MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9343b4e22db0f869c9af10a6e3ae35a1d84f9da8546d4973990f4828a3fd583. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BazaLoader


Vendor detections: 7



SHA256 hash: e9343b4e22db0f869c9af10a6e3ae35a1d84f9da8546d4973990f4828a3fd583
SHA3-384 hash: c28b6f7f67c8b1c28d7501ac377fd8a6f13a202cc14f50271ae24ea36cf2b82ff48250cccba41c435a77ed844b239e32
SHA1 hash: ddfc14012dac8f6f9a18568dec1919a08e340244
MD5 hash: 96cb4789433cb73cc65067b1d1f90082
humanhash: table-bacon-edward-eighteen
File name: 1.dll
Download: download sample
Signature: BazaLoader
File size: 770'560 bytes
First seen: 2021-10-06 04:31:54 UTC
Last seen: 2021-10-06 05:43:30 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: d73ee78273c4dc1a53ba59f2155a22b4 (1 x BazaLoader)
ssdeep: 12288:MPv6K2ccb2rKOAOqHElgKRRNCL2rn65hY4J7YEP:A2cAsKxagKvNqQn65247Y
Threatray: 25 similar samples on MalwareBazaar
TLSH: T146F43706BBD12D9FC4158639809707727732FC195717BBAB0254703AEE6F7D21E2A2E8
Reporter: Rony
Tags: BazaLoader BazarLoader exe

Intelligence


File Origin
# of uploads: 3
# of downloads: 167
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Documents-report-009.iso
Verdict: No threats detected
Analysis date: 2021-10-06 14:20:17 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Clean
Maliciousness: n/a
Behaviour
Creating a file in the system32 subdirectories
Creating a file

Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: anti-debug greyware

Result
Threat name: Bazar Loader
Detection: malicious
Classification: spyw.evad
Score: 88 / 100
Signature
Allocates memory in foreign processes
Contain functionality to detect virtual machines
Detected Bazar Loader
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Behaviour
Behavior Graph: [graph image not reproduced] Behavior Graph ID 497647, sample 1.dll, start date 06/10/2021, architecture WINDOWS, score 88. Process chain: loaddll64.exe starts rundll32.exe, cmd.exe (which starts rundll32.exe) and 6 other processes; rundll32.exe starts chrome.exe. Network contacts: 104.248.16.136:443 and 164.90.223.1:443 (DIGITALOCEAN-ASN, United States). Graph signatures: Multi AV Scanner detection for submitted file; Detected Bazar Loader; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); System process connects to network (likely due to code injection or exploit); Contain functionality to detect virtual machines; Writes to foreign memory regions; 3 other signatures.
Threat name: Win64.Trojan.Sabsik
Status: Malicious
First seen: 2021-10-06 04:23:36 UTC
AV detection: 9 of 45 (20.00%)
Threat level: 5/5

Result
Malware family: bazarloader
Score: 10/10
Tags: family:bazarloader dropper loader suricata
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Blocklisted process makes network request
Bazar/Team9 Loader payload
Bazar Loader
Suspicious use of NtCreateUserProcessOtherParentProcess
suricata: ET MALWARE BazaLoader Activity (GET)
Unpacked files
SHA256 hash: e9343b4e22db0f869c9af10a6e3ae35a1d84f9da8546d4973990f4828a3fd583
MD5 hash: 96cb4789433cb73cc65067b1d1f90082
SHA1 hash: ddfc14012dac8f6f9a18568dec1919a08e340244
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments