MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f29dbde41d19fa55ca3cd077df6833441aca6df5f1cfccbca9ed9554214263da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f29dbde41d19fa55ca3cd077df6833441aca6df5f1cfccbca9ed9554214263da
SHA3-384 hash: d84d14c619f0e5f36c2aafaac0d4d83f8a0fa578d2b0c5fb29b49deb6f0ff80fafe735fe3326d68e1d641fd54df21281
SHA1 hash: c79de0a2ecb71ef8eb029d321da8347313a7b37f
MD5 hash: 787d4d0708ef2412f504067f92102d80
humanhash: nitrogen-monkey-apart-hotel
File name:0x00020000000155fc-286.dll
Download: download sample
Signature BazaLoader
Create hunting rule
File size:349'322 bytes
First seen:2021-10-21 14:32:13 UTC
Last seen:2021-10-21 14:39:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8fc81352ac718681e376edb5b78a04b3 (5 x BazaLoader)
ssdeep 6144:u55lc2c9mVV7pM3RRVru0hoy4Ip9b/mOawHSjQJ:u555c9A2DVru0hoy3p9SVjM
Threatray 56 similar samples on MalwareBazaar
TLSH T1EF746CA1A5D13990E9C2D87E861BB372EA4B54332FA1E0C271A70BD3452F4D5DF52E23
Reporter pr0xylife
Tags:BazaLoader exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/199117/
Detection(s):
SecuriteInfo.com.Suspicious.Win32.Save.a.9690.6713.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Connection attempt
Sending a custom TCP request
DNS request
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
overlay
Link:
https://www.filescan.io/uploads/61717a1fdb358dd15ece7ecf/reports/008a4e2c-8037-4887-a519-a8ba73ec4cb4/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Suspicious
Link:
https://analyze.intezer.com/analyses/63171a19-5cd0-450c-86b7-d789d9f1f413
Result
Threat name:
Bazar Loader
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
76 / 100
Link:
https://www.joesandbox.com/analysis/874665
Signature
Allocates memory in foreign processes
Detected Bazar Loader
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 507096 Sample: 0x00020000000155fc-286.dll Startdate: 21/10/2021 Architecture: WINDOWS Score: 76 34 Detected Bazar Loader 2->34 36 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->36 7 loaddll64.exe 1 2->7         started        process3 process4 9 regsvr32.exe 13 7->9         started        13 iexplore.exe 1 73 7->13         started        15 cmd.exe 1 7->15         started        17 rundll32.exe 7->17         started        dnsIp5 32 46.101.144.128, 443, 49782 DIGITALOCEAN-ASNUS Netherlands 9->32 38 System process connects to network (likely due to code injection or exploit) 9->38 40 Writes to foreign memory regions 9->40 42 Allocates memory in foreign processes 9->42 44 2 other signatures 9->44 19 chrome.exe 1 9->19         started        21 iexplore.exe 2 148 13->21         started        24 rundll32.exe 15->24         started        signatures6 process7 dnsIp8 26 dart.l.doubleclick.net 172.217.168.38, 443, 49835, 49836 GOOGLEUS United States 21->26 28 geolocation.onetrust.com 104.20.185.68, 443, 49800, 49801 CLOUDFLARENETUS United States 21->28 30 10 other IPs or domains 21->30
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f29dbde41d19fa55ca3cd077df6833441aca6df5f1cfccbca9ed9554214263da/
Threat name:
Win64.Trojan.AgentAGen
Create hunting rule
Status:
Malicious
First seen:
2021-10-21 14:33:05 UTC
AV detection:
12 of 28 (42.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6ko33za5dh5flsr42b3562btiqnmu3pv6hh4zpfj5wkviikcmpna._file
Verdict:
malicious
Similar samples:
081409dbf0464baad30442d3f8cea67c885e15e438b0f6dbf9c64da67620eaa1
BazaLoader
1298c6133f76de5491828ab2eac13325c21249a1329c971f6b60e7ed85827280
BazaLoader
4374f12287c158cc6e9421640b459455307e471711cc41f5666a1cbc553a3eb3
BazaLoader
7fbde30e24755e328101e5705cfd1673dc8653ec17fe23fbbccb21b2accc66bd
BazaLoader
bf58ef24dd79c02522163be7d8e523cecb2be8daf30e98fd6673d583cbc9e74b
BazaLoader
e31898f207733cf33a6f951d8337d6cd303334a9df95956686657e3f13436ae8
BazaLoader
e36d3891436038b678aae50859a8bca3c50989deea07b8776c3927e76ad57c1d
BazaLoader
e9343b4e22db0f869c9af10a6e3ae35a1d84f9da8546d4973990f4828a3fd583
BazaLoader
+ 46 additional samples on MalwareBazaar
Result
Malware family:
bazarloader
Create hunting rule
Score:
  10/10
Tags:
family:bazarloader dropper loader
Link:
https://tria.ge/reports/211021-rwvlsaadh4/
Behaviour
Bazar/Team9 Loader payload
Bazar Loader
Unpacked files
SH256 hash:
f29dbde41d19fa55ca3cd077df6833441aca6df5f1cfccbca9ed9554214263da
MD5 hash:
787d4d0708ef2412f504067f92102d80
SHA1 hash:
c79de0a2ecb71ef8eb029d321da8347313a7b37f
Link:
https://www.unpac.me/results/f3add16a-8779-4e36-bd24-c24703911566/
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/f29dbde41d19/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f29dbde41d19fa55ca3cd077df6833441aca6df5f1cfccbca9ed9554214263da

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/199117/

Comments