MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18d9495e87fc7a32eb732894d813aaddece492d80e54375dbf149fb30553ea95. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BazarCall

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	18d9495e87fc7a32eb732894d813aaddece492d80e54375dbf149fb30553ea95
SHA3-384 hash:	e042100ba750f83ca83f12edb4cc508f23d751551428f337146edb813207379c8b4fbde252f086e6b6aa2b996154aaf7
SHA1 hash:	eb28bbe0edabb9ee646fe84d444dc90dc8b1cf74
MD5 hash:	156f62525b7fa5212b9fd44eda731467
humanhash:	uncle-neptune-king-pennsylvania
File name:	156f62525b7fa5212b9fd44eda731467.exe
Download:	download sample
Signature	BazarCall Create hunting rule
File size:	721'408 bytes
First seen:	2021-03-24 16:59:14 UTC
Last seen:	2021-04-01 03:27:09 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	582a58d6ce8027e91efee1849f02f4a2 (1 x BazarCall)
ssdeep	12288:xsvDDGdVY6gCbYvW629awwhfPnZcBFUcNrh/kIoyHs6koK6bkqbQJPWgL7JyJ+im:xsbCdQ3pn2B+cfsrL61Nbkq1o7y+itk
TLSH	64E4BE91F7A847E4E4678139C657C603E7B2340107A49ADF52908BBE2F637E24D3B729
Reporter	abuse_ch
Tags:	BazarCall exe

Intelligence

File Origin

# of uploads :

# of downloads :

142

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

156f62525b7fa5212b9fd44eda731467.exe

Verdict:

No threats detected

Analysis date:

2021-03-24 21:13:02 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/2a75e3dc-8555-4e22-bdec-ab3f767a48fb

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection(s):

SecuriteInfo.com.StaticAI-SuspiciousPE.28966.31317.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a file in the %temp% directory

Deleting a recently created file

Transferring files using the Background Intelligent Transfer Service (BITS)

Sending a custom TCP request

DNS request

Launching a process

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

expl.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/652668

Signature

Allocates memory in foreign processes

Contains functionality to detect sleep reduction / modifications

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Locky time evasion found (measures execution of CloseHandle and GetProcessHeap)

Machine Learning detection for sample

Modifies the context of a thread in another process (thread injection)

Potentially malicious time measurement code found

Sample uses process hollowing technique

Sets debug register (to hijack the execution of another thread)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/18d9495e87fc7a32eb732894d813aaddece492d80e54375dbf149fb30553ea95/

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2021-03-24 17:00:16 UTC

AV detection:

12 of 48 (25.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ddmusxuh7r5df23tfcknqe5k3xwojewybzkdoxn7csp3gbkt5kkq._file

Verdict:

unknown

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/210324-sr3vc15ren/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Blocklisted process makes network request

Unpacked files

SH256 hash:

18d9495e87fc7a32eb732894d813aaddece492d80e54375dbf149fb30553ea95

MD5 hash:

156f62525b7fa5212b9fd44eda731467

SHA1 hash:

eb28bbe0edabb9ee646fe84d444dc90dc8b1cf74

Link:

https://www.unpac.me/results/cdf598fc-a4f0-41e7-b6d7-4ee3ab55281d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/18d9495e87fc7a32eb732894d813aaddece492d80e54375dbf149fb30553ea95

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BazarCall

exe 18d9495e87fc7a32eb732894d813aaddece492d80e54375dbf149fb30553ea95

(this sample)

URLhaus

https://urlhaus.abuse.ch/url/1088605/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1090333/

URLhaus

https://urlhaus.abuse.ch/url/1090348/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample