MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cbe165fddd39686da18fb293060b912be8cb49a47dc1eab85aa1e6aa5c9c4570. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cbe165fddd39686da18fb293060b912be8cb49a47dc1eab85aa1e6aa5c9c4570
SHA3-384 hash: fe315620b1ee4b44f6d0b2ce5903f6d234a118455821e2b94ce6e8861520dd430309d46befe1872e629aade21166245d
SHA1 hash: 7430790280be7ff55a12fa660cb01bb7836af55e
MD5 hash: 066508c236e0d94c3fa829eb6d5df0bd
humanhash: georgia-red-cardinal-fanta
File name:cbe165fddd39686da18fb293060b912be8cb49a47dc1eab85aa1e6aa5c9c4570
Download: download sample
Signature BazaLoader
Create hunting rule
File size:581'632 bytes
First seen:2021-06-29 22:18:08 UTC
Last seen:2021-06-29 22:43:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7ed9e91942b3bbd0a1d4ae95968576a2 (1 x BazaLoader)
ssdeep 12288:qGC2YqxYFbU6eIJRXMjFVINweOiXMWBeJb36cb0vsT7cOYzI:q12raU6eIJRXMjFVZeOiXMWc1zY
Threatray 28 similar samples on MalwareBazaar
TLSH 4FC49E56F6A045B0E0BBE17AC9A34B8AEA713894873197CB4354971A3F337E19D3D720
Reporter Anonymous
Tags:BazaLoader exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
119
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
cbe165fddd39686da18fb293060b912be8cb49a47dc1eab85aa1e6aa5c9c4570
Verdict:
No threats detected
Analysis date:
2021-06-29 22:22:08 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/56609faa-5207-4eff-a4da-66c00b0d77f7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/168851/
Detection(s):
SecuriteInfo.com..20018.14169.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BazarBackdoor
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9c24e531-a727-4c1a-b79e-e512d0f281e1
Result
Threat name:
Bazar Loader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/809707
Signature
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: CobaltStrike Load by Rundll32
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Yara detected Bazar Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 442118 Sample: mTTBWOAhgo Startdate: 30/06/2021 Architecture: WINDOWS Score: 84 29 Yara detected Bazar Loader 2->29 31 Sigma detected: CobaltStrike Load by Rundll32 2->31 8 loaddll64.exe 1 2->8         started        process3 process4 10 rundll32.exe 15 8->10         started        14 rundll32.exe 14 8->14         started        16 cmd.exe 1 8->16         started        dnsIp5 27 45.148.120.77, 443, 49721, 49724 SKB-ENTERPRISENL Netherlands 10->27 41 Writes to foreign memory regions 10->41 43 Allocates memory in foreign processes 10->43 45 Modifies the context of a thread in another process (thread injection) 10->45 18 lsass.exe 10->18         started        47 System process connects to network (likely due to code injection or exploit) 14->47 49 Sample uses process hollowing technique 14->49 51 Injects a PE file into a foreign processes 14->51 20 lsass.exe 14->20         started        22 rundll32.exe 14 16->22         started        signatures6 process7 signatures8 33 Allocates memory in foreign processes 22->33 35 Modifies the context of a thread in another process (thread injection) 22->35 37 Sample uses process hollowing technique 22->37 39 Injects a PE file into a foreign processes 22->39 25 lsass.exe 1 22->25         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/cbe165fddd39686da18fb293060b912be8cb49a47dc1eab85aa1e6aa5c9c4570/
Verdict:
malicious
Similar samples:
1a82ee0d5a11d5431581aa185cee32ab29103083a65e5ddaffed04809b16137c
BazaLoader
447a0ab1979dfe2b0d3ebd7082dec8ad9fba6c8a34bef39217fa4f2c6073c5d8
BazaLoader
461e6f9d0bff2b46c77cb78d2d885570b4f75a5b3b9d6ed9b01193970ccf24d1
BazaLoader
6c6939f72d85a8d97f4aa81c53d02dccca16e6deff4a2a3eb017ea374713aace
BazaLoader
b057eb94e711995fd5fd6c57aa38a243575521b11b98734359658a7a9829b417
BazaLoader
bd22fdab541d4517cbf4b96b1986cd370ffc2532392a5b1801c819f67099f9da
BazaLoader
c38f9b32dc3e0632662c159f599972a9f800194b10d6486a6cf8de699aa611fc
BazaLoader
dbd56f0dc20aec5289e993087b32a9485ccea4ae9796c58c008eb946d7646a94
BazaLoader
e6f0206d99bc279a062e055582e2c452500d7067968e9de186d7d78ed158271d
BazaLoader
f25aca08079e42ada9ce9fbd59639686c7e87be6979943b8a8a555bedbe1a7cf
BazaLoader
+ 18 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210629-f72wjfe44e/
Behaviour
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Blocklisted process makes network request
Unpacked files
SH256 hash:
cbe165fddd39686da18fb293060b912be8cb49a47dc1eab85aa1e6aa5c9c4570
MD5 hash:
066508c236e0d94c3fa829eb6d5df0bd
SHA1 hash:
7430790280be7ff55a12fa660cb01bb7836af55e
Link:
https://www.unpac.me/results/74d49f5f-c3c4-4627-b43f-01c9087eb4d5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/cbe165fddd39686da18fb293060b912be8cb49a47dc1eab85aa1e6aa5c9c4570

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/168851/

Comments