MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0616675b08ad1f9806fd12c2532fa4243b52f02e615c026341e0f183deabc5e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazarCall


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0616675b08ad1f9806fd12c2532fa4243b52f02e615c026341e0f183deabc5e9
SHA3-384 hash: 24dbe6984fd4541e26fa16efce8566edfa3a4c282abceb7a43aa06a840d186b6ee21163c96aa70a76064f44945d4cbf4
SHA1 hash: da402745f91080dc055627a5f87018945f265da6
MD5 hash: 54367f8ed2670f3737cd8a60030f17bd
humanhash: autumn-sweet-venus-mike
File name:o2.exe
Download: download sample
Signature BazarCall
Create hunting rule
File size:625'152 bytes
First seen:2021-03-25 15:14:43 UTC
Last seen:2021-03-25 16:37:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash d85bb1877b8e0a753682aad6974a133d (1 x BazarCall)
ssdeep 12288:z2F0seTiE7HfbStsqD8EJ8tue8wp8qfcDyDci:zI6iE7HRqDr8txWq0WD7
Threatray 90 similar samples on MalwareBazaar
TLSH 61D4BE97B3A48DB5E823D23AC9928749EAB37C305731D3CB5240971E6E376E15D3A321
Reporter lazyactivist192
Tags:BazaLoader BazarCall BazarLoader campo

Intelligence

File Origin
# of uploads :
2
# of downloads :
199
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
o2.exe
Verdict:
No threats detected
Analysis date:
2021-03-25 15:30:54 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8b858305-43b0-4909-afe6-1bb8dc43fada

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.TrojanDropper.Sysn.fyj.21527.20053.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Changing a file
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
60 / 100
Link:
https://www.joesandbox.com/analysis/654130
Signature
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/0616675b08ad1f9806fd12c2532fa4243b52f02e615c026341e0f183deabc5e9/
Threat name:
Win64.Trojan.Bazar
Create hunting rule
Status:
Malicious
First seen:
2021-03-25 15:15:07 UTC
AV detection:
10 of 29 (34.48%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=aylgowyivupzqbx5clbfgl5eeq5vf4bomfoaey2b4dyyhxvlyxuq._file
Verdict:
malicious
Similar samples:
1d921a846347be4c8cefbbf0449a40710408ecccf5cbbf99a0f8e41acb78881e
BazarCall
2d757d0aec33330845fa2e2505e403b5a5718b96cb46162326a65e83607b9f27
BazarCall
3d0bb4ced472475c673c082e2cc9a1708159eefab5ae6863992f8a6696e1ae14
BazarCall
3e48c6326181bf9fe5cb074a0c7dc955a3e5d23c9f77195e319cf88cafdab447
BazarCall
6e3135f2b19b776522d8ea589f676d6b707eeaf112c77d88923caf15bf98eff5
BazarCall
73bb27d72c97502d1c865e8d92870cac41c68e00f00084f6cc8de6bc43275a5b
BazarCall
9a9e207e67103ebf90b1a54d5510cb458cd6355279e6ba86e8d182fa767d9613
BazarCall
9c3cfeccfffba1fe5b1b69a5784e3d2832a35aebd0998efb48877ae766708691
BazarCall
ac696ef5a12039b72e408b6b14e08823c407ee652a6a36b7c33d01cd8d373497
BazarCall
bcea99b1ec6fa52fec60589878c451266f260a8b4e2d8c85d700b3d24e0dce4b
BazarCall
+ 80 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210325-tvhznz21lx/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
0616675b08ad1f9806fd12c2532fa4243b52f02e615c026341e0f183deabc5e9
MD5 hash:
54367f8ed2670f3737cd8a60030f17bd
SHA1 hash:
da402745f91080dc055627a5f87018945f265da6
Link:
https://www.unpac.me/results/22d895c2-8fd1-4b0e-be33-83d605a5a25f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0616675b08ad1f9806fd12c2532fa4243b52f02e615c026341e0f183deabc5e9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Cobalt_functions
Create hunting rule
Author:@j0sm1
Description:Detect functions coded with ROR edi,D; Detect CobaltStrike used by differents groups APT
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BazarCall

Executable exe 0616675b08ad1f9806fd12c2532fa4243b52f02e615c026341e0f183deabc5e9

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1091182/
  
Delivery method
Distributed via web download

Comments