MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 151e59a2fcb92d740cfd9fa96c1eeb73bf06b8bbdae458260b45fba4fe2e0b48. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BazarCall

Vendor detections: 6

SHA256 hash: 151e59a2fcb92d740cfd9fa96c1eeb73bf06b8bbdae458260b45fba4fe2e0b48
SHA3-384 hash: 4a921a5089d3a75487b559536ad385af7d1ddef6ede03b817275ee52cf4a0854abb63e4175ece306e6709a68bb995764
SHA1 hash: 2ed911ed9694dc1fbc6940190b6dd8c9684a6594
MD5 hash: 588a3f2c94dde4650de944d6ceb90b81
humanhash: vermont-crazy-wyoming-mango
File name: 588a3f2c94dde4650de944d6ceb90b81.dll
Signature: BazarCall
File size: 826'368 bytes
First seen: 2021-03-27 07:12:21 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 062b494b9d22c66b49df304059847b38 (1 x BazarCall)
ssdeep: 12288:BSGLvh4/rWduiactQS6W0ff+I/jcdyIwkcd3j1NX:BvherLiacuS6W0J/Iwk2BN
Threatray: 173 similar samples on MalwareBazaar
TLSH: B6056B51F2F483B4D06FD27AC9928B5AEB723850973196CB92419B1D2F732E15F3A321
Reporter: abuse_ch
Tags: BazarCall dll

Intelligence


File Origin
# of uploads: 1
# of downloads: 241
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: 588a3f2c94dde4650de944d6ceb90b81.dll
Verdict: No threats detected
Analysis date: 2021-03-27 07:13:37 UTC
Tags: installer

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Clean
Maliciousness:

Behaviour
Sending a UDP request

Result
Verdict: UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family: BazarBackdoor
Verdict: Malicious

Result
Threat name: Bazar Loader
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Creates an autostart registry key pointing to binary in C:\Windows
Injects a PE file into a foreign process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for submitted file
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected Bazar Loader
Behaviour
Behavior Graph: [graph rendering not reproduced] Behavior Graph ID: 376835, Sample: XLhw6JGwC0.dll, Startdate: 27/03/2021, Architecture: WINDOWS, Score: 100
Result
Malware family: n/a
Score: 8/10
Tags: persistence
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Blocklisted process makes network request
Unpacked files
SHA256 hash: 151e59a2fcb92d740cfd9fa96c1eeb73bf06b8bbdae458260b45fba4fe2e0b48
MD5 hash: 588a3f2c94dde4650de944d6ceb90b81
SHA1 hash: 2ed911ed9694dc1fbc6940190b6dd8c9684a6594

Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download | BazarCall | Executable exe 151e59a2fcb92d740cfd9fa96c1eeb73bf06b8bbdae458260b45fba4fe2e0b48 (this sample)

Delivery method: Distributed via web download

Comments