MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d362c83e5a6701f9ae70c16063d743ea9fe6983d0c2b9aa2c2accf2d8ba5cb38. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d362c83e5a6701f9ae70c16063d743ea9fe6983d0c2b9aa2c2accf2d8ba5cb38
SHA3-384 hash: 4d17685250af220567bb50b0768673ecbdb244e9c8e57e934434d1df931ac7a1fa243f5ac7e7dff6c42198ebf1c31010
SHA1 hash: 05cbef6bd0992e3532a3c597957f821140b61b94
MD5 hash: 8a528ec7943727678bac5b9f1b74627a
humanhash: mango-illinois-seventeen-fruit
File name:file.exe
Download: download sample
Signature BazaLoader
Create hunting rule
File size:563'416 bytes
First seen:2021-01-08 18:58:51 UTC
Last seen:2021-01-08 20:28:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 578738b5c4621e1bf95fce0a570a7cfc (1 x BazaLoader)
ssdeep 12288:PClgmGXmoADgHpm+8WNz2GtUCwSIVogzdSvQ8QxWhQrfl4eMCz:PCeRADEpqmz2GJVIPzdSFQohdI
Threatray 79 similar samples on MalwareBazaar
TLSH 70C48E4BFBB440F5D0569135C9728B4AE7B2BCAD4B71838F126857AB2F336919C39321
Reporter James_inthe_box
Tags:BazaLoader exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
273
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file.exe
Verdict:
No threats detected
Analysis date:
2021-01-08 19:00:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c2b1d02d-4ce5-4b0e-a3c5-263fa2ea459e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/111072/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.45377734.18229.3151.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Changing a file
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the Windows subdirectories
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/577078
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Creates multiple autostart registry keys
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 337591 Sample: file.exe Startdate: 08/01/2021 Architecture: WINDOWS Score: 100 77 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->77 79 Multi AV Scanner detection for submitted file 2->79 81 Uses ping.exe to sleep 2->81 83 Uses ping.exe to check the status of other devices and networks 2->83 13 file.exe 2->13         started        15 cmd.exe 1 2->15         started        17 cmd.exe 1 2->17         started        19 2 other processes 2->19 process3 process4 21 cmd.exe 1 13->21         started        24 reg.exe 1 1 15->24         started        26 J8JD800.exe 15->26         started        28 conhost.exe 15->28         started        30 J8JD800.exe 17->30         started        32 conhost.exe 17->32         started        34 reg.exe 1 17->34         started        signatures5 85 Uses ping.exe to sleep 21->85 36 file.exe 1 21->36         started        39 conhost.exe 21->39         started        41 PING.EXE 1 21->41         started        87 Creates multiple autostart registry keys 24->87 process6 file7 69 C:\Users\user\AppData\Local\...\J8JD800.exe, PE32+ 36->69 dropped 43 cmd.exe 1 36->43         started        process8 signatures9 99 Uses ping.exe to sleep 43->99 46 J8JD800.exe 1 43->46         started        49 conhost.exe 43->49         started        51 PING.EXE 1 43->51         started        process10 signatures11 101 Multi AV Scanner detection for dropped file 46->101 103 Creates multiple autostart registry keys 46->103 105 Contains functionality to inject code into remote processes 46->105 53 cmd.exe 1 46->53         started        process12 signatures13 89 Uses ping.exe to sleep 53->89 56 J8JD800.exe 1 53->56         started        60 conhost.exe 53->60         started        62 PING.EXE 1 53->62         started        process14 dnsIp15 73 54.184.178.68, 443, 49742, 49744 AMAZON-02US United States 56->73 75 192.168.2.1 unknown unknown 56->75 91 Writes to foreign memory regions 56->91 93 Allocates memory in foreign processes 56->93 95 Modifies the context of a thread in another process (thread injection) 56->95 97 2 other signatures 56->97 64 cmd.exe 1 56->64         started        signatures16 process17 dnsIp18 71 52.90.110.55, 443, 49748, 49777 AMAZON-AESUS United States 64->71 67 conhost.exe 64->67         started        process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d362c83e5a6701f9ae70c16063d743ea9fe6983d0c2b9aa2c2accf2d8ba5cb38/
Threat name:
Win64.Backdoor.Bazdor
Create hunting rule
Status:
Malicious
First seen:
2021-01-08 03:05:00 UTC
File Type:
PE+ (Exe)
Extracted files:
45
AV detection:
16 of 46 (34.78%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2nrmqps2m4a7tltqyfqghv2d5kp6ngb5bqvzviwcvths3c5fzm4a._file
Verdict:
malicious
Similar samples:
0fb8a792dd48796bac2d508c1928aa539ced639ea99a5e2c9d6e2be5a7e82d43
BazaLoader
1a11f48cbdd0a8f256f4940d8e8dcf0ead80cbfdb6d6dd87c8b9b945c4051631
BazaLoader
1ea7aff75af63e55b05fd2d3015df1a3edfd1fcdad8305e1ff64611d37d97ee4
BazaLoader
26729effad95a8719e8716cb65aa5d5eb1ab255d4782f0d19471c1be963cffad
BazaLoader
2a7964c5d7268f4b320e91ad133654d75edca3c15f9e5c76dee7bf68634b933f
BazaLoader
5c59f12280cdfd8303296be2502e5800873fe8dd7aa800bddd18da475f787244
BazaLoader
8c55e3b7ce984976b237f03414886e8a2df5884d6f1485716493c84b0abf073e
BazaLoader
8c99069bcb559bf7d9606af7ba1538cc8bacd79b4f3846f7487ec3b5179ef9d5
BazaLoader
cf6683d18904fde78028d901f9282099e3dc24a2ce6157003dced3ae387bdcfb
BazaLoader
d8576fba423360297b0661833a0e06564230c2079db214dc6830c648e5193e51
BazaLoader
+ 69 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/210108-nq3nfzhbb2/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SH256 hash:
d362c83e5a6701f9ae70c16063d743ea9fe6983d0c2b9aa2c2accf2d8ba5cb38
MD5 hash:
8a528ec7943727678bac5b9f1b74627a
SHA1 hash:
05cbef6bd0992e3532a3c597957f821140b61b94
Link:
https://www.unpac.me/results/8c76a52d-8754-4ace-80d4-e7d7ee0e97f4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d362c83e5a6701f9ae70c16063d743ea9fe6983d0c2b9aa2c2accf2d8ba5cb38

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:bazaloader_new_bin
Create hunting rule
Author:James_inthe_box
Description:Asshat loader
Reference:https://app.any.run/tasks/c2a9076e-3174-4ad5-b284-d562778dd644
Rule name:bazaloader_new_bin_s
Create hunting rule
Author:James_inthe_box
Description:Asshat loader
Reference:https://app.any.run/tasks/c2a9076e-3174-4ad5-b284-d562778dd644
Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/111072/

Comments