bazaloader | svchost_dump_SCY - Copy[.]exe

Target

svchost_dump_SCY - Copy.exe
Size

5.2MB
MD5

5fd3d21a968f4b8a1577b5405ab1c36a
SHA1

710e5ab0fceb71b982b966c3a7406ebdf1d2aa82
SHA256

7ac7b42889e14cbd8c7cebe692566ca045d0034f9ff103fc3ef9c5e035dc594f
SHA512

085a31c0412ba0a3d612a66ec8d95ce900e148240f92f9ec8c4d07b6c8e32cf233e92aefc7b4b53a91f5eacacd1cf3a8fcdf8cd7c206afa46014a9e4a9ddf53f
SSDEEP

98304:jgoX+R+gW1CkQFBAFGspWvuL136BRiGQiiyBrDbnh57cpbJLyns:coXxFGWL56BVrDbn77cjIs

Score

10^/10

trojan bazaloader

Malware Config

Signatures

Bazaloader family
bazaloader
Detects BazaLoader malware 1 IoCs
BazaLoader is a trojan that transmits logs to the Command and Control (C2) server, encoding them in BASE64 format through GET requests.
trojan

Processes:

resource yara_rule

sample BazaLoader
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.

Processes:

resource

svchost_dump_SCY - Copy.exe

resource	yara_rule
sample	BazaLoader

resource
svchost_dump_SCY - Copy.exe

Files

svchost_dump_SCY - Copy.exe
.exe windows:6 windows x64 arch:x64

a36c1890ad00c18dd7657e5d32beb26c

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE

Imports

advapi32

RegGetValueA

kernel32

GetModuleFileNameW
K32GetModuleFileNameExW
SetThreadPriority
CreatePipe
GetTempPathW
lstrlenA
CreateMutexA
GetVolumeInformationA
WaitForSingleObject
CreateFileW
ReleaseMutex
lstrcatA
GetModuleHandleA
OpenProcess
CreateToolhelp32Snapshot
Sleep
GetModuleHandleExA
GetLastError
Process32NextW
CreateFileA
GetCurrentThread
TerminateProcess
lstrcatW
DeleteFileA
lstrcpyA
Process32FirstW
CloseHandle
GetNativeSystemInfo
CreateThread
GetWindowsDirectoryA
HeapAlloc
GetWindowsDirectoryW
GetProcAddress
ExitProcess
GetProcessHeap
CreateProcessW
FreeLibrary
CopyFileW
WinExec
GetTempFileNameW
CreateProcessA
IsBadReadPtr
QueryPerformanceCounter
SetUnhandledExceptionFilter
HeapSize
FlushFileBuffers
VirtualAlloc
WriteFile
GetCurrentProcess
VirtualFree
SetLastError
HeapFree
VirtualProtect
GetModuleFileNameA
ReadFile
LoadLibraryA
CreateDirectoryW
GetStringTypeW
SetEnvironmentVariableW
FreeEnvironmentStringsW
GetEnvironmentStringsW
GetCommandLineW
GetCommandLineA
GetCPInfo
GetOEMCP
GetACP
IsValidCodePage
FindNextFileW
FindFirstFileExW
WriteConsoleW
FindClose
GetTimeZoneInformation
SetFilePointerEx
SetStdHandle
LCMapStringW
CompareStringW
GetTimeFormatW
GetDateFormatW
GetConsoleMode
GetConsoleOutputCP
WideCharToMultiByte
HeapReAlloc
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
IsDebuggerPresent
UnhandledExceptionFilter
GetStartupInfoW
IsProcessorFeaturePresent
GetModuleHandleW
RtlUnwindEx
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
LoadLibraryExW
RaiseException
GetModuleHandleExW
GetFileType
GetStdHandle
MultiByteToWideChar

shell32

ShellExecuteExW

shlwapi

StrStrIW
StrStrIA

secur32

GetUserNameExA

wininet

HttpQueryInfoA
HttpOpenRequestA
InternetOpenUrlA
InternetSetOptionA
InternetOpenA
InternetCloseHandle
HttpSendRequestA
InternetConnectA
InternetReadFile

ws2_32

__WSAFDIsSet
closesocket
WSAGetLastError
setsockopt
ioctlsocket
htons
getsockopt
recv
connect
socket
WSACleanup
WSAStartup
send
inet_addr
select

Sections

.text
Size: 166KB - Virtual size: 168KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 65KB - Virtual size: 68KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.data
Size: 4.9MB - Virtual size: 6.0MB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.pdata
Size: 8KB - Virtual size: 8KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

IDATA
Size: 7KB - Virtual size: 12KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.SCY
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Resubmissions

Sharing

General

Malware Config

Signatures

Files

a36c1890ad00c18dd7657e5d32beb26c

Headers

File Characteristics

Imports

advapi32

kernel32

shell32

shlwapi

secur32

wininet

ws2_32

Sections

.text Size: 166KB - Virtual size: 168KB

.rdata Size: 65KB - Virtual size: 68KB

.data Size: 4.9MB - Virtual size: 6.0MB

.pdata Size: 8KB - Virtual size: 8KB

IDATA Size: 7KB - Virtual size: 12KB

.SCY Size: 4KB - Virtual size: 4KB

.text
Size: 166KB - Virtual size: 168KB

.rdata
Size: 65KB - Virtual size: 68KB

.data
Size: 4.9MB - Virtual size: 6.0MB

.pdata
Size: 8KB - Virtual size: 8KB

IDATA
Size: 7KB - Virtual size: 12KB

.SCY
Size: 4KB - Virtual size: 4KB