MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f302f4e2e8111dbad2733f243a4deaf593ad03a9480bb8027e3c58d0f02fab7d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f302f4e2e8111dbad2733f243a4deaf593ad03a9480bb8027e3c58d0f02fab7d
SHA3-384 hash: 74e31970db2076d5d30a9dca0dcc6a90904c58cdef8ead2261fe338a01f03657eca3a1ce74e4cca33a2e557310bdf486
SHA1 hash: 70f2cd4867e65ed1797de856a0268bfe64320103
MD5 hash: 4cca9a1ec4b92df89a8bc992a6ba961f
humanhash: river-spring-july-seventeen
File name:terd.exe
Download: download sample
Signature BazaLoader
Create hunting rule
File size:880'640 bytes
First seen:2021-05-06 19:03:50 UTC
Last seen:2021-05-06 19:53:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b0ca5ee362d641505f62bc8a70082b68 (1 x BazaLoader)
ssdeep 12288:U3hKnzHuk5dtUgD/wH9ycG4SXOx+zJYl4/TN+ttQh:UxKnzOk5dtUgD/wH9yc6clSoC
Threatray 123 similar samples on MalwareBazaar
TLSH B3153D2965298189E4C254BC28D25BED93B737B240B921EFF3D8D5F48B16DB10E2E374
Reporter JAMESWT_WT
Tags:BazaLoader BazarLoader

Intelligence

File Origin
# of uploads :
2
# of downloads :
158
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/151878/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.20056.9797.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Bazar Loader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/714629
Signature
Allocates memory in foreign processes
Contains functionality to compare user and computer (likely to detect sandboxes)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Writes to foreign memory regions
Yara detected Bazar Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 406245 Sample: terd.exe Startdate: 06/05/2021 Architecture: WINDOWS Score: 92 28 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->28 30 Multi AV Scanner detection for submitted file 2->30 32 Yara detected Bazar Loader 2->32 34 2 other signatures 2->34 6 terd.exe 27 2->6         started        10 terd.exe 9 2->10         started        12 terd.exe 9 2->12         started        14 terd.exe 9 2->14         started        process3 dnsIp4 24 18.237.242.195, 443, 49713, 49728 AMAZON-02US United States 6->24 36 Writes to foreign memory regions 6->36 38 Allocates memory in foreign processes 6->38 40 Modifies the context of a thread in another process (thread injection) 6->40 42 Contains functionality to compare user and computer (likely to detect sandboxes) 6->42 16 svchost.exe 6->16         started        26 34.215.31.225, 443, 49730 AMAZON-02US United States 10->26 44 Injects a PE file into a foreign processes 10->44 18 svchost.exe 10->18         started        20 svchost.exe 12->20         started        22 svchost.exe 14->22         started        signatures5 process6
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f302f4e2e8111dbad2733f243a4deaf593ad03a9480bb8027e3c58d0f02fab7d/
Verdict:
malicious
Similar samples:
093f2b5a9d4628d9331751d7e6d3582cf097ab3f4091463ec895052dee8d22c3
BazaLoader
5b05cae0880543c3adc28a2d5a45af4931de6d2b4197d2d3c26e4471dd4cf2a8
BazaLoader
7853a7780ad43f72a514ed0ad5a1f8f53f9d3470bbdb396a243091017002d84a
BazaLoader
799016c221ca00a1888ac6db3dbbc9e81f53870e3ce154e0e4020009da1fc0a6
BazaLoader
7b86d02140dd6e4b537d1ca6a7a7ec8df70caaece6db092b13da58633f055f9d
BazaLoader
85ef348d39610c1d5f58e2524c0e929ec815a9fbe1f5924cdef7a0c05e58e5ad
BazaLoader
9663dc275239aa93ceccedae7a0d54e10def18dd177d231264a323a4175a23d4
BazaLoader
a8f0170ad5e5cdb0533ea888b0dbc97bc4bd23c9a0531e5e4b7cd1f05fa0875d
BazaLoader
c6964b25bb2cb50f34145266c6143c96c530690274270058551e67ab5676e9b6
BazaLoader
dfd5e26b62d9731d93b2ce8ec87bbf70fd63e4cd4e04d44dad3d82ca2f5e90fa
BazaLoader
+ 113 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210506-rfbqgebrpa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
f302f4e2e8111dbad2733f243a4deaf593ad03a9480bb8027e3c58d0f02fab7d
MD5 hash:
4cca9a1ec4b92df89a8bc992a6ba961f
SHA1 hash:
70f2cd4867e65ed1797de856a0268bfe64320103
Link:
https://www.unpac.me/results/8190223e-84d9-4b11-9162-c52dc4c5feb2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f302f4e2e8111dbad2733f243a4deaf593ad03a9480bb8027e3c58d0f02fab7d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:SUSP_XORed_URL_in_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an XORed URL in an executable
Reference:https://twitter.com/stvemillertime/status/1237035794973560834

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BazaLoader

Executable exe f302f4e2e8111dbad2733f243a4deaf593ad03a9480bb8027e3c58d0f02fab7d

(this sample)

  
X
https://twitter.com/Mesiagh/status/1390375986215079937?s=20
Cape
Cape
https://www.capesandbox.com/analysis/151878/
  
URLhaus
https://urlhaus.abuse.ch/url/1201422/
  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1201453/
  
URLhaus
https://urlhaus.abuse.ch/url/1201454/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-06 20:06:01 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [C0032.002] Data Micro-objective::Luhn::Checksum
1) [C0047] File System Micro-objective::Delete File