MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf53b4386f5efb01cd84a8aa13f240b83ce152e8984233fa3ea440f01dcc0131. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BazaLoader
Vendor detections: 8

SHA256 hash: cf53b4386f5efb01cd84a8aa13f240b83ce152e8984233fa3ea440f01dcc0131
SHA3-384 hash: 5e7ac1a707f43423331e1c2cb27d42da6a82a5d3ecaa3773475debccdebcd89769de14bbd00812c9ae7f5247347d18b7
SHA1 hash: f22e0840f91b78bf5033a388b3452f72b887477d
MD5 hash: f7602d273950f3c9640aaf2b365f1e76
humanhash: tennessee-gee-lactose-snake
File name: f7602d273950f3c9640aaf2b365f1e76.dll
Signature: BazaLoader
File size: 315'392 bytes
First seen: 2022-02-01 16:54:49 UTC
Last seen: 2022-02-01 19:09:42 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: d4755b9a9aec93c05c955ca11140bdc5 (8 x BazaLoader, 3 x IcedID)
ssdeep: 6144:MzySnLRT5vNwEsWtq1qliPs/wWkp30qs7xKZtuAv1x9K:M3LRdZssq1qAPs/wWU0H7x+tH2
Threatray: 62 similar samples on MalwareBazaar
TLSH: T17564CFBA76541CE7E17F4237CA936C99537236118A56DECE8074A7C30F633A0EE1AD04
Reporter: abuse_ch
Tags: BazaLoader dll exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 167
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness: (not reported)
Behaviour:
- Searching for the window
- DNS request
- Sending a custom TCP request

Result
Malware family: n/a
Score: 6/10
Tags: n/a
Behaviour:
- MalwareBazaar
- MeasuringTime
- EvasionQueryPerformanceCounter
- CheckCmdLine
Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: greyware

Result
Threat name: BazaLoader
Detection: malicious
Classification: troj.evad
Score: 92 / 100
Signature:
- Allocates memory in foreign processes
- Injects a PE file into a foreign process
- Modifies the context of a thread in another process (thread injection)
- Sigma detected: Suspect Svchost Activity
- Sigma detected: Suspicious Call by Ordinal
- Sigma detected: Suspicious Svchost Process
- System process connects to network (likely due to code injection or exploit)
- Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
- Writes to foreign memory regions
- Yara detected BazaLoader

Result
Threat name: Win64.Trojan.Generic
Status: Suspicious
First seen: 2022-02-01 15:51:32 UTC
File Type: PE+ (Dll)
Extracted files: 1
AV detection: 10 of 28 (35.71%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Unpacked files
SHA256 hash: cf53b4386f5efb01cd84a8aa13f240b83ce152e8984233fa3ea440f01dcc0131
MD5 hash: f7602d273950f3c9640aaf2b365f1e76
SHA1 hash: f22e0840f91b78bf5033a388b3452f72b887477d

Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: SPLCrypt
Author: James Quinn, Binary Defense
Description: Identifies SPLCrypt, a new crypter associated with Bazaloader

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download (distributed via web download)
Sample: BazaLoader, Executable exe cf53b4386f5efb01cd84a8aa13f240b83ce152e8984233fa3ea440f01dcc0131 (this sample)