bazaloader | svchost_dump_SCY - Copy[.]bin[.]zip

Resubmissions

23-01-2024 14:03

240123-rcwpqsbff3 10

23-01-2024 13:44

240123-q13yaabef7 10

Sharing

Copy URL

Twitter E-mail

General

Target

svchost_dump_SCY - Copy.bin.zip
Size

2.4MB
MD5

1a2f128d6c8b5873ea628daea3f14676
SHA1

1a92a3a742952b6cfa7486fc796c8d5ea133fd5f
SHA256

f04d11a1c4811492e397bc151c65ea1958eab6cbcf279ece7bd59160bfbea3d8
SHA512

c365cd4224cb652d0790ac9dab846a676e10e146e25861c25941a5adbe71ed232ff9826189c250a21424b3ac12cf2a9a92e47cb870cffd31f66774d0ecca5331
SSDEEP

49152:uZm0/SR/6qlcjHAQhFF2g+X6JWj4JBhhK9bBPYtsN/hvWl6TWDwMYXECjG:uZf/SgqlcjgCFo6JW28b1IsN5vW8GMEf

Score

10^/10

trojan bazaloader

Malware Config

Signatures

Bazaloader family
bazaloader

Detects BazaLoader malware 1 IoCs

BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.

trojan

Processes:

resource	yara_rule
static1/unpack001/svchost_dump_SCY - Copy.bin	BazaLoader

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
unpack001/svchost_dump_SCY - Copy.bin

Files

svchost_dump_SCY - Copy.bin.zip
.zip

Password: infected
svchost_dump_SCY - Copy.bin
.exe windows:6 windows x64 arch:x64

Password: infected

a36c1890ad00c18dd7657e5d32beb26c

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

RegGetValueA

kernel32

GetModuleFileNameW
K32GetModuleFileNameExW
SetThreadPriority
CreatePipe
GetTempPathW
lstrlenA
CreateMutexA
GetVolumeInformationA
WaitForSingleObject
CreateFileW
ReleaseMutex
lstrcatA
GetModuleHandleA
OpenProcess
CreateToolhelp32Snapshot
Sleep
GetModuleHandleExA
GetLastError
Process32NextW
CreateFileA
GetCurrentThread
TerminateProcess
lstrcatW
DeleteFileA
lstrcpyA
Process32FirstW
CloseHandle
GetNativeSystemInfo
CreateThread
GetWindowsDirectoryA
HeapAlloc
GetWindowsDirectoryW
GetProcAddress
ExitProcess
GetProcessHeap
CreateProcessW
FreeLibrary
CopyFileW
WinExec
GetTempFileNameW
CreateProcessA
IsBadReadPtr
QueryPerformanceCounter
SetUnhandledExceptionFilter
HeapSize
FlushFileBuffers
VirtualAlloc
WriteFile
GetCurrentProcess
VirtualFree
SetLastError
HeapFree
VirtualProtect
GetModuleFileNameA
ReadFile
LoadLibraryA
CreateDirectoryW
GetStringTypeW
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetCPInfo
GetOEMCP
GetACP
IsValidCodePage
FindNextFileW
FindFirstFileExW
WriteConsoleW
FindClose
GetTimeZoneInformation
SetFilePointerEx
SetStdHandle
LCMapStringW
CompareStringW
GetTimeFormatW
GetDateFormatW
GetConsoleMode
GetConsoleOutputCP
WideCharToMultiByte
HeapReAlloc
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
IsDebuggerPresent
UnhandledExceptionFilter
GetStartupInfoW
IsProcessorFeaturePresent
GetModuleHandleW
RtlUnwindEx
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
RaiseException
GetModuleHandleExW
GetFileType
GetStdHandle
MultiByteToWideChar

shell32

ShellExecuteExW

shlwapi

StrStrIW
StrStrIA

secur32

GetUserNameExA

wininet

HttpQueryInfoA
HttpOpenRequestA
InternetOpenUrlA
InternetSetOptionA
InternetOpenA
InternetCloseHandle
HttpSendRequestA
InternetConnectA
InternetReadFile

ws2_32

__WSAFDIsSet
closesocket
WSAGetLastError
setsockopt
ioctlsocket
htons
getsockopt
recv
connect
socket
WSACleanup
WSAStartup
send
inet_addr
select

Sections

.text
Size: 166KB - Virtual size: 168KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 65KB - Virtual size: 68KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 4.9MB - Virtual size: 6.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

IDATA
Size: 7KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.SCY
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Resubmissions

Sharing

General

Malware Config

Signatures

Files

Password: infected

Password: infected

a36c1890ad00c18dd7657e5d32beb26c

Headers

File Characteristics

Imports

advapi32

kernel32

shell32

shlwapi

secur32

wininet

ws2_32

Sections

.text Size: 166KB - Virtual size: 168KB

.rdata Size: 65KB - Virtual size: 68KB

.data Size: 4.9MB - Virtual size: 6.0MB

.pdata Size: 8KB - Virtual size: 8KB

IDATA Size: 7KB - Virtual size: 12KB

.SCY Size: 4KB - Virtual size: 4KB

.text
Size: 166KB - Virtual size: 168KB

.rdata
Size: 65KB - Virtual size: 68KB

.data
Size: 4.9MB - Virtual size: 6.0MB

.pdata
Size: 8KB - Virtual size: 8KB

IDATA
Size: 7KB - Virtual size: 12KB

.SCY
Size: 4KB - Virtual size: 4KB