MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dcf67fd6bfb62bea66f5e45d871d6c15b0c61d85c5fa9e9ded03e57f83dfc814. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dcf67fd6bfb62bea66f5e45d871d6c15b0c61d85c5fa9e9ded03e57f83dfc814
SHA3-384 hash: 5b373e67d8ea94e785cdbb8e2102f09ab72df060c4b23936c10a01bb1c4abd10d08f8c708469629d0fac4caa4b500f1c
SHA1 hash: 22cc0616f1603ec30e65dfc000835a91f1f7ffc0
MD5 hash: 51fb9bbecf3080de168d8c98a3ea0ada
humanhash: football-sixteen-spring-white
File name:motHf.dat
Download: download sample
Signature BazaLoader
Create hunting rule
File size:203'281 bytes
First seen:2021-09-07 23:32:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5bf513a50d836eccd077f47601fe8599 (1 x BazaLoader)
ssdeep 6144:4NZlrPznJDDOCNAbDuogcCeydYtsnOpSIYA1Tsi3JGVHvuHvHDHT:kZlrPznJDDOCNAbDqc6dRO8rA1gkJ8Hm
Threatray 3 similar samples on MalwareBazaar
TLSH T1CC145C7212842BD3F0C1EDFF5BC5B3A25097C5F24E79C280B6AA5BEB42390955636B13
Reporter malware_traffic
Tags:BazaLoader BazarLoader dll


Avatar
malware_traffic
Run method: rundll32.exe [filename],StartW

Intelligence

File Origin
# of uploads :
1
# of downloads :
164
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
motHf.dat
Verdict:
No threats detected
Analysis date:
2021-09-07 22:47:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9592bd14-2946-4516-adca-c1f24243263e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/186135/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Transferring files using the Background Intelligent Transfer Service (BITS)
Connection attempt
Launching a process
Sending a UDP request
Malware family:
BazarBackdoor
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/a92e9141-1c14-415d-a40b-6ec401a18fe3
Result
Threat name:
Bazar Loader
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/846969
Signature
Allocates memory in foreign processes
Detected Bazar Loader
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: CobaltStrike Load by Rundll32
Sigma detected: Regsvr32 Command Line Without DLL
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 479400 Sample: motHf.dat Startdate: 08/09/2021 Architecture: WINDOWS Score: 92 43 Detected Bazar Loader 2->43 45 Sigma detected: CobaltStrike Load by Rundll32 2->45 47 Sigma detected: Suspicious Svchost Process 2->47 49 Sigma detected: Regsvr32 Command Line Without DLL 2->49 7 loaddll64.exe 1 2->7         started        9 rundll32.exe 2->9         started        process3 process4 11 regsvr32.exe 14 7->11         started        15 iexplore.exe 1 73 7->15         started        17 cmd.exe 1 7->17         started        19 7 other processes 7->19 dnsIp5 41 194.15.113.160, 443, 49777, 49794 INTERNATIONAL-HOSTING-SOLUTIONS-ASEUDCrouteGB Ukraine 11->41 55 System process connects to network (likely due to code injection or exploit) 11->55 57 Writes to foreign memory regions 11->57 59 Allocates memory in foreign processes 11->59 61 3 other signatures 11->61 21 svchost.exe 11->21         started        25 iexplore.exe 2 145 15->25         started        27 rundll32.exe 17->27         started        signatures6 process7 dnsIp8 29 whitestorm9p.bazar 21->29 31 tonuidem.bazar 21->31 37 17 other IPs or domains 21->37 51 System process connects to network (likely due to code injection or exploit) 21->51 53 Detected Bazar Loader 21->53 33 edge.gycpi.b.yahoodns.net 87.248.118.22, 443, 49757, 49758 YAHOO-DEBDE United Kingdom 25->33 35 dart.l.doubleclick.net 142.250.102.148, 443, 49744, 49745 GOOGLEUS United States 25->35 39 14 other IPs or domains 25->39 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/dcf67fd6bfb62bea66f5e45d871d6c15b0c61d85c5fa9e9ded03e57f83dfc814/
Threat name:
Win64.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2021-09-07 23:33:07 UTC
AV detection:
5 of 46 (10.87%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3t3h7vv7wyv6uzxv4royohlmcwymmhmfyx5j5hpnapsx7a67zaka._file
Verdict:
unknown
Similar samples:
020cdb33c05b46de2b27327759b0c02a8c0f3790f7c483bb9e4965cabe8a09c6
BazaLoader
f796ca1010553654951b4ae4ca8ea20d473a6c272e635dc0904f0d3761f250d5
BazaLoader
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210907-3jvlssgfbj/
Unpacked files
SH256 hash:
dcf67fd6bfb62bea66f5e45d871d6c15b0c61d85c5fa9e9ded03e57f83dfc814
MD5 hash:
51fb9bbecf3080de168d8c98a3ea0ada
SHA1 hash:
22cc0616f1603ec30e65dfc000835a91f1f7ffc0
Link:
https://www.unpac.me/results/7d611ca6-1efc-4b50-b6e9-123d75bb535e/
Malware family:
BazarLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/dcf67fd6bfb6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/dcf67fd6bfb62bea66f5e45d871d6c15b0c61d85c5fa9e9ded03e57f83dfc814

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/186135/

Comments