MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64bb301a1ef092d05ce99b282df5d6967b01a4598c292d14608137a180ecaece. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


BazarCall


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 64bb301a1ef092d05ce99b282df5d6967b01a4598c292d14608137a180ecaece
SHA3-384 hash: a519766aab63778125cb48309e7e1ac9912b23596dae6f01cf3a9a43422ff9bb3413a1bd4d259106931d61daee472d45
SHA1 hash: 97628ead21544a7b7a065df10c2829207b5c4911
MD5 hash: 3b741d6798735efdae2d18c80716ee4b
humanhash: happy-north-bulldog-lithium
File name:fkt.exe
Download: download sample
Signature BazarCall
Create hunting rule
File size:333'312 bytes
First seen:2021-03-19 15:16:35 UTC
Last seen:2021-03-25 12:38:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7babf25e4ed6abf9b92ec07e1cf261dd (1 x BazarCall, 1 x BazaLoader)
ssdeep 6144:FK5opSaFD8d2KXgPLxLNIafPHBfXbMd0xbh/8N9FFxeOTSsJKalmTT:k5oprFD8d2vwoHBvgd0xo9fxs+H
Threatray 112 similar samples on MalwareBazaar
TLSH 0F64BF78B6502CE5EE7F427FC9926C99637239128B97DC8E8064A7D30E63371EE16D04
Reporter lazyactivist192
Tags:BazaLoader BazarCall campo exe


Avatar
lazyactivist192
Delivered by bazarcall distro.

Intelligence

File Origin
# of uploads :
3
# of downloads :
238
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
fkt.exe
Verdict:
No threats detected
Analysis date:
2021-03-19 15:25:30 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9613bd2d-8406-448a-b3b4-5d609d24b164

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/125678/
Detection(s):
SecuriteInfo.com.Program.Win32.Wacapew.Cml.12314.32476.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Launching a process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
BazarBackdoor
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6c3cf766-761c-4a35-a5f2-1410f06583f5
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/646338
Signature
Allocates memory in foreign processes
Contains functionality to inject code into remote processes
Creates multiple autostart registry keys
Injects a PE file into a foreign processes
May check the online IP address of the machine
Modifies the context of a thread in another process (thread injection)
Performs a network lookup / discovery via net view
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 372134 Sample: fkt.exe Startdate: 19/03/2021 Architecture: WINDOWS Score: 100 77 myexternalip.com 2->77 87 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->87 89 May check the online IP address of the machine 2->89 15 fkt.exe 2->15         started        18 cmd.exe 1 2->18         started        20 cmd.exe 1 2->20         started        22 2 other processes 2->22 signatures3 process4 signatures5 115 Contains functionality to inject code into remote processes 15->115 24 cmd.exe 1 15->24         started        117 Uses cmd line tools excessively to alter registry or file data 18->117 28 reg.exe 1 1 18->28         started        30 conhost.exe 18->30         started        32 conhost.exe 20->32         started        34 reg.exe 1 20->34         started        process6 dnsIp7 81 8.8.7.7 GOOGLEUS United States 24->81 101 Uses ping.exe to sleep 24->101 103 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 24->103 105 Uses cmd line tools excessively to alter registry or file data 24->105 109 3 other signatures 24->109 36 fkt.exe 24->36         started        38 conhost.exe 24->38         started        40 PING.EXE 1 24->40         started        107 Creates multiple autostart registry keys 28->107 signatures8 process9 process10 42 cmd.exe 1 36->42         started        signatures11 111 Uses ping.exe to sleep 42->111 45 fkt.exe 1 42->45         started        48 conhost.exe 42->48         started        50 PING.EXE 1 42->50         started        process12 signatures13 113 Creates multiple autostart registry keys 45->113 52 cmd.exe 1 45->52         started        process14 signatures15 91 Uses ping.exe to sleep 52->91 55 fkt.exe 1 52->55         started        59 conhost.exe 52->59         started        61 PING.EXE 1 52->61         started        process16 dnsIp17 79 18.223.166.214, 443, 49704 AMAZON-02US United States 55->79 93 Writes to foreign memory regions 55->93 95 Allocates memory in foreign processes 55->95 97 Modifies the context of a thread in another process (thread injection) 55->97 99 2 other signatures 55->99 63 cmd.exe 1 55->63         started        signatures18 process19 dnsIp20 83 54.159.186.190, 443, 49706, 49709 AMAZON-AESUS United States 63->83 66 cmd.exe 1 63->66         started        69 cmd.exe 1 63->69         started        71 cmd.exe 1 63->71         started        73 2 other processes 63->73 process21 signatures22 85 Performs a network lookup / discovery via net view 66->85 75 powershell.exe 13 69->75         started        process23
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/64bb301a1ef092d05ce99b282df5d6967b01a4598c292d14608137a180ecaece/
Threat name:
Win64.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2021-03-19 15:17:07 UTC
AV detection:
8 of 28 (28.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ms5tagq66cjnaxhjtmuc35owsz5qdjczrqus2fdaqe32dahmv3ha._file
Verdict:
unknown
Similar samples:
0fb8a792dd48796bac2d508c1928aa539ced639ea99a5e2c9d6e2be5a7e82d43
BazarCall
1a11f48cbdd0a8f256f4940d8e8dcf0ead80cbfdb6d6dd87c8b9b945c4051631
BazarCall
3483f717d6c9b903413aa6e1a66f771db14ff7563c4d81ec5b761f50aeea0ea2
BazarCall
3c91963b604f32bb0fb91c2dc8771cfb86ef5ecbebb145e3515bdf5779972455
BazarCall
889e728a55b58b3a124d38610a30ae07150f78ca900dbef4fc15120ea49ec593
BazarCall
8a0fbcde56a9a817c10b0fe5ae281f75385c2a28ca271d736484e689c104e96c
BazarCall
8e244f1a5b4653d6dbb4cc3978c7dd773b227a443361fbc30265b79f102f7eed
BazarCall
bc6fa495ed90d846d0873b85a234b96d3d4bee7bb89dd47e02d02c0fb420725a
BazarCall
dbd56f0dc20aec5289e993087b32a9485ccea4ae9796c58c008eb946d7646a94
BazarCall
de307ecbfecca217a680cdee9e11f367b6b2f95e06c909d1aa0ef209f228ff63
BazarCall
+ 102 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/210319-6p33378f52/
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Unpacked files
SH256 hash:
64bb301a1ef092d05ce99b282df5d6967b01a4598c292d14608137a180ecaece
MD5 hash:
3b741d6798735efdae2d18c80716ee4b
SHA1 hash:
97628ead21544a7b7a065df10c2829207b5c4911
Link:
https://www.unpac.me/results/b08863af-ce75-45da-a77d-5ac365c7dc01/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/64bb301a1ef092d05ce99b282df5d6967b01a4598c292d14608137a180ecaece

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BazarCall

Executable exe 64bb301a1ef092d05ce99b282df5d6967b01a4598c292d14608137a180ecaece

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1077473/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/125678/

Comments