MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd001fb71e9faa68c6e53162ed0554fd6f16a0e381aa280cea397b3d74bb62eb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd001fb71e9faa68c6e53162ed0554fd6f16a0e381aa280cea397b3d74bb62eb
SHA3-384 hash: 8452e05fa69bf81ebfe7d31a8cb69852ecd733f27fbdb32f9868338083ce8b7194509b72bf7d8fece8e24f090c044210
SHA1 hash: 032747a1658fea7f8d624c11ae965f3218f96909
MD5 hash: ea3612919bf05b66e9a608bee742a422
humanhash: black-delaware-double-stairway
File name:ea3612919bf05b66e9a608bee742a422.dll
Download: download sample
Signature BazaLoader
Create hunting rule
File size:156'672 bytes
First seen:2021-07-19 06:27:59 UTC
Last seen:2021-07-19 07:40:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
ssdeep 3072:z3t152lkhgRRfIrJ1OrEbr1OmtC2aRzQc+MrxOf3mECQgV1hzoWhHl/5hH8JUR:TkehAI9YrEP1OP2aREMrVHQEHzl/HH8e
Threatray 51 similar samples on MalwareBazaar
TLSH T196E36BAAA8450134DFFE47F48C766DDEF67462AA3B00350E523DB9F41A2277EE806512
Reporter abuse_ch
Tags:BazaLoader dll exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
147
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/172483/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.37242756.952.11101.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9888af0c-98f8-40d4-8d7d-afc371e76ac5
Result
Threat name:
Bazar Loader
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/818072
Signature
Allocates memory in foreign processes
Detected Bazar Loader
Injects a PE file into a foreign processes
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sets debug register (to hijack the execution of another thread)
Sigma detected: CobaltStrike Load by Rundll32
Sigma detected: Suspicious Svchost Process
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 450484 Sample: OV5W3mvQZ0.dll Startdate: 19/07/2021 Architecture: WINDOWS Score: 100 31 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->31 33 Multi AV Scanner detection for submitted file 2->33 35 Detected Bazar Loader 2->35 37 2 other signatures 2->37 8 loaddll64.exe 1 2->8         started        10 rundll32.exe 2->10         started        process3 process4 12 cmd.exe 1 8->12         started        14 rundll32.exe 8->14         started        16 rundll32.exe 8->16         started        process5 18 rundll32.exe 14 12->18         started        dnsIp6 25 35.165.197.209, 443, 49690 AMAZON-02US United States 18->25 27 192.168.2.1 unknown unknown 18->27 39 System process connects to network (likely due to code injection or exploit) 18->39 41 Sets debug register (to hijack the execution of another thread) 18->41 43 Writes to foreign memory regions 18->43 45 3 other signatures 18->45 22 svchost.exe 13 18->22         started        signatures7 process8 dnsIp9 29 3.101.57.185, 443, 49698, 49699 AMAZON-02US United States 22->29
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fd001fb71e9faa68c6e53162ed0554fd6f16a0e381aa280cea397b3d74bb62eb/
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7uab7ny6t6vgrrxfgfro2bku7vxrnihdqgvcqdhkhf5t25f3mlvq._file
Verdict:
suspicious
Similar samples:
2526d899c4401d93b6ddba11e67e7539a9422f929605f578549a42a162303748
BazaLoader
2596ad5fce328fb8b5211941a28d8a7b9f3723dead923b7dfcde21154356f141
BazaLoader
665d2cbbe026c961b1506f5d45205959c817c7b69af4106a40e74186cee6eb94
BazaLoader
842e396f05d590ec88da30e6180dfb29a7aec16e3ef5b49398fde8b79e4090bd
BazaLoader
86d2aa04988befc74eccca5d99550f67093969b31aafa11cdce3476a4c59ba74
BazaLoader
8c281412e64050c64d1e734d844ecc6a94e7187378365d5d9ade89e67871d20e
BazaLoader
943017c3097455cb8b4659412783705b4815c7b6d68b0809ff74a44bad8beb04
BazaLoader
a00ea79b060c85b5a90fb7410c2ff5be7199100d2a16c80f1be0bf4c65b74ba9
BazaLoader
d4f8894bcfb45d9c5185af6978aa7340bdc3373833ff88fc8f2c46364650cc4f
BazaLoader
+ 41 additional samples on MalwareBazaar
Result
Malware family:
bazarloader
Create hunting rule
Score:
  10/10
Tags:
family:bazarbackdoor family:bazarloader backdoor dropper loader
Link:
https://tria.ge/reports/210719-9gpfxlye2x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Blocklisted process makes network request
Bazar/Team9 Backdoor payload
Bazar/Team9 Loader payload
BazarBackdoor
Bazar Loader
Unpacked files
SH256 hash:
fd001fb71e9faa68c6e53162ed0554fd6f16a0e381aa280cea397b3d74bb62eb
MD5 hash:
ea3612919bf05b66e9a608bee742a422
SHA1 hash:
032747a1658fea7f8d624c11ae965f3218f96909
Link:
https://www.unpac.me/results/f927bb5d-4bde-44e5-b580-cb3132f75019/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
BazarBackdoor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fd001fb71e9faa68c6e53162ed0554fd6f16a0e381aa280cea397b3d74bb62eb

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/172483/

Comments