MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c8510031a868ab8ef2b11a4261d2aba8c9be252294780faea012bfa94c6d0c70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

BazarCall

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	c8510031a868ab8ef2b11a4261d2aba8c9be252294780faea012bfa94c6d0c70
SHA3-384 hash:	4aad794d9dd2287fe3d1288becce64d58c40ce3aea30d08447abb49f205d5341942958810bdcf6f1562ad620146788ee
SHA1 hash:	495bdcb4c36c150f23c7e6156cc1486586e26b17
MD5 hash:	46bb7c8edade2a3cafb4e69bf3c64bcd
humanhash:	fourteen-papa-eleven-wolfram
File name:	46bb7c8edade2a3cafb4e69bf3c64bcd.exe
Download:	download sample
Signature	BazarCall Create hunting rule
File size:	636'416 bytes
First seen:	2021-03-31 07:22:54 UTC
Last seen:	2021-04-01 02:50:49 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	ae6670dd686f9d530d4808f1361603cb (3 x BazarCall)
ssdeep	12288:m4PBwrTaTpdCylMI8K+iWiifZ1lb2aObp9FP40C2g1BJ0duLjIfuAuxWRxWTHpyl:Cq3xW+cgidFw
Threatray	18 similar samples on MalwareBazaar
TLSH	CFD48E07ACBF6257DD6EC17E0186C57E2E556CC00291CFAFE9058752A9033E2A9E633D
Reporter	abuse_ch
Tags:	BazarCall exe

Intelligence

File Origin

# of uploads :

# of downloads :

137

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

46bb7c8edade2a3cafb4e69bf3c64bcd.exe

Verdict:

No threats detected

Analysis date:

2021-03-31 07:33:47 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b0fdf674-f3c5-41b0-b711-805e81a68da4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/129193/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Cobaltstrikeml.1685.18623.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Transferring files using the Background Intelligent Transfer Service (BITS)

Sending a custom TCP request

Sending a UDP request

Launching a process

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

Unknown

Detection:

malicious

Classification:

evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/659968

Signature

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Modifies the context of a thread in another process (thread injection)

Multi AV Scanner detection for submitted file

Sample uses process hollowing technique

Sets debug register (to hijack the execution of another thread)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Writes to foreign memory regions

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/c8510031a868ab8ef2b11a4261d2aba8c9be252294780faea012bfa94c6d0c70/

Threat name:

Win64.Trojan.Generic

Status:

Suspicious

First seen:

2021-03-30 19:02:41 UTC

AV detection:

9 of 29 (31.03%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=zbiqamnincvy54vrdjbgduvlvde34jjcsr4a7lvack72stdnbrya._file

Verdict:

suspicious

BazarCall

2fe32b0f648bfe69c9873c7a57a62358057eab750a081f9285c11e94327c42d6

BazarCall

42edefa09a3d85a3d4284f6ef57691c8b409ac00da21c799ae14b1adf17435f0

BazarCall

540d75f2828a1eaec24e7e1eef405b850a49d3f86a3fbde661fd7c69f2528d8f

BazarCall

5edd735e3c6b81d985f3eadd1f8cae24091b947699f1152528566124f22d5341

BazarCall

74d117615930c1a51e28e7db460a6f6135eb5070f0975598267e7f07d5a170f7

BazarCall

bdbe4c345b4e7c8ae008c86bb052f015050a7d62d28c3507eaaa329d00f30572

BazarCall

cac07a4582d65b74322168e6aed9d7fd05e59e335fb7d1cdb7b5f7149a07d3eb

BazarCall

d22f536d4d6cc001271855f4467af0bbc656801e1ffa34a8acd905db56cebae0

BazarCall

f0548ac778c8bcea06c577a13e7b0856b73838715c2fab1b1e83096e2333f82f

BazarCall

+ 8 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/210331-pdvp58l57e/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Blocklisted process makes network request

Unpacked files

SH256 hash:

c8510031a868ab8ef2b11a4261d2aba8c9be252294780faea012bfa94c6d0c70

MD5 hash:

46bb7c8edade2a3cafb4e69bf3c64bcd

SHA1 hash:

495bdcb4c36c150f23c7e6156cc1486586e26b17

Link:

https://www.unpac.me/results/a0c3b80c-9c0f-4067-a254-ed4bc39d5567/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Bazar

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c8510031a868ab8ef2b11a4261d2aba8c9be252294780faea012bfa94c6d0c70

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

BazarCall

exe c8510031a868ab8ef2b11a4261d2aba8c9be252294780faea012bfa94c6d0c70

(this sample)

Cape

https://www.capesandbox.com/analysis/129193/

URLhaus

https://urlhaus.abuse.ch/url/1099472/

Delivery method

Distributed via web download

URLhaus

https://urlhaus.abuse.ch/url/1099481/

URLhaus

https://urlhaus.abuse.ch/url/1099486/

URLhaus

https://urlhaus.abuse.ch/url/1099489/

URLhaus

https://urlhaus.abuse.ch/url/1099490/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample