com 104.20.184.68:443 (source ports 49780, 49781; CLOUDFLARENET, US); 9 other IPs or domains
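As an added example that is not part of the MalwareBazaar entry or of any vendor's sandbox, the following Python turns three of the signatures above into detection logic and runs it over constructed Sysmon-style events that mirror the behaviour graph (regsvr32.exe and rundll32.exe launched from loaddll64.exe, each spawning svchost.exe, and that svchost.exe resolving edanekyw.bazar and connecting to 116.203.98.109 and 159.65.127.51). The event fields, file paths, PIDs and the svchost parent allow-list are assumptions; the checks are simplified versions of what the named Sigma rules cover, not the published rules themselves.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Parents that legitimately start svchost.exe. Assumption: a minimal
# allow-list; production rules also cover update and Defender components.
EXPECTED_SVCHOST_PARENTS = {"services.exe", "msmpeng.exe"}

# Extensions a regsvr32 command line normally carries as its argument.
DLL_ARG = re.compile(r"\.(dll|ocx)\b", re.IGNORECASE)


@dataclass
class Event:
    """Minimal Sysmon-like record: 1 = ProcessCreate, 3 = NetworkConnect, 22 = DnsQuery."""
    event_id: int
    pid: int
    image: str
    parent_image: str = ""   # event 1 only
    command_line: str = ""   # event 1 only
    dest_host: str = ""      # destination IP (event 3) or queried name (event 22)
    dest_port: int = 0       # event 3 only


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def regsvr32_without_dll(ev: Event) -> bool:
    """regsvr32.exe started with no .dll/.ocx argument on its command line."""
    return (ev.event_id == 1 and basename(ev.image) == "regsvr32.exe"
            and not DLL_ARG.search(ev.command_line))


def suspicious_svchost(ev: Event) -> bool:
    """svchost.exe whose parent is not one of the expected service-host launchers."""
    return (ev.event_id == 1 and basename(ev.image) == "svchost.exe"
            and basename(ev.parent_image) not in EXPECTED_SVCHOST_PARENTS)


def bazar_tld_query(ev: Event) -> bool:
    """DNS query for a name under the .bazar pseudo-TLD (edanekyw.bazar in the graph)."""
    return ev.event_id == 22 and ev.dest_host.lower().endswith(".bazar")


def run_detections(events: List[Event]) -> Dict[str, List[Event]]:
    """Apply the per-event rules, then correlate: a svchost.exe flagged for an
    unexpected parent that later opens a network connection is reported as a
    likely injected host process ('System process connects to network')."""
    hits: Dict[str, List[Event]] = {
        "regsvr32_without_dll": [],
        "suspicious_svchost_parent": [],
        "bazar_tld_query": [],
        "injected_svchost_network": [],
    }
    suspect_pids = set()
    for ev in events:  # events are assumed to be in time order
        if regsvr32_without_dll(ev):
            hits["regsvr32_without_dll"].append(ev)
        if suspicious_svchost(ev):
            hits["suspicious_svchost_parent"].append(ev)
            suspect_pids.add(ev.pid)
        if bazar_tld_query(ev):
            hits["bazar_tld_query"].append(ev)
        if (ev.event_id == 3 and basename(ev.image) == "svchost.exe"
                and ev.pid in suspect_pids):
            hits["injected_svchost_network"].append(ev)
    return hits


# Constructed events mirroring the behaviour graph; paths and PIDs are made up.
SYS = r"C:\Windows\System32"
SAMPLE_EVENTS = [
    Event(1, 1000, SYS + r"\loaddll64.exe", r"C:\Windows\explorer.exe",
          r"loaddll64.exe C:\Users\user\Desktop\bT2842KdOz.dll"),
    Event(1, 1100, SYS + r"\regsvr32.exe", SYS + r"\loaddll64.exe",
          r"regsvr32.exe /s C:\Users\user\Desktop\bT2842KdOz"),
    Event(1, 1200, SYS + r"\rundll32.exe", SYS + r"\loaddll64.exe",
          r"rundll32.exe C:\Users\user\Desktop\bT2842KdOz.dll,#1"),
    Event(1, 800, SYS + r"\svchost.exe", SYS + r"\services.exe", "svchost.exe -k netsvcs"),
    Event(1, 1300, SYS + r"\svchost.exe", SYS + r"\regsvr32.exe", "svchost.exe"),
    Event(1, 1400, SYS + r"\svchost.exe", SYS + r"\rundll32.exe", "svchost.exe"),
    Event(3, 1100, SYS + r"\regsvr32.exe", dest_host="161.35.19.83", dest_port=443),
    Event(22, 1300, SYS + r"\svchost.exe", dest_host="edanekyw.bazar"),
    Event(3, 1300, SYS + r"\svchost.exe", dest_host="116.203.98.109", dest_port=443),
    Event(3, 1300, SYS + r"\svchost.exe", dest_host="159.65.127.51", dest_port=443),
    Event(3, 800, SYS + r"\svchost.exe", dest_host="192.168.2.1", dest_port=53),
]

if __name__ == "__main__":
    for rule, evs in run_detections(SAMPLE_EVENTS).items():
        print(f"{rule}: {len(evs)} hit(s)")
        for ev in evs:
            print(f"  pid={ev.pid} {basename(ev.image)} {ev.command_line or ev.dest_host}")
```

The benign svchost.exe (PID 800, parent services.exe) is there as a control: it is neither flagged at creation nor when it talks to the local gateway, while the svchost.exe spawned by regsvr32.exe is flagged at creation and again on every outbound connection it makes. Note that the per-event checks alone would not catch the network activity; only the correlation on PID does.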
Threat name:
Win64.Trojan.Sdum
Status:
Malicious
First seen:
2021-09-28 06:27:09 UTC
AV detection:
3 of 44 (6.82%)
Threat level:
  5/5
Result
Malware family:
bazarloader
Score:
  10/10
Tags:
family:bazarloader dropper loader
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Bazar/Team9 Loader payload
Bazar Loader
Unpacked files
SHA256 hash:
c1ff5e402a811df59ac3ab7e16ac68c25b47f5ea7c6930f7799c72389ef06045
MD5 hash:
d388f6eb0068ac134be103b27d469d21
SHA1 hash:
f698273b92b71ea403384ff808651ee2844ed544
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download
  BazaLoader
    Executable exe c1ff5e402a811df59ac3ab7e16ac68c25b47f5ea7c6930f7799c72389ef06045 (this sample)

Delivery method: Distributed via web download

Comments