MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd2f1c48403857b80a466cb30f43a3b49e02cd480ee9cf05f6038d4816e2563b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazaLoader


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd2f1c48403857b80a466cb30f43a3b49e02cd480ee9cf05f6038d4816e2563b
SHA3-384 hash: cf8a5f8e7ca5e6f9a11ff89c655164a3cd15d54d39d03038aaf5ea228aa0b467dc08e01476934bf064192a8cc85989ff
SHA1 hash: 870e42c0b598c056d846e6d012da536cbdd37680
MD5 hash: 89c7feab515bbfec864010c118692b4c
humanhash: bakerloo-six-don-oven
File name:sgRkrN.dat
Download: download sample
Signature BazaLoader
Create hunting rule
File size:337'417 bytes
First seen:2021-10-22 06:30:38 UTC
Last seen:2021-10-22 08:19:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 8fc81352ac718681e376edb5b78a04b3 (5 x BazaLoader)
ssdeep 6144:E9UhcITop4D8ZLhy/9OB6bkRY1Y4DbA0TKO2p/kiT3KQ0pJCpe:E9VcFOobk6YooOc3K3Cpe
Threatray 51 similar samples on MalwareBazaar
TLSH T105745BBE848506A8DFEF0BFC4C752EEDB5AC62833A10641CA53A75D21F2377DE44452A
Reporter StopMalvertisin
Tags:64bit BazaLoader dll exe sliver

Intelligence

File Origin
# of uploads :
2
# of downloads :
171
Origin country :
n/a
Vendor Threat Intelligence
Detection:
BazarV5
Create hunting rule
Link:
https://www.capesandbox.com/analysis/199262/
Detection(s):
SecuriteInfo.com.Artemis89C7FEAB515B.2760.2337.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Link:
https://www.filescan.io/uploads/61725aa8db358dd15ed28d5a/reports/c133abb0-1eef-4056-a8e8-537805223aa4/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/9221b77b-03cd-4b7a-bb85-ede835e6cc68
Result
Threat name:
Bazar Loader
Create hunting rule
Detection:
malicious
Classification:
spyw.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/875205
Signature
Allocates memory in foreign processes
Detected Bazar Loader
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 507636 Sample: sgRkrN.dat Startdate: 22/10/2021 Architecture: WINDOWS Score: 80 44 Multi AV Scanner detection for submitted file 2->44 46 Detected Bazar Loader 2->46 48 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 2->48 9 loaddll64.exe 1 2->9         started        process3 process4 11 regsvr32.exe 18 9->11         started        15 cmd.exe 1 9->15         started        17 iexplore.exe 1 73 9->17         started        19 rundll32.exe 9->19         started        dnsIp5 38 oftheearth.ca 198.50.182.64, 443, 49862, 49863 OVHFR Canada 11->38 40 194.15.112.173, 443, 49978 INTERNATIONAL-HOSTING-SOLUTIONS-ASEUDCrouteGB Ukraine 11->40 42 9 other IPs or domains 11->42 50 System process connects to network (likely due to code injection or exploit) 11->50 52 Detected Bazar Loader 11->52 54 Writes to foreign memory regions 11->54 56 2 other signatures 11->56 21 chrome.exe 11->21         started        23 rundll32.exe 15->23         started        25 iexplore.exe 2 159 17->25         started        signatures6 process7 dnsIp8 28 MpCmdRun.exe 1 23->28         started        32 edge.gycpi.b.yahoodns.net 87.248.118.23, 443, 49840, 49841 YAHOO-DEBDE United Kingdom 25->32 34 dart.l.doubleclick.net 172.217.168.38, 443, 49829, 49830 GOOGLEUS United States 25->34 36 14 other IPs or domains 25->36 process9 process10 30 conhost.exe 28->30         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fd2f1c48403857b80a466cb30f43a3b49e02cd480ee9cf05f6038d4816e2563b/
Threat name:
Win64.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-10-22 06:31:04 UTC
AV detection:
10 of 45 (22.22%)
Threat level:
  5/5
Verdict:
malicious
Similar samples:
1a97292372b8908c984fb54e5436f3c582108c658ee39ce9e84aedd8de0084be
BazaLoader
1f136522cc2cdea93e2086aa67ab07102bcef7e31b201489b43707986824b3f8
BazaLoader
417c1828d98ba4f05f7a2edb71a9105f0aebf3d554393970b96e59d4db7b4473
BazaLoader
4a3dc99f99af4f2d8bd707a4163886df47cbdf6934856c416785010334412043
BazaLoader
7fbde30e24755e328101e5705cfd1673dc8653ec17fe23fbbccb21b2accc66bd
BazaLoader
aa2cb7c438568cb9baf184532b6bda4677cd3bb9f22f8d3e65e22588eeace26f
BazaLoader
c5d2f0da18fb33a25b53fd8b9b98f0bfa95458e3c0feb687852f469167a0110c
BazaLoader
f29dbde41d19fa55ca3cd077df6833441aca6df5f1cfccbca9ed9554214263da
BazaLoader
fb46649e51c1b2fc47d3bc0a129563c7bcb6f7e5353d46e0a0bd2f1205d675b9
BazaLoader
+ 41 additional samples on MalwareBazaar
Result
Malware family:
bazarloader
Create hunting rule
Score:
  10/10
Tags:
family:bazarloader dropper loader
Link:
https://tria.ge/reports/211022-g92xxabbg5/
Behaviour
Bazar/Team9 Loader payload
Bazar Loader
Unpacked files
SH256 hash:
fd2f1c48403857b80a466cb30f43a3b49e02cd480ee9cf05f6038d4816e2563b
MD5 hash:
89c7feab515bbfec864010c118692b4c
SHA1 hash:
870e42c0b598c056d846e6d012da536cbdd37680
Link:
https://www.unpac.me/results/5ed1176b-ed67-4a69-82c0-6c66dfdd7748/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.34
Link:
https://yomi.yoroi.company/submissions/fd2f1c48403857b80a466cb30f43a3b49e02cd480ee9cf05f6038d4816e2563b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/199262/

Comments


Avatar
Kimberly commented on 2021-10-22 07:02:17 UTC

Not Sliver but Bazarloader :/
Wrong tag