MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c4ee1c01c69af8c987dfc5f7790b3c8d2474ae1fe1771d4f2fef9720d54fd3ff. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BazaLoader


Vendor detections: 11



SHA256 hash: c4ee1c01c69af8c987dfc5f7790b3c8d2474ae1fe1771d4f2fef9720d54fd3ff
SHA3-384 hash: a34546df5079a1e529cccf064031e525b561001975740834e72086f91b3129c11e78d4b59e15abeb8e281eadfcb7be0d
SHA1 hash: ef913fbd9ec848b59941bc8cce6e0a357d850b2d
MD5 hash: 4925a10905e4df9d65e87afed2d77c45
humanhash: harry-oven-charlie-september
File name: 4925a10905e4df9d65e87afed2d77c45
Signature: BazaLoader
File size: 813'568 bytes
First seen: 2022-01-20 12:54:18 UTC
Last seen: 2022-01-20 14:51:38 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 0fa94d0596d4a5a9d544927617ad10dc (1 x BazaLoader)
ssdeep: 12288:hMKk6ZKaLa6pxm7aOO4mKkP8UurFpRlG/34facNQB6+tiEMGZOnEP:hMA26pKaOyKFUurF3kQCcNyX
Threatray: 434 similar samples on MalwareBazaar
TLSH: T170056D1AB7B840B6C06AC536C6538E5AF7B2B8514B3083CB4261A75F1F377E15B3A325
dhash icon: 79756cecb29999b9 (734 x Heodo, 20 x Nitol, 20 x ManusCrypt)
Reporter: zbetcheckin
Tags: BazaLoader, exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 212
Origin country: n/a
Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: invoice.doc
Verdict: Suspicious activity
Analysis date: 2022-01-19 22:18:43 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Suspicious
Maliciousness:
Behaviour: DNS request; Sending a custom TCP request; Running batch commands; Creating a process with a hidden window; Launching a process
Result
Malware family: n/a
Score: 8/10
Tags: n/a
Behaviour: MalwareBazaar; MeasuringTime; SystemUptime; EvasionQueryPerformanceCounter; EvasionGetTickCount; CheckCmdLine
Verdict: Likely Malicious
Threat level: 7.5/10
Confidence: 100%
Tags: greyware, keylogger, packed, print.exe
Result
Verdict: UNKNOWN
Details: Windows PE Executable. Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Unknown
Detection: malicious
Classification: troj.evad
Score: 88 / 100
Signature
Creates an autostart registry key pointing to binary in C:\Windows
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
Sigma detected: UNC2452 Process Creation Patterns
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Behaviour
Behavior Graph (ID 556815, sample name ZKKu75MVQj, start date 20/01/2022, architecture WINDOWS, score 88). The graph is an image on the original page; the process tree and network indicators it encodes are listed here. Node numbers are the graph's own. The sample is started through loaddll64.exe and rundll32.exe, consistent with the PE+ (Dll) file type another vendor reports further down.

Top-level signatures: Multi AV Scanner detection for submitted file; Sigma detected: UNC2452 Process Creation Patterns; Sigma detected: Suspicious Call by Ordinal.

Process tree:
- root -> loaddll64.exe (13), rundll32.exe (15), rundll32.exe (17)
- 13 -> rundll32.exe (19, 21, 26), cmd.exe (23)
- 23 [Uses ping.exe to sleep; Uses cmd line tools excessively to alter registry or file data; Uses ping.exe to check the status of other devices and networks] -> rundll32.exe (32), conhost.exe (34)
- 19 -> cmd.exe (28) -> rundll32.exe (36), conhost.exe (38), timeout.exe (41)
- 21 -> cmd.exe (30) -> rundll32.exe (43), conhost.exe (45), timeout.exe (47)
- 36 -> cmd.exe (49), cmd.exe (51); 38 -> conhost.exe (54), reg.exe (56); 43 -> cmd.exe (58), cmd.exe (60)
- 49 -> rundll32.exe (62), conhost.exe (65), choice.exe (67)
- 51 -> reg.exe (69) [Creates an autostart registry key pointing to binary in C:\Windows], conhost.exe (71)
- 58 -> PING.EXE (73) -> 192.0.2.132 (unknown, Reserved); 2 other processes
- 60 -> conhost.exe (76), reg.exe (78)
- 62 [Writes to foreign memory regions; Modifies the context of a thread in another process (thread injection); Injects a PE file into a foreign processes] -> chrome.exe (82), cmd.exe (85), cmd.exe (88)
- 82 -> 144.217.50.242:443 (OVHFR, Canada; local port 49826), cmd.exe (90, 93, 95); 2 other processes
- 85, 88, 90, 93, 95 -> conhost.exe and reg.exe each [Uses cmd line tools excessively to alter registry or file data]
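The signatures above (rundll32 called by ordinal, ping.exe and timeout.exe used as a sleep, reg.exe adding an autostart entry that points into C:\Windows, bursts of reg.exe under one parent) are cheap to detect from process-creation telemetry. The following is an added example, not code from MalwareBazaar or from any of the vendors listed on this page: it runs that rule logic over a handful of constructed, Sysmon-style events whose command lines are hypothetical, not the sample's recorded ones. One caveat the ping rule encodes: 192.0.2.0/24, the target in the graph above, is an RFC 5737 documentation range, so a long `ping -n` against it (or against loopback) never reaches a host and is a sleep rather than a reachability check.

```python
"""Process-creation detection for the behaviours the sandbox reports list for
this sample.  Added example: EVENTS is constructed and hypothetical, not the
sample's recorded command lines."""
import ipaddress
import re
from collections import Counter

# Constructed Sysmon Event ID 1-style events (hypothetical command lines).
EVENTS = [
    {"pid": 13, "ppid": 2, "image": r"C:\Windows\System32\loaddll64.exe",
     "cmdline": r'loaddll64.exe "C:\Users\victim\AppData\Local\Temp\sample.dll"'},
    {"pid": 19, "ppid": 13, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe "C:\Users\victim\AppData\Local\Temp\sample.dll",#1'},
    {"pid": 23, "ppid": 19, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c ping -n 20 192.0.2.132 > nul'},
    {"pid": 73, "ppid": 23, "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": r'ping -n 20 192.0.2.132'},
    {"pid": 41, "ppid": 28, "image": r"C:\Windows\System32\timeout.exe",
     "cmdline": r'timeout /t 15'},
    {"pid": 69, "ppid": 51, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "C:\Windows\Tasks\upd.exe" /f'},
    {"pid": 99, "ppid": 85, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add HKCU\Software\Example /v a /t REG_SZ /d 1 /f'},
    {"pid": 103, "ppid": 85, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add HKCU\Software\Example /v b /t REG_SZ /d 2 /f'},
    {"pid": 107, "ppid": 85, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add HKCU\Software\Example /v c /t REG_SZ /d 3 /f'},
    # Benign control: a short ping to a routable host must not fire.
    {"pid": 200, "ppid": 150, "image": r"C:\Windows\System32\PING.EXE",
     "cmdline": r'ping -n 4 10.0.0.5'},
]

# rundll32 <dll>,#<ordinal>  (the "Suspicious Call by Ordinal" pattern)
ORDINAL_RE = re.compile(r'rundll32(?:\.exe)?\s+.+?,\s*#\d+', re.I)
PING_COUNT_RE = re.compile(r'-n\s+(\d+)', re.I)
TIMEOUT_RE = re.compile(r'timeout(?:\.exe)?\s+(?:/t\s+)?(\d+)', re.I)
# reg add ...\CurrentVersion\Run ... /d <data>: capture the autostart target
RUN_KEY_RE = re.compile(
    r'reg(?:\.exe)?\s+add\s+\S*\\CurrentVersion\\Run\b.*?/d\s+"?([^"\s]+)', re.I)

# Loopback plus the RFC 5737 documentation ranges: no host ever answers, so a
# long -n count against them is a delay, not a reachability check.
SLEEP_TARGETS = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "0.0.0.0/8", "192.0.2.0/24",
                  "198.51.100.0/24", "203.0.113.0/24")]


def _basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def _ping_target(cmdline):
    """First token of the command line that parses as an IP address, if any."""
    for tok in cmdline.split():
        try:
            return ipaddress.ip_address(tok)
        except ValueError:
            continue
    return None


def detect(events, sleep_seconds=10, reg_burst=3):
    """Return {rule_name: [pid, ...]} for the events that match each rule."""
    findings = {"rundll32_ordinal_call": [], "ping_as_sleep": [],
                "timeout_as_sleep": [], "autostart_into_windows_dir": [],
                "excessive_reg_exe": []}
    reg_per_parent = Counter()
    for ev in events:
        name, cmd, pid = _basename(ev["image"]), ev["cmdline"], ev["pid"]
        if name == "rundll32.exe" and ORDINAL_RE.search(cmd):
            findings["rundll32_ordinal_call"].append(pid)
        elif name == "ping.exe":
            m = PING_COUNT_RE.search(cmd)
            count = int(m.group(1)) if m else 1
            target = _ping_target(cmd)
            unroutable = target is not None and any(target in n for n in SLEEP_TARGETS)
            # ping sends one echo per second by default, so -n N waits about N-1 s
            if count >= sleep_seconds or (unroutable and count > 1):
                findings["ping_as_sleep"].append(pid)
        elif name == "timeout.exe":
            m = TIMEOUT_RE.search(cmd)
            if m and int(m.group(1)) >= sleep_seconds:
                findings["timeout_as_sleep"].append(pid)
        elif name == "reg.exe":
            reg_per_parent[ev["ppid"]] += 1
            m = RUN_KEY_RE.search(cmd)
            if m and m.group(1).lower().startswith("c:\\windows\\"):
                findings["autostart_into_windows_dir"].append(pid)
    # "excessive" use of reg.exe: several children of one parent
    findings["excessive_reg_exe"] = sorted(
        ppid for ppid, n in reg_per_parent.items() if n >= reg_burst)
    return findings


if __name__ == "__main__":
    for rule, pids in detect(EVENTS).items():
        print(f"{rule:28s} {pids}")
```

The thresholds (10 seconds, three reg.exe children) are assumptions chosen so the benign control event stays quiet; tune them against your own baseline before deploying, and feed the rules real Sysmon or 4688 events rather than the constructed list.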
Threat name: Win64.Trojan.Bazarloader
Status: Malicious
First seen: 2022-01-19 20:18:42 UTC
File Type: PE+ (Dll)
Extracted files: 63
AV detection: 10 of 28 (35.71%)
Threat level: 5/5
Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour: Modifies data under HKEY_USERS; Suspicious use of WriteProcessMemory; Sets service image path in registry
Unpacked files
SHA256 hash: c4ee1c01c69af8c987dfc5f7790b3c8d2474ae1fe1771d4f2fef9720d54fd3ff
MD5 hash: 4925a10905e4df9d65e87afed2d77c45
SHA1 hash: ef913fbd9ec848b59941bc8cce6e0a357d850b2d
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: BazaLoader
File: Executable exe c4ee1c01c69af8c987dfc5f7790b3c8d2474ae1fe1771d4f2fef9720d54fd3ff (this sample)

Delivery method: Distributed via web download

Comments



zbet commented on 2022-01-20 12:54:19 UTC

url : hxxp://ccmasheville.com/image.png