MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc27c7c159716192b33257b7941ef2a61af998a39c2da47c1c5fc8863971bb0b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BazaLoader


Vendor detections: 7



SHA256 hash: cc27c7c159716192b33257b7941ef2a61af998a39c2da47c1c5fc8863971bb0b
SHA3-384 hash: ffc962bbc762ef37cd6eab02c2a3d8c4fe093583e526b427fb5854e5c809f0c70b30904a3582f27b0bbd1031766abcbe
SHA1 hash: 0fccdee72e8da2aeb4bc5de305bc313a5878f939
MD5 hash: 85024abbb2c097a36732d3393785dcba
humanhash: early-salami-pluto-william
File name: triage_dropped_file
Signature: BazaLoader
File size: 476'287 bytes
First seen: 2021-08-26 14:35:33 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 35890417b8426ce9add593489cc763e0 (5 x BazaLoader)
ssdeep: 6144:MH9wwMZWjYVYbxiLlxrifcqhLxSOldE8zUH5h+pR5296Sm3iG0hjwR45Mw/Yogcq:okFdK2aUpSFCp0LcjzCemnkH2
Threatray: 43 similar samples on MalwareBazaar
TLSH: T188A4AD4ACCC5E787FD65883DECD862A6C5536B3C4E7EEAF768E4A03075240B98857113
Reporter: malwarelabnet
Tags: BazaLoader BazarBackdoor exe

Intelligence


File Origin
# of uploads :
1
# of downloads :
245
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
triage_dropped_file
Verdict:
No threats detected
Analysis date:
2021-08-26 14:38:38 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Transferring files using the Background Intelligent Transfer Service (BITS)
Connection attempt
Sending a custom TCP request
Launching a process
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Threat name:
Bazar Loader
Detection:
malicious
Classification:
spre.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Detected Bazar Loader
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Performs a network lookup / discovery via net view
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sample uses process hollowing technique
Sets debug register (to hijack the execution of another thread)
Sigma detected: CobaltStrike Load by Rundll32
Sigma detected: Dridex Process Pattern
Sigma detected: Regsvr32 Command Line Without DLL
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Behavior Graph ID: 472278
Sample: triage_dropped_file
Startdate: 26/08/2021
Architecture: WINDOWS
Score: 100

Sample-level signatures:
  Detected Bazar Loader
  Sigma detected: CobaltStrike Load by Rundll32
  Sigma detected: Dridex Process Pattern
  2 other signatures

Process tree (network contacts and signatures listed under the process that produced them):
  loaddll64.exe
    regsvr32.exe
      94.140.112.22:443 (TELEMACH Broadband Access Carrier Services SI, Latvia)
      System process connects to network (likely due to code injection or exploit)
      Contains functionality to inject code into remote processes
      Sets debug register (to hijack the execution of another thread)
      5 other signatures
      svchost.exe
        myexternalip.com 34.117.59.81:443 (GOOGLE-AS-AP Google Asia Pacific Pte Ltd SG, United States)
        172.83.155.231:443 (CNSERVERSUS, United States)
        System process connects to network (likely due to code injection or exploit)
        Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
        Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
        Performs a network lookup / discovery via net view
        net.exe
          conhost.exe
        net.exe
          conhost.exe
        nltest.exe
          conhost.exe
    iexplore.exe
      iexplore.exe
        edge.gycpi.b.yahoodns.net 87.248.118.22:443 (YAHOO-DEBDE, United Kingdom)
        geolocation.onetrust.com 104.20.184.68:443 (CLOUDFLARENETUS, United States)
        9 other IPs or domains
    cmd.exe
      rundll32.exe
    5 other processes
  rundll32.exe
Threat name:
Win64.Trojan.BazarLoader
Status:
Malicious
First seen:
2021-08-26 14:36:30 UTC
AV detection:
10 of 28 (35.71%)
Threat level:
5/5
Result
Malware family:
bazarbackdoor
Score:
10/10
Tags:
family:bazarbackdoor backdoor
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Bazar/Team9 Backdoor payload
BazarBackdoor
Unpacked files
SHA256 hash:
cc27c7c159716192b33257b7941ef2a61af998a39c2da47c1c5fc8863971bb0b
MD5 hash:
85024abbb2c097a36732d3393785dcba
SHA1 hash:
0fccdee72e8da2aeb4bc5de305bc313a5878f939
Malware family:
BazarLoader
Verdict:
Malicious
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments