MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f3f7756ced61f3872f07dd25b68f1824d8797730757a9a80bdbbe6522725a2de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BazaLoader

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	f3f7756ced61f3872f07dd25b68f1824d8797730757a9a80bdbbe6522725a2de
SHA3-384 hash:	8a56d7434fc90a986f38f7db0b56dab0bc160adaa4dc8c7a71473b850a90ded27a6efd649542d9e616ba34d9669a04e2
SHA1 hash:	0b87f6aac3b24dad66564f321081036f84db0c65
MD5 hash:	5454aed5b071eae739aca427a124b8e8
humanhash:	uncle-stream-whiskey-social
File name:	Report-Review20-10.exe
Download:	download sample
Signature	BazaLoader Create hunting rule
File size:	15'906'456 bytes
First seen:	2020-10-20 18:13:33 UTC
Last seen:	2020-10-20 18:59:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	d3a2afb703bdefc4273681ac10f9f607 (9 x BazaLoader)
ssdeep	393216:Ekkqt/8vHxlVvNJbYmb126bbQlv7gSREXQL+e5sOP:h0RlXJ0mb3Q2X+
Threatray	203 similar samples on MalwareBazaar
TLSH	15F6BE4277D68909E0A61730DDB382B81677BD519D35870F328CBA1EAFF36815C66B23
Reporter	BFcerdo
Tags:	BazaLoader NOSOV SP Z O O signed

Intelligence

File Origin

# of uploads :

2

# of downloads :

94

Origin country :

n/a

Vendor Threat Intelligence

Detection:

BazaLoader

Link:

https://www.capesandbox.com/analysis/73607/

Detection(s):

SecuriteInfo.com.BackDoor.Bazar.19.1425.10876.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Transferring files using the Background Intelligent Transfer Service (BITS)

DNS request

Launching cmd.exe command interpreter

Sending a TCP request to an infection source

Unauthorized injection to a system process

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

72 / 100

Link:

https://www.joesandbox.com/analysis/498615

Signature

Allocates memory in foreign processes

Hijacks the control flow in another process

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Injects a PE file into a foreign processes

Modifies the context of a thread in another process (thread injection)

Sample uses process hollowing technique

Writes to foreign memory regions

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f3f7756ced61f3872f07dd25b68f1824d8797730757a9a80bdbbe6522725a2de/

Threat name:

Win64.Trojan.Bazaloader

Status:

Malicious

First seen:

2020-10-20 18:15:06 UTC

AV detection:

23 of 27 (85.19%)

Threat level:

5/5

Verdict:

malicious

Similar samples:

0d468fc1b02bbc7c3050c67e0a80b580c69abd8eea5f8dad06c7d7ff396f7789

1b7a277e3aa02c66b4a1da64cc2be281102decb97ff841d62c02e9fc1ade361f

3b04e7f31c8ec3bd466ce5910277f241a6b3e7bf9d70a5fd41d7922601cc06ba

665fdcff6c010772cfa701050b2bc5c7b008a0e8a73fa3c59e1dde546b78003b

690ff4ee36a9ee03248ce8e45a605e718eb48778ffbce1b48f9a5522175ba611

c1a8d92dd4d6a2e51be9be6957c6d0398bef80a667c879c365c622033ea7a8a5

c81fe7326d72e662a185c7bccb19bd31481ffdf53ef0fb1019027d9d16e5a9d9

d3f27f0ba1900e461e292bf8f62028b60cac902ef71cbe455115d008c0ed27c6

f471cbd53a52d27053c33c4fd18fe2305f94f947d8cc2275c3506fe74c2f11f5

f8d69d5df025089474bfef71b5fb42c0e11bfcbb1d2dd915c474b11b74c0504b

+ 193 additional samples on MalwareBazaar

Result

Malware family:

bazarbackdoor

Score:

10/10

Tags:

backdoor family:bazarbackdoor

Link:

https://tria.ge/reports/201020-e3rmtvhkd2/

Behaviour

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Blacklisted process makes network request

BazarBackdoor

Unpacked files

SH256 hash:

f3f7756ced61f3872f07dd25b68f1824d8797730757a9a80bdbbe6522725a2de

MD5 hash:

5454aed5b071eae739aca427a124b8e8

SHA1 hash:

0b87f6aac3b24dad66564f321081036f84db0c65

Link:

https://www.unpac.me/results/cf8d986f-b4c2-4d84-a246-f0dfcc3ecf0e/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Bazar

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f3f7756ced61f3872f07dd25b68f1824d8797730757a9a80bdbbe6522725a2de

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

Cape

https://www.capesandbox.com/analysis/73607/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample