bazaloader | f04d11a1c4811492e397bc151c65ea1958eab6cbcf279ece7bd59160bfbea3d8 | Triage

Submit
Reports

Overview

overview

Static

static

svchost_du...py.exe

windows7-x64

svchost_du...py.exe

windows10-1703-x64

svchost_du...py.exe

windows10-2004-x64

svchost_du...py.exe

windows11-21h2-x64

Resubmissions

23-01-2024 14:03

240123-rcwpqsbff3 10

23-01-2024 13:44

240123-q13yaabef7 10

Sharing

General

Target

svchost_dump_SCY - Copy.bin.zip
Size

2.4MB
Sample

240123-q13yaabef7
MD5

1a2f128d6c8b5873ea628daea3f14676
SHA1

1a92a3a742952b6cfa7486fc796c8d5ea133fd5f
SHA256

f04d11a1c4811492e397bc151c65ea1958eab6cbcf279ece7bd59160bfbea3d8
SHA512

c365cd4224cb652d0790ac9dab846a676e10e146e25861c25941a5adbe71ed232ff9826189c250a21424b3ac12cf2a9a92e47cb870cffd31f66774d0ecca5331
SSDEEP

49152:uZm0/SR/6qlcjHAQhFF2g+X6JWj4JBhhK9bBPYtsN/hvWl6TWDwMYXECjG:uZf/SgqlcjgCFo6JW28b1IsN5vW8GMEf

Score

10^/10

bazaloader evasion trojan

Static task

static1

trojan bazaloader

3 signatures

Behavioral task

behavioral1

Sample

svchost_dump_SCY - Copy.exe

Resource

win7-20231215-en

windows7-x64

7 signatures

150 seconds

Behavioral task

behavioral2

Sample

svchost_dump_SCY - Copy.exe

Resource

win10-20231215-en

windows10-1703-x64

10 signatures

150 seconds

Behavioral task

behavioral3

Sample

svchost_dump_SCY - Copy.exe

Resource

win10v2004-20231215-en

windows10-2004-x64

11 signatures

150 seconds

Behavioral task

behavioral4

Sample

svchost_dump_SCY - Copy.exe

Resource

win11-20231215-en

windows11-21h2-x64

10 signatures

150 seconds

Malware Config

Targets

- Target
  
  svchost_dump_SCY - Copy.bin
- Size
  
  5.2MB
- MD5
  
  5fd3d21a968f4b8a1577b5405ab1c36a
- SHA1
  
  710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
- SHA256
  
  7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
- SHA512
  
  085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
- SSDEEP
  
  98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs
Score

10^/10

evasion trojan
- Detects BazaLoader malware
  BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
  trojan
- Modifies Windows Firewall
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
behavioral1 behavioral2 behavioral3 behavioral4

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Persistence

Create or Modify System Process

Windows Service

Scheduled Task/Job

Privilege Escalation

Create or Modify System Process

Windows Service

Scheduled Task/Job

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

trojanbazaloader

behavioral1

behavioral2

behavioral3

behavioral4

© 2018-2024

Terms | Privacy