MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e36d3891436038b678aae50859a8bca3c50989deea07b8776c3927e76ad57c1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e36d3891436038b678aae50859a8bca3c50989deea07b8776c3927e76ad57c1d
SHA3-384 hash: 8fda163c614c00753658f0b10dc5d8ccf080a1e2a7282c59b07633efbe01ffbb98d8da9b5277e025731e99277cd58f05
SHA1 hash: a134fcd514bb5cfbe9e98b9cfe28f3e02b9a28cf
MD5 hash: f20af1991721941a6712a07cfb2a81be
humanhash: mike-speaker-river-football
File name:1.dll
Download: download sample
Signature BazaLoader
Create hunting rule
File size:548'864 bytes
First seen:2021-10-14 07:39:22 UTC
Last seen:2021-10-14 08:51:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bb371708c55cf92a872421fa64c41b03 (3 x BazaLoader, 1 x IcedID)
ssdeep 12288:FRFZrKEx0B559K5mYneuZ3ot3Ufc1zg6o1HZmfFd:FHZFK3K5mYneuZ3Mv1zg6o1HEtd
Threatray 36 similar samples on MalwareBazaar
TLSH T1E4C49E55FFA408A5E076C13C89778545E2727C9A1B60CADF2365432E1F77BE08A3EB21
Reporter ankit_anubhav
Tags:BazaLoader BazarLoader exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
203
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1.dll
Verdict:
No threats detected
Analysis date:
2021-10-14 07:42:00 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/13ec2d38-7f90-45fd-bec3-7a0125e0fea4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/197440/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37778003.24978.15479.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the system32 subdirectories
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
67%
Tags:
greyware packed
Link:
https://www.filescan.io/uploads/6167dedafd35fe780c3f6854/reports/036997e6-f746-4ab2-bf51-fb5929dfa163/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/c70561e6-1645-4c03-8399-6c417c23749d
Result
Threat name:
Bazar Loader
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/870255
Signature
Allocates memory in foreign processes
Detected Bazar Loader
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 502683 Sample: 1.dll Startdate: 14/10/2021 Architecture: WINDOWS Score: 84 29 Multi AV Scanner detection for submitted file 2->29 31 Detected Bazar Loader 2->31 33 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->33 7 loaddll64.exe 1 2->7         started        9 rundll32.exe 2->9         started        process3 process4 11 rundll32.exe 14 7->11         started        15 cmd.exe 1 7->15         started        17 rundll32.exe 7->17         started        19 6 other processes 7->19 dnsIp5 25 164.90.229.166, 443, 49752 DIGITALOCEAN-ASNUS United States 11->25 27 164.90.229.209, 443, 49751 DIGITALOCEAN-ASNUS United States 11->27 35 System process connects to network (likely due to code injection or exploit) 11->35 37 Writes to foreign memory regions 11->37 39 Allocates memory in foreign processes 11->39 41 2 other signatures 11->41 21 chrome.exe 1 11->21         started        23 rundll32.exe 15->23         started        signatures6 process7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e36d3891436038b678aae50859a8bca3c50989deea07b8776c3927e76ad57c1d/
Threat name:
Win64.Backdoor.CobaltStrike
Create hunting rule
Status:
Malicious
First seen:
2021-10-12 10:34:07 UTC
AV detection:
10 of 27 (37.04%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
081409dbf0464baad30442d3f8cea67c885e15e438b0f6dbf9c64da67620eaa1
BazaLoader
1298c6133f76de5491828ab2eac13325c21249a1329c971f6b60e7ed85827280
BazaLoader
37065b2a4cdaec2b1a260b39738746cb45895bd6d508e7aa5e4013e94abc6196
BazaLoader
5e1f7246b57c5a54c246d40ba8adcdd2fdff29b8760c7dc7ca5893b4764e6949
BazaLoader
a314401b8e12130bea249a3734022a8ebd46b8e65b18535db60944a00e84e6f6
BazaLoader
bf58ef24dd79c02522163be7d8e523cecb2be8daf30e98fd6673d583cbc9e74b
BazaLoader
dbcc44b0fc980a62f0d950b32634d5d2d03785a0e7b7659cc3f2bf220d6c3f10
BazaLoader
e31898f207733cf33a6f951d8337d6cd303334a9df95956686657e3f13436ae8
BazaLoader
e9343b4e22db0f869c9af10a6e3ae35a1d84f9da8546d4973990f4828a3fd583
BazaLoader
+ 26 additional samples on MalwareBazaar
Result
Malware family:
bazarloader
Create hunting rule
Score:
  10/10
Tags:
family:bazarloader dropper loader
Link:
https://tria.ge/reports/211014-jhk67agfa8/
Behaviour
Blocklisted process makes network request
Bazar/Team9 Loader payload
Bazar Loader
Unpacked files
SH256 hash:
e36d3891436038b678aae50859a8bca3c50989deea07b8776c3927e76ad57c1d
MD5 hash:
f20af1991721941a6712a07cfb2a81be
SHA1 hash:
a134fcd514bb5cfbe9e98b9cfe28f3e02b9a28cf
Link:
https://www.unpac.me/results/970eaef7-ac1b-4550-bc82-09c42a8c5692/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/e36d38914360/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e36d3891436038b678aae50859a8bca3c50989deea07b8776c3927e76ad57c1d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/197440/

Comments