MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 536d1a135f6f0a9bc337108a2b10ce81515c5bc26b654ec9f8e4b5e53d06c959. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazarCall


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 536d1a135f6f0a9bc337108a2b10ce81515c5bc26b654ec9f8e4b5e53d06c959
SHA3-384 hash: 031226452e147deb47d472c12a50e10f86865f9492142de177a36b25739159aae725ac3178d260538ba87201d28555e5
SHA1 hash: 8fa41ac76c9f40e738fd42025144c7d55969ab79
MD5 hash: ffdff96a587983deae1c67bb1299b004
humanhash: music-bravo-butter-uniform
File name:huqgk.exe
Download: download sample
Signature BazarCall
Create hunting rule
File size:167'936 bytes
First seen:2021-04-08 16:30:05 UTC
Last seen:2021-04-08 23:09:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash bf8338aa9f07a8242c78c62743e9832c (1 x BazarCall)
ssdeep 3072:WsuSnuXytaiXqILGXV/Lao5nekWoTwfAixq3C:fuSnuXyDGXVTao4kWZpxqy
Threatray 128 similar samples on MalwareBazaar
TLSH 7FF36B41F10184EAE776E1361B90906DF69A7C2E6D37EE46E2217F542B396E02DF870C
Reporter malware_traffic
Tags:bazacall BazaLoader BazarCall BazarLoader exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
295
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
huqgk.exe
Verdict:
No threats detected
Analysis date:
2021-04-08 16:36:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/24d2bc3e-973e-4a4c-a609-a03645c6f4bb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/133261/
Detection(s):
SecuriteInfo.com.Variant.Razy.859016.17325.10533.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a process with a hidden window
Launching a process
Sending a UDP request
Running batch commands
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/0eb900b1-1302-49db-82a1-df596c5f2409
Result
Threat name:
Bazar Loader
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/670518
Signature
Creates multiple autostart registry keys
Detected Bazar Loader
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected Bazar Loader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 384203 Sample: huqgk.exe Startdate: 08/04/2021 Architecture: WINDOWS Score: 80 66 bcfhikbkhhin.bazar 2->66 76 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->76 78 Detected Bazar Loader 2->78 80 Yara detected Bazar Loader 2->80 12 huqgk.exe 2->12         started        14 cmd.exe 1 2->14         started        17 cmd.exe 1 2->17         started        19 X2DF602.exe 2->19         started        signatures3 process4 signatures5 21 cmd.exe 1 12->21         started        94 Uses cmd line tools excessively to alter registry or file data 14->94 25 reg.exe 1 1 14->25         started        27 X2DF602.exe 14->27         started        29 conhost.exe 14->29         started        31 X2DF602.exe 17->31         started        33 conhost.exe 17->33         started        35 reg.exe 1 17->35         started        process6 dnsIp7 68 8.8.7.7 GOOGLEUS United States 21->68 82 Uses ping.exe to sleep 21->82 84 Uses cmd line tools excessively to alter registry or file data 21->84 86 Uses ping.exe to check the status of other devices and networks 21->86 37 huqgk.exe 1 21->37         started        40 conhost.exe 21->40         started        42 PING.EXE 1 21->42         started        88 Creates multiple autostart registry keys 25->88 signatures8 process9 file10 64 C:\Users\user\AppData\Local\...\X2DF602.exe, PE32+ 37->64 dropped 44 cmd.exe 1 37->44         started        process11 signatures12 92 Uses ping.exe to sleep 44->92 47 X2DF602.exe 1 44->47         started        50 conhost.exe 44->50         started        52 PING.EXE 1 44->52         started        process13 signatures14 96 Detected Bazar Loader 47->96 98 Creates multiple autostart registry keys 47->98 54 cmd.exe 1 47->54         started        process15 signatures16 90 Uses ping.exe to sleep 54->90 57 X2DF602.exe 54->57         started        60 conhost.exe 54->60         started        62 PING.EXE 1 54->62         started        process17 dnsIp18 70 54.202.57.165, 443, 49719 AMAZON-02US United States 57->70 72 54.218.223.26, 443, 49717 AMAZON-02US United States 57->72 74 11 other IPs or domains 57->74
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/536d1a135f6f0a9bc337108a2b10ce81515c5bc26b654ec9f8e4b5e53d06c959/
Threat name:
Win64.Trojan.Zenpak
Create hunting rule
Status:
Malicious
First seen:
2021-04-08 16:32:36 UTC
AV detection:
9 of 29 (31.03%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=knwrue27n4fjxqzxccfcwegoqfivyw6cnnsu5spy4s26kpigzfmq._file
Verdict:
malicious
Similar samples:
0fb8a792dd48796bac2d508c1928aa539ced639ea99a5e2c9d6e2be5a7e82d43
BazarCall
172dcb63c1df471b850a8ce06fbe8343cf82de322f2944f686a682c3793d2c03
BazarCall
19be41bf3f9577db880b196816a2f1f7b5cb07beb2c1ee80ff813d30d0881617
BazarCall
1a11f48cbdd0a8f256f4940d8e8dcf0ead80cbfdb6d6dd87c8b9b945c4051631
BazarCall
1d921a846347be4c8cefbbf0449a40710408ecccf5cbbf99a0f8e41acb78881e
BazarCall
3483f717d6c9b903413aa6e1a66f771db14ff7563c4d81ec5b761f50aeea0ea2
BazarCall
461e6f9d0bff2b46c77cb78d2d885570b4f75a5b3b9d6ed9b01193970ccf24d1
BazarCall
c8768444c9e489989a6610537ecb1bc204216e0b0880079e6d9e561e56dc60a8
BazarCall
da64fd26d75960fad54e08303b805dfe4e050c5faea0737ed56cfc6d05af6b88
BazarCall
e6f0206d99bc279a062e055582e2c452500d7067968e9de186d7d78ed158271d
BazarCall
+ 118 additional samples on MalwareBazaar
Result
Malware family:
bazarloader
Create hunting rule
Score:
  10/10
Tags:
family:bazarloader dropper loader persistence
Link:
https://tria.ge/reports/210408-e31lf37ae6/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Adds Run key to start application
Executes dropped EXE
Bazar/Team9 Loader payload
Bazar Loader
Unpacked files
SH256 hash:
536d1a135f6f0a9bc337108a2b10ce81515c5bc26b654ec9f8e4b5e53d06c959
MD5 hash:
ffdff96a587983deae1c67bb1299b004
SHA1 hash:
8fa41ac76c9f40e738fd42025144c7d55969ab79
Link:
https://www.unpac.me/results/f8e0eafd-0b0f-4ec2-9d58-2df8e0d4afe5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.96
Link:
https://yomi.yoroi.company/submissions/536d1a135f6f0a9bc337108a2b10ce81515c5bc26b654ec9f8e4b5e53d06c959

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BazarCall

Executable exe 536d1a135f6f0a9bc337108a2b10ce81515c5bc26b654ec9f8e4b5e53d06c959

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/133261/
  
URLhaus
https://urlhaus.abuse.ch/url/1104683/
  
Delivery method
Distributed via web download

Comments