MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0f17791fd8bb76772cfaeb750a7bc21ca160a2c2b24be400103b1c3ee8fdc99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f0f17791fd8bb76772cfaeb750a7bc21ca160a2c2b24be400103b1c3ee8fdc99
SHA3-384 hash: 18915341eedb3b7926569e034b29cc777c80bc9c4a40652062f1c9b63e1d35acbfd5a8d56e608633bf996677eab457b8
SHA1 hash: 07390c9968c4db0143732cc31a1bedfe5ffc9430
MD5 hash: b4f2f9b41550194585a97fec267351ae
humanhash: failed-solar-asparagus-glucose
File name:b4f2f9b41550194585a97fec267351ae.dll
Download: download sample
Signature BazaLoader
Create hunting rule
File size:1'436'169 bytes
First seen:2021-09-28 06:25:16 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 126feacb5b6732ad1a4ed77f47cf4f6d (8 x BazaLoader)
ssdeep 24576:TqSPG9Jg6TYbmGBtf9efojVpVwKYs1tRCS7SPFL3EOGTWqG5QVEzAJ24GOy2ioL7:TyWbmGBtf9efojVpVwKYs1tR/7SPFL3E
Threatray 10 similar samples on MalwareBazaar
TLSH T16965D696EE6351E0F4B7E23186A67627B9713D148334C78783005B171B62FF499BE38A
Reporter abuse_ch
Tags:BazaLoader dll exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
123
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b4f2f9b41550194585a97fec267351ae.dll
Verdict:
No threats detected
Analysis date:
2021-09-28 06:32:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/d6507f00-4945-452a-b1dc-048c4ae09e13

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
Bazar
Create hunting rule
Link:
https://www.capesandbox.com/analysis/192378/
Detection(s):
SecuriteInfo.com.Win64.BazarLoader.AS.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Transferring files using the Background Intelligent Transfer Service (BITS)
Launching a process
Malware family:
BazarBackdoor
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/b0b5dc96-7c1c-47a4-8ce2-99318107f11d
Result
Threat name:
Bazar Loader
Create hunting rule
Detection:
malicious
Classification:
spre.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/859620
Signature
Allocates memory in foreign processes
Detected Bazar Loader
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Performs a network lookup / discovery via net view
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: CobaltStrike Load by Rundll32
Sigma detected: Dridex Process Pattern
Sigma detected: Suspicious Svchost Process
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 492051 Sample: FmtpSM8PqG.dll Startdate: 28/09/2021 Architecture: WINDOWS Score: 100 74 Detected Bazar Loader 2->74 76 Sigma detected: CobaltStrike Load by Rundll32 2->76 78 Sigma detected: Dridex Process Pattern 2->78 80 Sigma detected: Suspicious Svchost Process 2->80 10 loaddll64.exe 1 2->10         started        12 rundll32.exe 2->12         started        14 rundll32.exe 2->14         started        16 rundll32.exe 2->16         started        process3 process4 18 cmd.exe 1 10->18         started        20 rundll32.exe 10->20         started        24 rundll32.exe 14 10->24         started        26 20 other processes 10->26 dnsIp5 28 rundll32.exe 14 18->28         started        50 new-fp-shed.wg1.b.yahoo.com 87.248.100.215, 443, 49870, 49907 YAHOO-IRDGB United Kingdom 20->50 52 www.yahoo.com 20->52 82 System process connects to network (likely due to code injection or exploit) 20->82 84 Allocates memory in foreign processes 20->84 86 Modifies the context of a thread in another process (thread injection) 20->86 32 svchost.exe 20->32         started        88 Sample uses process hollowing technique 24->88 90 Injects a PE file into a foreign processes 24->90 34 svchost.exe 24->34         started        54 192.168.2.1 unknown unknown 26->54 36 iexplore.exe 5 147 26->36         started        signatures6 process7 dnsIp8 62 161.35.19.83, 443, 49841, 49855 DIGITALOCEAN-ASNUS United States 28->62 64 www-amazon-com.customer.fastly.net 162.219.225.118, 443, 49846, 49894 ALLO-COMMUS United States 28->64 70 2 other IPs or domains 28->70 100 System process connects to network (likely due to code injection or exploit) 28->100 102 Writes to foreign memory regions 28->102 104 Allocates memory in foreign processes 28->104 106 3 other signatures 28->106 38 svchost.exe 28->38         started        66 tls13.taboola.map.fastly.net 151.101.1.44, 443, 49818, 49819 FASTLYUS United States 36->66 68 geolocation.onetrust.com 104.20.184.68, 443, 49771, 49772 CLOUDFLARENETUS United States 36->68 72 9 other IPs or domains 36->72 signatures9 process10 dnsIp11 56 www.google.com 142.250.185.196, 443, 49903, 49904 GOOGLEUS United States 38->56 58 myexternalip.com 34.117.59.81, 443, 49916 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 38->58 60 6 other IPs or domains 38->60 92 System process connects to network (likely due to code injection or exploit) 38->92 94 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 38->94 96 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 38->96 98 Performs a network lookup / discovery via net view 38->98 42 net.exe 38->42         started        44 net.exe 38->44         started        signatures12 process13 process14 46 conhost.exe 42->46         started        48 conhost.exe 44->48         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f0f17791fd8bb76772cfaeb750a7bc21ca160a2c2b24be400103b1c3ee8fdc99/
Verdict:
suspicious
Similar samples:
01563f8120225436d86eb915c4ccdf97a78fda65c4b3fa613a30e3faf0f35840
BazaLoader
0ade5a6d2fbbec04e69053d50ca34587f413fd28ddd8ccec490b3d0196db135e
BazaLoader
1d08bcc9e5ed8f7bbc161f81790198f8100e9a34952ccf4227f2625c6a15f445
BazaLoader
8b971c2c4c9a020eb274c36db20bc0e1b203a7909d63f48f99bef5594110929f
BazaLoader
976328794f9114fe51c80ce0f05e4a35a94802c2fd99f3eb3c8bdeccbff5adb7
BazaLoader
9dcbcfbebaa313cfef45601dae08a0406edd349fd9ffefee1a5fe8e0b673c4d9
BazaLoader
af98c1743907c9a1429a6f01446bab875cbd273935b4ecfcd1f1b4db430a8ece
BazaLoader
b3783552bf95bc8b30a28c8d590a5081193fd6a690403dfb400c240237c8c956
BazaLoader
bc0a0ea0c006ac8b53077bd5f2459cf336a0293c19b8e8ff3c3ac0b04e7c6cba
BazaLoader
dcf67fd6bfb62bea66f5e45d871d6c15b0c61d85c5fa9e9ded03e57f83dfc814
BazaLoader
Result
Malware family:
bazarloader
Create hunting rule
Score:
  10/10
Tags:
family:bazarloader dropper loader
Link:
https://tria.ge/reports/210928-g68ahsahdq/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Bazar/Team9 Loader payload
Bazar Loader
Unpacked files
SH256 hash:
f0f17791fd8bb76772cfaeb750a7bc21ca160a2c2b24be400103b1c3ee8fdc99
MD5 hash:
b4f2f9b41550194585a97fec267351ae
SHA1 hash:
07390c9968c4db0143732cc31a1bedfe5ffc9430
Link:
https://www.unpac.me/results/1da714b2-cd8d-40e7-b606-b06225f04d37/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f0f17791fd8b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f0f17791fd8bb76772cfaeb750a7bc21ca160a2c2b24be400103b1c3ee8fdc99

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BazaLoader

Executable exe f0f17791fd8bb76772cfaeb750a7bc21ca160a2c2b24be400103b1c3ee8fdc99

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1646241/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/192378/

Comments