MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d15dbfb7ef0511556a3527cc98d09145a56302bdd19a6083ee6d007af3352434. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BazaLoader


Vendor detections: 7



SHA256 hash: d15dbfb7ef0511556a3527cc98d09145a56302bdd19a6083ee6d007af3352434
SHA3-384 hash: 7f875aceb69785f4349813125b379fcf56cf30a4858794f44aad671e3fe55801cb3b120234e06f3daa0114a46143d8bc
SHA1 hash: f10621be9bfee0152931f7790c2cbff022611f62
MD5 hash: 7c64ea7c4a229414b6048d18ab0836fd
humanhash: colorado-cola-speaker-dakota
File name: stage1.bin
Download: download sample
Signature: BazaLoader
File size: 116'224 bytes
First seen: 2021-07-30 21:47:16 UTC
Last seen: 2021-07-30 22:40:06 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 2394b7a9184ee0a0dd541a06dbc4d8c5 (1 x BazaLoader)
ssdeep: 1536:n1ahc4Sg6qtbxmmeBAxMlkZP2EBG53NQGzcrUbqxBtk13S8s:n1aO4V6IMJ36eEBiqtgbqidS
Threatray: 49 similar samples on MalwareBazaar
TLSH: T1D9B3F760D216C0B8C58CD0B7F194AA72EC483870A3C6F7DB968621E916D0DD7747FADA
Reporter: johannes
Tags: BazaLoader BazarLoader exe


viql
The unpacked version of 86d2aa04988befc74eccca5d99550f67093969b31aafa11cdce3476a4c59ba74

Intelligence


File Origin
# of uploads :
2
# of downloads :
595
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
stage1.bin
Verdict:
No threats detected
Analysis date:
2021-07-30 22:00:12 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Generic Malware
Verdict:
Malicious
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
68 / 100
Signature
Multi AV Scanner detection for submitted file
Sigma detected: CobaltStrike Load by Rundll32
System process connects to network (likely due to code injection or exploit)
Tries to resolve many domain names, but no domain seems valid
Behaviour
Behavior Graph (ID 457133; sample: stage1.bin; start date: 30/07/2021; architecture: WINDOWS; score: 68). Rendered graph not recoverable; the information that survives from it:
Processes: loaddll64.exe (started rundll32.exe, cmd.exe, rundll32.exe); rundll32.exe; cmd.exe (started rundll32.exe)
DNS / IPs: yzrekyw.bazar, wa4ekvi.bazar and 13 other IPs or domains (initial process); yzygom.bazar, yzwyyw.bazar and 287 other IPs or domains (rundll32.exe)
Signatures: Multi AV Scanner detection for submitted file; Sigma detected: CobaltStrike Load by Rundll32; System process connects to network (likely due to code injection or exploit); Tries to resolve many domain names, but no domain seems valid
Threat name:
Win64.Backdoor.Bazdor
Status:
Malicious
First seen:
2021-07-30 21:48:04 UTC
AV detection:
7 of 46 (15.22%)
Threat level:
  5/5
Result
Malware family:
bazarloader
Score:
  10/10
Tags:
family:bazarloader
Behaviour
Blocklisted process makes network request
Unpacked files
SHA256 hash:
d15dbfb7ef0511556a3527cc98d09145a56302bdd19a6083ee6d007af3352434
MD5 hash:
7c64ea7c4a229414b6048d18ab0836fd
SHA1 hash:
f10621be9bfee0152931f7790c2cbff022611f62
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BazaLoader

Executable exe d15dbfb7ef0511556a3527cc98d09145a56302bdd19a6083ee6d007af3352434

(this sample)

Comments