MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 abe0c08037af3a6f1ee5f815c0c58d3c61aa8c4270ed432839872d0ea758b1bc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



BazarCall


Vendor detections: 7



SHA256 hash: abe0c08037af3a6f1ee5f815c0c58d3c61aa8c4270ed432839872d0ea758b1bc
SHA3-384 hash: 4d15ca96408c5cfe5a5ce6e178f593cba021bd84f0dcf6e5e48130fd10e149bc8cf26ae7584cd5d8c24062d6e0323ecf
SHA1 hash: 932b0935d0b03dba5d12ddc85aef878e20986f47
MD5 hash: 5ab10b180aca215ff3af5ec0e0e00b87
humanhash: single-ohio-whiskey-kansas
File name: SecuriteInfo.com.generic.ml.17984.8271
Download: download sample
Signature: BazarCall
File size: 401'920 bytes
First seen: 2021-03-22 23:31:04 UTC
Last seen: 2021-04-01 03:28:11 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 9aaa3e3eed44343463e328e78988f290 (1 x BazarCall)
ssdeep: 6144:tYeXsc8j7QUp4g/nWriB412fGzktXGBp3IFMunPd2TBdRTi+urG2WgC9fVw2EU4j:j6GBSMun12TxTibraHzs+j01Fa
Threatray: 117 similar samples on MalwareBazaar
TLSH: 8F849D6ABA551CF1E9BB813AC981291AB67234124771DBCF825417970F63BE0FD3EB40
Reporter: SecuriteInfoCom
Tags: BazarCall

Intelligence


File Origin
Number of uploads: 3
Number of downloads: 187
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Launching a process
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Gathering data
Result
Threat name:
Bazar Loader
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Signature
Creates multiple autostart registry keys
Detected Bazar Loader
Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Behaviour
Behavior Graph (rendered as an image on the original page; the node data recoverable from it is listed below):
Behavior Graph ID: 373510
Sample: SecuriteInfo.com.generic.ml...
Start date: 23/03/2021
Architecture: WINDOWS
Score: 96
Process tree: SecuriteInfo.com.generic.ml.17984.exe starts cmd.exe, which runs PING.EXE (used to sleep and to check other devices and networks), conhost.exe and a second instance of the sample; that instance drops C:\Users\user\AppData\Local\...\S0PCF2F.exe (PE32+) and launches it via cmd.exe and PING.EXE; S0PCF2F.exe repeats the cmd.exe / PING.EXE / conhost.exe chain, and cmd.exe invokes reg.exe to create multiple autostart registry keys; 2 other processes also started.
Signatures on the graph: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for submitted file; Multi AV Scanner detection for dropped file; Detected Bazar Loader; Detected unpacking (creates a PE file in dynamic memory); Uses cmd line tools excessively to alter registry or file data; Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks; Creates multiple autostart registry keys.
Network indicators on the graph: domain bcfhikblhhin.bazar; 8.8.7.7 (GOOGLEUS, United States) contacted by PING.EXE; 34.219.157.178:443 from local port 49716 and 35.166.81.240:443 from local port 49714 (both AMAZON-02US, United States) contacted by S0PCF2F.exe; 9 other IPs or domains.
Threat name:
Win64.Trojan.Generic
Status:
Suspicious
First seen:
2021-03-22 22:21:57 UTC
AV detection:
9 of 29 (31.03%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
8/10
Tags:
persistence
Behaviour
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Unpacked files
SHA256 hash:
abe0c08037af3a6f1ee5f815c0c58d3c61aa8c4270ed432839872d0ea758b1bc
MD5 hash:
5ab10b180aca215ff3af5ec0e0e00b87
SHA1 hash:
932b0935d0b03dba5d12ddc85aef878e20986f47
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Signature: BazarCall
File: Executable exe abe0c08037af3a6f1ee5f815c0c58d3c61aa8c4270ed432839872d0ea758b1bc (this sample)

Comments