MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dbcc44b0fc980a62f0d950b32634d5d2d03785a0e7b7659cc3f2bf220d6c3f10. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BazaLoader

Vendor detections: 6

Intelligence 6 IOCs YARA 5 File information Comments

SHA256 hash:	dbcc44b0fc980a62f0d950b32634d5d2d03785a0e7b7659cc3f2bf220d6c3f10
SHA3-384 hash:	ec5e7ae271208ef64a324e812ac42cf469961869db16d5247668b2e2373bbbf72a089c23d80731bf7199d0bb56666da3
SHA1 hash:	983f34b013186bdb199692022f5f1b84db37765e
MD5 hash:	6ccf11aecc3b829698cdf1972f5d8732
humanhash:	violet-three-johnny-twelve
File name:	6ccf11aecc3b829698cdf1972f5d8732.dll
Download:	download sample
Signature	BazaLoader Create hunting rule
File size:	1'250'822 bytes
First seen:	2021-07-31 06:40:30 UTC
Last seen:	2021-07-31 07:50:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2869cb885758b15d003acb119f131468 (6 x BazaLoader, 3 x CobaltStrike, 1 x IcedID)
ssdeep	12288:6yWeahQ/LWnzkXz5HYrniajhuSlHJzJBlPXXo/6aNdCaBSPZC1XZV72BZ:HWeaZzqY7dhBjz/lfo/FIyXv72BZ
Threatray	30 similar samples on MalwareBazaar
TLSH	T153455B127CE184FED63AE0344892C3917632BC6563313BD73E5565BA2A75BD23A3E324
Reporter	abuse_ch
Tags:	BazaLoader dll exe

Intelligence

File Origin

# of uploads :

# of downloads :

589

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

6ccf11aecc3b829698cdf1972f5d8732.dll

Verdict:

No threats detected

Analysis date:

2021-07-31 06:42:19 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/4b9f73e4-6df0-405d-a56c-fe4886365861

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/175412/

Detection(s):

SecuriteInfo.com.Variant.Bulz.581294.13973.3737.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Unknown

Link:

https://analyze.intezer.com/analyses/92a63bbe-c1b5-4f58-8cfd-bb59664af5ef

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/824827

Signature

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Sigma detected: CobaltStrike Load by Rundll32

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

System process connects to network (likely due to code injection or exploit)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/dbcc44b0fc980a62f0d950b32634d5d2d03785a0e7b7659cc3f2bf220d6c3f10/

Threat name:

Win64.Backdoor.Bazdor

Status:

Malicious

First seen:

2021-07-29 21:13:00 UTC

AV detection:

2 of 28 (7.14%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=3pgejmh4tafgf4gzkczsmngv2lidpbna463wlhgd6k7sedlmh4ia._file

Verdict:

malicious

BazaLoader

37065b2a4cdaec2b1a260b39738746cb45895bd6d508e7aa5e4013e94abc6196

BazaLoader

89e803fb3d77bd7c8ce32b32eaa6832dd37dba1fe675ac46cce0cb297646dc0d

BazaLoader

8fccef8c77091c260d0926d4ebe9ee80d79be2262360679a4d59c2a6efeca7ab

BazaLoader

a314401b8e12130bea249a3734022a8ebd46b8e65b18535db60944a00e84e6f6

BazaLoader

b057eb94e711995fd5fd6c57aa38a243575521b11b98734359658a7a9829b417

BazaLoader

cbe165fddd39686da18fb293060b912be8cb49a47dc1eab85aa1e6aa5c9c4570

BazaLoader

f2caffa263687a0901d68e143af25169d67bac91489d6b62faa2727ed5bb49fe

BazaLoader

+ 20 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

10/10

Tags:

suricata

Link:

https://tria.ge/reports/210731-773a5vj78a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Blocklisted process makes network request

Suspicious use of NtCreateUserProcessOtherParentProcess

suricata: ET MALWARE BazaLoader Activity (GET)

suricata: ET MALWARE Observed Malicious SSL Cert (BazaLoader CnC)

suricata: ET MALWARE Observed Malicious SSL Cert (Bazar Backdoor)

Unpacked files

SH256 hash:

dbcc44b0fc980a62f0d950b32634d5d2d03785a0e7b7659cc3f2bf220d6c3f10

MD5 hash:

6ccf11aecc3b829698cdf1972f5d8732

SHA1 hash:

983f34b013186bdb199692022f5f1b84db37765e

Link:

https://www.unpac.me/results/4a5bc32a-9bab-4e1d-b269-558b603ec801/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.30

Link:

https://yomi.yoroi.company/submissions/dbcc44b0fc980a62f0d950b32634d5d2d03785a0e7b7659cc3f2bf220d6c3f10

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	GoBinTest Create hunting rule

Rule name:	GoBinTest Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	golang Create hunting rule

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/175412/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample