MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82abed1d037e286fb147d1ff13ab740bc338dc3ebf514e0e24d727e84cb2a460. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BazarCall

Vendor detections: 8

SHA256 hash: 82abed1d037e286fb147d1ff13ab740bc338dc3ebf514e0e24d727e84cb2a460
SHA3-384 hash: 0b8d6621acde3e0b8bf88c9be6edde10ce0d62eda0afdcbc053947987bbe447a8239baa32f896ccf7ca3d3ff629f2050
SHA1 hash: a0239f4d7780bdf251bc93c8073dc3c94839b09f
MD5 hash: 684c5d861f1323d2a808e1f74f4e1ff8
humanhash: twenty-carbon-quiet-apart
File name: 684c5d861f1323d2a808e1f74f4e1ff8.exe
Signature: BazarCall
File size: 491'124 bytes
First seen: 2021-02-25 10:51:32 UTC
Last seen: 2021-02-25 12:58:21 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: bbe89b40df179fc937bf9b351165c953 (2 x BazarCall)
ssdeep: 12288:pmUY1bSkxsWB2pyK8jk1NpJbtcTnSVNe6CV/0WHGowvQd:pRYhSw68A/bbtqSVNe6c0X
Threatray: 5 similar samples on MalwareBazaar
TLSH: 7FA473C9A42170FCC72F6270333EB988DDB276F85E405C8DD4B527A68FE26554B38A19
Reporter: abuse_ch
Tags: BazarCall exe

Intelligence

File Origin
# of uploads: 2
# of downloads: 139
Origin country: n/a

Vendor Threat Intelligence

Malware family: n/a
ID: 1
File name: 684c5d861f1323d2a808e1f74f4e1ff8.exe
Verdict: No threats detected
Analysis date: 2021-02-25 10:57:09 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.

Result
Verdict: Malware
Behaviour
Launching a process
Creating a process with a hidden window
Sending a UDP request
Unauthorized injection to a system process
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: Bazar Loader
Detection: malicious
Classification: troj.evad
Score: 84 / 100
Signature:
Changes memory attributes in foreign processes to executable or writable
Contains functionality to inject code into remote processes
Injects a PE file into a foreign process
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
Writes to foreign memory regions
Yara detected Bazar Loader
Threat name: Win64.Backdoor.Bazarloader
Status: Malicious
First seen: 2021-02-25 10:52:09 UTC
AV detection: 19 of 29 (65.52%)
Threat level: 5/5

Result
Malware family: n/a
Score: 1/10
Tags: n/a
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Unpacked files
SHA256 hash: 82abed1d037e286fb147d1ff13ab740bc338dc3ebf514e0e24d727e84cb2a460
MD5 hash: 684c5d861f1323d2a808e1f74f4e1ff8
SHA1 hash: a0239f4d7780bdf251bc93c8073dc3c94839b09f
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: BazarCall
File type: Executable exe
SHA256: 82abed1d037e286fb147d1ff13ab740bc338dc3ebf514e0e24d727e84cb2a460 (this sample)

Delivery method
Distributed via web download