MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9bff1ac8e6c15dde928e87a8bf733006ca805d42302387b2c24e11e555b7ee6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 10


Intelligence 10 IOCs YARA 1 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9bff1ac8e6c15dde928e87a8bf733006ca805d42302387b2c24e11e555b7ee6
SHA3-384 hash: b6a578f75130461f19f1006648b433659cfc568fb3d4b3be4c23d12312d0a4486bd8dbe2d40d45be55a2dfb0d8e68d13
SHA1 hash: 48f4f5376d0a571784fa03f89015c6a72f74998d
MD5 hash: c108ebdd14a2cf40e64411792987796a
humanhash: delaware-burger-lemon-idaho
File name:c108ebdd14a2cf40e64411792987796a
Download: download sample
Signature BazaLoader
Create hunting rule
File size:4'879'360 bytes
First seen:2022-05-05 06:44:11 UTC
Last seen:2022-05-05 07:43:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 98304:mQi4NSWhwXCzdRTm4OVgThNEUdhgjcAwLgq+a6T8g/Ztr4JIs/:Hi4U+rTmoNEUfWcAZ5TPZtr4WK
Threatray 2'565 similar samples on MalwareBazaar
TLSH T1543633DEB384B1CFCD7B91738A996C78D680A96BA72FD313805317ED4D5C0B6CA09192
TrID 48.7% (.EXE) Win64 Executable (generic) (10523/12/4)
23.3% (.EXE) Win16 NE executable (generic) (5038/12/1)
9.3% (.EXE) OS/2 Executable (generic) (2029/13)
9.2% (.EXE) Generic Win/DOS Executable (2002/3)
9.2% (.EXE) DOS Executable Generic (2000/1)
Reporter zbetcheckin
Tags:BazaLoader exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
322
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
redline
Create hunting rule
ID:
1
File name:
HackLoader.zip
Verdict:
Malicious activity
Analysis date:
2022-05-01 07:40:14 UTC
Tags:
trojan rat redline loader evasion
Link:
https://app.any.run/tasks/b1646a62-5b17-4184-9a6d-dd7826588aea

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/268804/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.25678.14412.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Searching for the window
Running batch commands
Launching a process
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Creating a file
Creating a file in the Windows subdirectories
Sending an HTTP GET request
Creating a file in the system32 subdirectories
Forced system process termination
Creating a file in the %AppData% subdirectories
Searching for synchronization primitives
Reading critical registry keys
Creating a process from a recently created file
Setting browser functions hooks
Possible injection to a system process
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Enabling autorun by creating a file
Using obfuscated Powershell scripts
Unauthorized injection to a browser process
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/627372512b32b1c37c973583/reports/f8314cbf-575d-42d8-a9e4-266c224572e2/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Xmrig
Create hunting rule
Detection:
malicious
Classification:
troj.evad.mine
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/988292
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates a thread in another existing process (thread injection)
Creates files in the system32 config directory
Encrypted powershell cmdline option found
Found stalling execution ending in API Sleep call
Found strings related to Crypto-Mining
Found suspicious powershell code related to unpacking or dynamic code loading
Hooks files or directories query functions (used to hide files and directories)
Hooks processes query functions (used to hide processes)
Hooks registry keys query functions (used to hide registry keys)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Obfuscated command line found
Potential dropper URLs found in powershell memory
Uses nslookup.exe to query domains
Uses schtasks.exe or at.exe to add and modify task schedules
Very long command line found
Writes to foreign memory regions
Yara detected Xmrig cryptocurrency miner
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 620789 Sample: 6CsNh4FRGH Startdate: 05/05/2022 Architecture: WINDOWS Score: 100 74 Malicious sample detected (through community Yara rule) 2->74 76 Antivirus detection for dropped file 2->76 78 Antivirus / Scanner detection for submitted sample 2->78 80 13 other signatures 2->80 9 6CsNh4FRGH.exe 6 2->9         started        13 powershell.exe 2->13         started        15 chrome.exe 2->15         started        17 powershell.exe 21 2->17         started        process3 file4 68 C:\Users\user\AppData\Roaming\...\chrome.exe, PE32+ 9->68 dropped 70 C:\Users\user\...\chrome.exe:Zone.Identifier, ASCII 9->70 dropped 72 C:\Users\user\AppData\...\6CsNh4FRGH.exe.log, ASCII 9->72 dropped 96 Uses nslookup.exe to query domains 9->96 98 Writes to foreign memory regions 9->98 100 Allocates memory in foreign processes 9->100 102 Injects a PE file into a foreign processes 9->102 19 cmd.exe 9->19         started        21 cmd.exe 1 9->21         started        24 cmd.exe 9->24         started        26 nslookup.exe 2 2 9->26         started        104 Creates files in the system32 config directory 13->104 106 Modifies the context of a thread in another process (thread injection) 13->106 108 Found suspicious powershell code related to unpacking or dynamic code loading 13->108 28 dllhost.exe 13->28         started        30 conhost.exe 13->30         started        110 Antivirus detection for dropped file 15->110 112 Multi AV Scanner detection for dropped file 15->112 114 Machine Learning detection for dropped file 15->114 32 cmd.exe 15->32         started        34 conhost.exe 17->34         started        signatures5 process6 signatures7 36 chrome.exe 19->36         started        39 conhost.exe 19->39         started        82 Encrypted powershell cmdline option found 21->82 84 Uses schtasks.exe or at.exe to add and modify task schedules 21->84 41 powershell.exe 19 21->41         started        43 powershell.exe 22 21->43         started        45 conhost.exe 21->45         started        52 2 other processes 24->52 86 Found stalling execution ending in API Sleep call 28->86 88 Writes to foreign memory regions 28->88 90 Creates a thread in another existing process (thread injection) 28->90 92 Injects a PE file into a foreign processes 28->92 54 5 other processes 28->54 47 powershell.exe 32->47         started        50 conhost.exe 32->50         started        process8 file9 66 C:\Users\user\AppData\...\sihost64.exe, PE32+ 36->66 dropped 56 cmd.exe 36->56         started        118 Found suspicious powershell code related to unpacking or dynamic code loading 47->118 signatures10 process11 signatures12 94 Encrypted powershell cmdline option found 56->94 59 powershell.exe 56->59         started        62 powershell.exe 56->62         started        64 conhost.exe 56->64         started        process13 signatures14 116 Found suspicious powershell code related to unpacking or dynamic code loading 59->116
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f9bff1ac8e6c15dde928e87a8bf733006ca805d42302387b2c24e11e555b7ee6/
Threat name:
Win64.Worm.AutoRun
Create hunting rule
Status:
Malicious
First seen:
2022-04-22 15:44:59 UTC
File Type:
PE+ (.Net Exe)
Extracted files:
1
AV detection:
25 of 42 (59.52%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
3a40d13ba6b30c31d8d5380b61806ec76355f4c10a3c242eff71ddc020907be7
BazaLoader
4533be3c5e3a43774233b4c8216cf5723f2968adc86f33a20bc487566bc69375
BazaLoader
596b8d2ea9be082c0eea726b7217597fe293eef85069a8dd03a6024b48c7a199
BazaLoader
8d2d9d8d937c880d75eb1e4a930f273a0b215ba1b15c07c10a7d902f23b0b08a
BazaLoader
90daff6ddaed3c5624b21e62f402c98e46d1fac4839ea42cc85ed7cfb50e95a0
BazaLoader
af5c1edc2e290ba4ecafee0f7f5b02182e5df7672ce8004ba3bafd320f2592f3
BazaLoader
b3af5a1af48b27b5ac7647d5bf81941c9abf6be899372119cb5eb887026e1409
BazaLoader
cc607d75c355df2d67744ef55562438e4e117f03546999c96bc1b455b9bef7aa
BazaLoader
d1d622e31d20a69fc6fea0d98996607f37f6204bb02625bfb329cfdbb8edb6e6
BazaLoader
e6fca45846eca1bcaedded82438aa64968717c4f0dab149c32c5db6d08210f39
BazaLoader
+ 2'555 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
n/a
Link:
https://tria.ge/reports/220505-hh2y9sabcm/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Drops file in System32 directory
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
Suspicious use of NtCreateUserProcessOtherParentProcess
Unpacked files
SH256 hash:
f9bff1ac8e6c15dde928e87a8bf733006ca805d42302387b2c24e11e555b7ee6
MD5 hash:
c108ebdd14a2cf40e64411792987796a
SHA1 hash:
48f4f5376d0a571784fa03f89015c6a72f74998d
Link:
https://www.unpac.me/results/03b9710a-0d4e-4198-99c1-1fb0f0383533/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.51
Link:
https://yomi.yoroi.company/submissions/f9bff1ac8e6c15dde928e87a8bf733006ca805d42302387b2c24e11e555b7ee6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_EXE_Packed_ConfuserEx
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BazaLoader

Executable exe f9bff1ac8e6c15dde928e87a8bf733006ca805d42302387b2c24e11e555b7ee6

(this sample)

  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/268804/
  
URLhaus
https://urlhaus.abuse.ch/url/2179215/

Comments


Avatar
zbet commented on 2022-05-05 06:44:16 UTC

url : hxxp://45.9.20.31/rigx.exe