MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d41c191058675d5e5280c63aaa04e8eee80401d6887205c47f26723e1de9decb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BazaLoader

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	d41c191058675d5e5280c63aaa04e8eee80401d6887205c47f26723e1de9decb
SHA3-384 hash:	79d8f9d632ae07d333fe46c2a791edcace5f1d19354579ab4340311dc25743c61a20d4290928b97ad96d71f421a1c1de
SHA1 hash:	579dccf341148d7fd7285c777e3b35d4f5dd8f0d
MD5 hash:	f67b4f600c31ed5cc60ac7afda14233a
humanhash:	yellow-massachusetts-ack-white
File name:	Document-26-10.exe
Download:	download sample
Signature	BazaLoader Create hunting rule
File size:	512'336 bytes
First seen:	2020-10-26 18:07:13 UTC
Last seen:	2020-10-26 20:01:21 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	0e67c819b495cc0ceb1691acd53675c2 (1 x BazaLoader)
ssdeep	6144:xrbRTwYHpBmqZUeDgH4nBHIiVH4Pdznqq8+qjGzA6w0ukYhVB3YcR:xrbmYJBmHYnh/2nqqGjGzbwLkOVB3z
Threatray	136 similar samples on MalwareBazaar
TLSH	8BB4A5C3F054349CF8DF827BB9DA4E25B1E27C560A432A0212753FA5BF321915BC9A6D
Reporter	ffforward
Tags:	BazaLoader Best Fud OOO exe signed

Code Signing Certificate

Organisation:	Best Fud
Issuer:	DigiCert EV Code Signing CA
Algorithm:	sha256WithRSAEncryption
Valid from:	Aug 21 00:00:00 2020 GMT
Valid to:	Jun 2 12:00:00 2021 GMT
Serial number:	085B70224253486624FC36FA658A1E32
Intelligence:	9 malware samples on MalwareBazaar are signed with this code signing certificate
MalwareBazaar Blocklist:	This certificate is on the MalwareBazaar code signing certificate blocklist (CSCB)
Thumbprint Algorithm:	SHA256
Thumbprint:	693CC59045DE342FBE55E06CBACD006BFBED33BEAE4000E3013CE910B967D6DB
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

110

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/79476/

Detection(s):

SecuriteInfo.com.generic.ml.4376.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

DNS request

Sending a custom TCP request

Launching cmd.exe command interpreter

Creating a process with a hidden window

Unauthorized injection to a system process

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj

Score:

56 / 100

Link:

https://www.joesandbox.com/analysis/512636

Signature

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Initial sample is a PE file and has a suspicious name

Tries to resolve many domain names, but no domain seems valid

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d41c191058675d5e5280c63aaa04e8eee80401d6887205c47f26723e1de9decb/

Threat name:

Win64.Trojan.Bazaloader

Status:

Malicious

First seen:

2020-10-26 18:11:39 UTC

File Type:

PE+ (Exe)

Extracted files:

AV detection:

35 of 48 (72.92%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2qobsecym5ov4uuayy5kubhi53uaiaowrbzalrd7ezzd4hpj33fq._file

Verdict:

malicious

BazaLoader

1642ec3f8d77278e1fca7e99fb3da2ada567b0186af8c1e5dcce9b2151626434

BazaLoader

1ea7aff75af63e55b05fd2d3015df1a3edfd1fcdad8305e1ff64611d37d97ee4

BazaLoader

2a7964c5d7268f4b320e91ad133654d75edca3c15f9e5c76dee7bf68634b933f

BazaLoader

40e57eae3bb200542384e2da14a92ca88d1b806f9f9e8e577468da2594ad1c84

BazaLoader

563463b7b68cb19bba718bd6d1e8e3573b7c08fbbce9d86219ea242790ee41b9

BazaLoader

5e9ba87c848255e2291680e16843305d2b797b375a3729d9f920c1b1b9781005

BazaLoader

8d84a168fde968b3beb835a96fc340d2b4c1307e97ab677002197ed664f9838e

BazaLoader

d39c5c69570369aba1312477175e799f5a921779b2eb52a85957e5ae47304165

BazaLoader

e3f87e59fd8941eb351fda58d6dc02de81968955491239b8e1ca1ad8e05db0ad

BazaLoader

+ 126 additional samples on MalwareBazaar

Result

Malware family:

bazarbackdoor

Score:

10/10

Tags:

backdoor family:bazarbackdoor

Link:

https://tria.ge/reports/201026-lnjr8cp3kj/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Blacklisted process makes network request

BazarBackdoor

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Cobalt_functions Create hunting rule
Author:	@j0sm1
Description:	Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT

Rule name:	INDICATOR_EXE_Packed_LLVMLoader Create hunting rule
Author:	ditekSHen
Description:	Detects LLVM obfuscator/loader

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Distributed via e-mail link

Cape

https://www.capesandbox.com/analysis/79476/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample